Known (Re-)Exploited Vulnerabilities (series 1 of 5)
This is the first post in a series of five posts exploring what happens after a vulnerability is known to have exploitation activity (link to second post).
Takeaways:
If all we know is that a vulnerability has had known exploitation activity at some point in the past, there is a 33% chance that we observe exploitation activity tomorrow.
There is a lot of nuance when measuring (re-)exploitation activity after the first known exploitation because exploitation activity fluctuates wildly and is bursty.
Once a vulnerability has been exploited, it’s likely not just a one-time event, but it’s also not an immediate justification to panic.
Conventional wisdom in cybersecurity tells us that if a vulnerability is known to be exploited, everyone should patch it immediately. As a result, we get helpful researchers and/or security companies (that tend to sell solutions, but set that aside) announcing that this or that vulnerability has been exploited. They usually do this through a blog or a special publication or maybe a post on social media; some will focus on the vulnerability while others mention it casually in passing. Other helpful folks attempt to turn these mentions into a collected list of “known exploited vulnerabilities”, or a KEV for short. That’s what defenders get: a list of vulnerabilities that, at a single point in history, have (likely) been exploited in the wild. The lists aren’t often updated and just keep growing… So how helpful are these lists?
I’ve attempted to answer this seemingly simple question in the past. At the inaugural VulnCon conference I presented several findings from my research into exploitation activity. I’ll summarize some points here:
Exploitation is not an on/off state - Past exploitation does not guarantee future exploitation and just because we saw something exploited in the past does not mean we will see it exploited again. In reality, most exploitation activity is sparse and bursty.
Exploitation is not widespread - only about 6% of vulnerabilities with exploitation activity were detected at more than 1% of data collection points. You are more likely to flip a coin and get heads 13 times in a row than observe most vulnerabilities being exploited.
I’ve been trying to figure out how to describe the (sparse) patterns in exploitation activity more accurately and succinctly. Unfortunately I am realizing that a succinct description is not so easy. It can be deceiving to just treat exploitation (or even re-exploitation) as a binary, and it’s hard to compare a vulnerability with widespread, long-lasting activity to a relative newcomer with sparse activity. There are no nice neat distributions here.
Testing “Known Exploited” vs “Future Exploited”
Question: What is the probability of observing future exploitation activity, given that there is known exploitation activity in the past?
Short answer: 32% - About one-third of the days recorded exploitation activity after the initial day with exploitation activity, but it fluctuates over time.
We leveraged our dataset containing only CVEs (vulnerabilities) that had already been exploited at least once — no hypothetical risks, just real-world activity. In our data, we are approaching nearly 17,000 CVEs with exploitation activity over the past several years. For each CVE and every day after the first known exploitation, we answered:
Was there exploitation the next day?
Did exploitation happen within the next 7 days?
Was there any exploitation activity in the next 30 days?
We rolled this analysis through the dataset using a 12-month sliding window — meaning, we always focused on just the most recent 12 months of data to calculate these frequencies. This helps capture and visualize how exploitation patterns change over time.
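The measurement described above, written out as an added example (not the post's own analysis code, and run on a small constructed sample rather than the real telemetry): for every CVE and every day after its first observed exploitation, it asks whether activity recurs within the next 1, 7 and 30 days, counting only days inside a sliding look-back window ending at `as_of` and only where the full forward window is already observable. The CVE identifiers are placeholders.

```python
from datetime import date, timedelta

# Constructed sample (not real telemetry): CVE id -> dates on which exploitation
# activity was observed. Identifiers are placeholders, not real CVEs.
SAMPLE = {
    "CVE-0000-00001": {date(2024, 1, 1), date(2024, 1, 2), date(2024, 1, 3), date(2024, 1, 10)},
    "CVE-0000-00002": {date(2024, 1, 5)},
}
# End of the constructed data set; the sliding window is measured back from here.
AS_OF = date(2024, 2, 5)


def forward_rates(observations, as_of, windows=(1, 7, 30), lookback_days=365):
    """Re-exploitation frequencies in the shape the post describes.

    For every CVE and every day d after its first observed exploitation, ask
    whether activity was observed again within the next w days (d+1 .. d+w).
    Only days inside the look-back window ending at `as_of` are evaluated, and
    only where the whole forward window lies within the data we already have.
    Returns {w: {"days": evaluated_days, "hits": days_with_repeat, "rate": hits/days}}.
    """
    start = as_of - timedelta(days=lookback_days)
    stats = {w: {"days": 0, "hits": 0} for w in windows}
    for seen in observations.values():
        first_seen = min(seen)
        d = max(first_seen + timedelta(days=1), start)
        while d <= as_of:
            for w in windows:
                if d + timedelta(days=w) > as_of:
                    continue  # forward window extends past the data we have
                stats[w]["days"] += 1
                if any(d + timedelta(days=k) in seen for k in range(1, w + 1)):
                    stats[w]["hits"] += 1
            d += timedelta(days=1)
    for s in stats.values():
        s["rate"] = s["hits"] / s["days"] if s["days"] else None
    return stats


if __name__ == "__main__":
    for w, s in forward_rates(SAMPLE, AS_OF).items():
        print(f"next {w:>2} days: {s['hits']}/{s['days']} -> {s['rate']}")
```

Even on this tiny sample the three windows separate the way the post describes: a burst of three consecutive days followed by a single later hit gives a low next-day rate but a high 30-day rate.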
So, what did we find?
Here are the numbers:
On any given day after a CVE has known exploitation activity, there’s a 32.3% chance that exploitation happens again “tomorrow”.
There’s a 52% chance that exploitation happens at least once in the next 7 days.
And looking a bit further, there’s a 65.1% chance that exploitation happens again within the next 30 days.
The difference between these three forward-looking windows highlights the sparseness and burstiness of exploitation activity. If exploitation activity were binary (once exploited, always exploited), these would be much closer together. But since activity is bursty, it’s more likely to see exploitation activity over a 30-day window than a 7-day window.
Why does this matter?
It’s certainly good advice to prioritize anything with known exploitation activity, but our data shows the reality is a little more nuanced. Once a vulnerability has been exploited, it’s likely not just a one-time event, but it’s also not an immediate justification to panic. Additionally, just saying it’s been exploited in the past is an absolute bare minimum of information. As we will get into in the next post, it’s a lot more helpful to have systemic detection in place and know when the most recent exploitation activity occurs. Stay tuned!
Go on to read the second post in the series.