VulnCheck’s 2024 Known Exploited Vulnerabilities report documents a 20% year-over-year increase in actively exploited CVEs: 768 vulnerabilities confirmed exploited in real-world attacks during 2024, up from 639 in 2023. The report is the most comprehensive public dataset tracking exploitation velocity relative to public CVE disclosure. Full findings are available in the VulnCheck 2024 Exploitation Report.
Zero-Day Window: 23.6% of Exploited CVEs Hit Before or on Disclosure Day
The VulnCheck data shows that 23.6% of all actively exploited CVEs in 2024 were exploited on or before the day of public disclosure — meaning patches, advisories, and detection rules were unavailable at the moment of first exploitation. This is a slight improvement on 2023’s 26.8%, but it still means roughly one in four exploited vulnerabilities gives defenders zero advance warning. The practical implication is that signature-based detection and patch-on-disclosure workflows leave organizations exposed to the highest-risk subset of CVEs. CISA’s Known Exploited Vulnerabilities catalog serves as the authoritative public tracker for confirmed in-the-wild exploitation and is the recommended reference for prioritizing patch deployment.
Scale: 400,000 Internet-Facing Systems Exposed to 15 Critical CVEs
VulnCheck’s internet exposure scans identified approximately 400,000 publicly reachable systems still vulnerable to just 15 known critical CVEs — across products from Apache, Atlassian, Cisco, and Microsoft. The concentration of exposure in a small number of high-severity CVEs reflects two patterns: large installed bases of enterprise software that are slow to patch, and attackers’ rational focus on reliable, scalable exploit paths over novel zero-days. Only 1% of all publicly disclosed CVEs in 2024 saw active exploitation, confirming that attackers continue to work from a curated short-list of proven vulnerabilities rather than the full NVD catalog.
What Security Teams Should Prioritize Based on This Data
- Subscribe to CISA KEV catalog updates and treat any addition as a P1 patch event — KEV inclusion is the strongest available signal that a CVE is being actively exploited at scale.
- Run continuous exposure scans (not point-in-time assessments) against the 15 highest-exposure CVEs identified by VulnCheck for 2024 to confirm that internet-facing Apache, Atlassian, Cisco, and Microsoft products are patched.
- Implement patch SLAs differentiated by exploitation status: CVEs in the KEV catalog should be remediated within 48–72 hours for internet-facing systems, rather than waiting for the next quarterly patch cycle.
- For zero-day coverage gaps (the 23.6% exploited before disclosure), behavioral detection — anomalous process execution, unexpected outbound connections from application servers — provides earlier warning than signature-based rules that depend on public disclosure.
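As an added example (not from the VulnCheck report or CISA), the differentiated-SLA logic from the list above in Python: scan findings are cross-referenced against a feed shaped like CISA's KEV JSON and each (host, CVE) pair is assigned a due date by tier. Only the 72-hour KEV/internet-facing window comes from the article; the 14-day internal tier, the 90-day quarterly stand-in, the host names and the CVE-0000-* identifiers are constructed placeholders.

```python
"""KEV-driven patch SLA triage (added example, not from the VulnCheck report)."""
from datetime import datetime, timedelta, timezone

# SLA tiers. The 72-hour window for KEV entries on internet-facing systems
# follows the article; the other two values are assumed stand-ins for policy.
SLA = {
    "kev_internet_facing": timedelta(hours=72),
    "kev_internal": timedelta(days=14),   # assumed
    "quarterly": timedelta(days=90),      # "next quarterly patch cycle"
}
PRIORITY = {"kev_internet_facing": "P1", "kev_internal": "P2", "quarterly": "P3"}

def load_kev_ids(kev_feed: dict) -> set[str]:
    """Collect CVE IDs from a feed shaped like CISA's KEV JSON ("vulnerabilities" list)."""
    return {v["cveID"] for v in kev_feed.get("vulnerabilities", [])}

def classify(cve: str, internet_facing: bool, kev_ids: set[str]) -> str:
    """Map one finding to an SLA tier: KEV status first, then exposure."""
    if cve in kev_ids:
        return "kev_internet_facing" if internet_facing else "kev_internal"
    return "quarterly"

def triage(assets: list[dict], kev_feed: dict, now: datetime) -> list[dict]:
    """One work item per (host, CVE), most urgent first, flagged if past its SLA at `now`."""
    kev_ids = load_kev_ids(kev_feed)
    items = []
    for a in assets:  # asset: {"host", "internet_facing", "cves": [...], "detected": scan time}
        for cve in a["cves"]:
            tier = classify(cve, a["internet_facing"], kev_ids)
            due = a["detected"] + SLA[tier]
            items.append({"host": a["host"], "cve": cve, "tier": tier,
                          "priority": PRIORITY[tier], "due": due, "overdue": now > due})
    items.sort(key=lambda i: (i["priority"], i["due"]))
    return items

# Constructed sample data: CVE-0000-* are placeholders, not real vulnerabilities.
T0 = datetime(2024, 3, 10, tzinfo=timezone.utc)           # scan time
NOW_SAMPLE = T0 + timedelta(days=4)                        # 4 days on: the 72h SLA has lapsed
KEV_SAMPLE = {"vulnerabilities": [{"cveID": "CVE-0000-0001", "dateAdded": "2024-03-01"},
                                  {"cveID": "CVE-0000-0002", "dateAdded": "2024-03-05"}]}
ASSETS_SAMPLE = [
    {"host": "edge-proxy", "internet_facing": True, "cves": ["CVE-0000-0001", "CVE-0000-0003"], "detected": T0},
    {"host": "build-server", "internet_facing": False, "cves": ["CVE-0000-0002"], "detected": T0},
]

if __name__ == "__main__":
    for it in triage(ASSETS_SAMPLE, KEV_SAMPLE, NOW_SAMPLE):
        print(it["priority"], it["host"], it["cve"], it["tier"], "OVERDUE" if it["overdue"] else "on track")
```

In practice the KEV feed would be fetched from CISA's published JSON and the asset list from the continuous exposure scanner; both are embedded here so the block runs offline.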
The trend line from VulnCheck’s data suggests that exploitation volume will continue rising as threat actors build more automated scanning and exploitation infrastructure. The 768-CVE figure for 2024 represents confirmed exploitation with attribution; actual exploitation across all tracked CVEs is estimated to be substantially higher once lagging evidence collection is factored in.