Latest News, Jan 20
88% of Major Firms Leave Critical Cyber Vulnerabilities Exposed for Six Months or More
A new analysis of over 2,000 global organizations reveals that despite the availability of fixes, the vast majority of companies exposed to active exploits are failing to patch critical security flaws in a timely manner.
Almost nine in 10 major companies exposed to actively exploited cyber vulnerabilities remain at risk for six months or more, despite available fixes, according to a new study by cyber risk analytics provider KYND. The findings suggest a widespread and dangerous delay in essential maintenance among the world’s largest firms, creating a persistent gap between the detection and remediation of high-stakes security flaws.
The analysis examined more than 2,000 organizations, including companies from the FTSE 350 and S&P 500. Researchers discovered that 11% of these organizations were currently exposed to actively exploited vulnerabilities—weaknesses that threat actors are leveraging in real-world attacks. Of that exposed group, a staggering 88% had remained vulnerable for at least six months.
KYND’s analysts identified risks spanning critical infrastructure, web applications, and widely used enterprise software such as Oracle, WordPress, and Apache. The study focused exclusively on vulnerabilities known to be actively exploited, with the most prevalent type being remote code execution (RCE). Accounting for 31% of the top vulnerabilities, RCE flaws allow attackers to run malicious commands on a system without physical access or valid credentials.
Recent incidents highlight the urgency of this issue. In October 2025, a critical flaw in Microsoft Windows Server Update Services was exploited, granting attackers full control over unpatched servers and prompting emergency advisories from the Cybersecurity and Infrastructure Security Agency.
Andy Thomas, KYND’s CEO and founder, noted that leaving such risks unaddressed signals deeper issues beyond IT security. “When exposure lasts for months, it’s rarely a one-off; it’s a behavioural signal that an organization struggles with remediation in general,” Thomas said. “As demand for cyber coverage continues to grow, cyber insurers are increasingly recognizing that it’s not just the number of vulnerabilities that matters, but how quickly critical vulnerabilities are addressed.”
Executive IT Forums, Inc.
Copyright © 2026 Executive IT Forums, Inc. All Rights Reserved.