With Microsoft releasing its largest-ever Patch Tuesday replace in June, and the persevering with debate over the influence of synthetic intelligence (AI) and Anthropic’s Claude Mythos mannequin, new evaluation from US-based autonomous patch administration and endpoint safety consultants Action1 has warned that vulnerability development and structural shifts are outrunning the power of conventional, schedule-driven enterprise patching methods to maintain tempo.
Action1’s 2026 software program vulnerability rankings report revealed that in 2025 – nicely earlier than the debut of Claude Mythos – the full variety of disclosed vulnerabilities surged by 92% in contrast with 2024, with crucial and elevation of privilege (EoP) vulnerabilities doubling in quantity, and distant code execution (RCE) flaws rising by nearly 130%.
Put extra merely, mentioned Action1, the quickest development is happening in vulnerability lessons that almost all simply and readily expose companies to real-world compromises, cyber assaults, information breaches and different types of disruption.
The agency described this as a “warning shot” for enterprise safety leaders, pointing to a broader shift within the menace panorama during which menace actors are profiting from newly disclosed flaws sooner than any human cyber workforce can remediate them, and shrinking response home windows to hours in some circumstances.
“2025 marked a turning level in cyber safety operations,” mentioned Jack Bicer, director of vulnerability analysis at Action1. “Attackers are actually utilizing AI and automation to speed up vulnerability discovery and exploitation sooner than most organisations can reply. Many enterprises are nonetheless patching on human schedules whereas attackers function at machine velocity.”
Action1’s CEO and co-founder, Alex Vovk, added: “The menace panorama is now not simply larger – it’s sooner, extra automated, and more durable to detect. Patching velocity is now not merely an IT metric. It’s now a enterprise resilience metric.”
The menace panorama is now not simply larger – it’s sooner, extra automated, and more durable to detect. Patching velocity is now not merely an IT metric. It’s now a enterprise resilience metric Alex Vovk, Motion 1
Briefly, the report mentioned, these organisations that depend on handbook patching processes, rare scan cycles, or delayed upkeep home windows are actually falling behind operationally.
The necessity to introduce steady vulnerability administration and remediation workflows which might be able to lowering publicity home windows throughout probably the most continuously attacked targets, akin to enterprise purposes, community infrastructure, working programs and safety instruments, is now crucial, mentioned Action1.
“The amount and velocity of the 2025 menace atmosphere make it clear that any course of nonetheless depending on human scheduling and handbook deployment will fail to maintain up. Automation isn’t just an effectivity enchancment. It’s a survival requirement,” wrote the report’s authors.
Subsequent steps for figuring out and patching vulnerabilities
As an instantaneous first step, Action1 mentioned CISOs and safety leaders must audit how shortly they’re patching business-critical software program. Delaying patches for enterprise purposes and different platforms out of a need to not be disruptive or inconvenience customers is now a measurable enterprise danger. Patching have to be aligned with the menace atmosphere in thoughts, not the comfort of finance, HR or gross sales groups.
Past this, probably the most urgent precedence is the necessity to automate vulnerability administration in response, particularly in organisations that deal with probably the most delicate classes of information, akin to instructional and healthcare our bodies, or operators of crucial providers, akin to utilities and energy suppliers.
In these organisations, the power to deploy pressing updates mechanically and with out having to attend for upkeep home windows ought to now be adopted as the usual mannequin, however past this, automation also needs to be pushed throughout patch testing, verification and deployment.
Chief info safety officers (CISOs) ought to prioritise vulnerabilities primarily based on danger to the organisation, profiting from recognized metrics, akin to widespread vulnerability scoring system (CVSS) rankings, or recognized exploitation to focus their efforts – integrating menace intelligence is vital right here. And clear metrics for imply time to remediate (MTTR) by severity tier needs to be made a core benchmark.
However this doesn’t imply that low-risk vulnerabilities are essentially taking a again seat. Certainly, mentioned the report, safety leaders also needs to replace vulnerability prioritisation fashions to account for assault chaining, during which a number of low-severity points are mixed right into a extra damaging assault, enabling EoP or lateral motion. Patching service degree agreements (SLAs) for low-severity flaws must be reassessed to see whether or not present remediation timelines are nonetheless applicable, mentioned Action1.
