The cybersecurity landscape has shifted aggressively and shows no signs of slowing down. We are currently witnessing a dramatic increase in the speed at which exploits are exploited; a previously steady stream of threats has turned into a deluge that is overwhelming traditional defense mechanisms.
A recent Forescout research report shows a staggering 46% increase in zero-day exploitation in the first half of 2025, alongside a 15% rise in published vulnerabilities, a rate that now averages 130 new CVEs per day when compared to the same period in 2024. This is not merely an incremental change; it is a fundamental alteration of the threat landscape that renders manual vulnerability management obsolete.
In a world where AI LLMs can vibe-code working exploits in minutes based only on the CVE ticket description, new approaches are clearly indicated. A recent report provides empirical evidence for what many security teams have felt anecdotally: on a case-by-case basis, the window of opportunity for taking defensive action is closing faster than ever before.
Reality in 2025: Hyper-velocity exploitation
This disparity creates what we identify as the "Velocity Gap." This gap represents the dangerous and widening distance between the speed at which adversaries can weaponize and exploit new vulnerabilities and the speed at which defenders can identify, prioritize, and patch them. As the volume and speed of real-world exploitations accelerate, security teams are finding that their traditional tools, designed for a slower era, cannot bridge this divide. The sheer math of the situation works against the defender; when hundreds of vulnerabilities are disclosed weekly, the time required to manually triage and test patches exceeds the time it takes for attackers to launch a successful compromise.
To understand the scale of the challenge, we must look at the specific pressures contributing to this velocity gap:
- Exploitation speed: The time between disclosure and active exploitation has compressed significantly, often measured in hours rather than days.
- Volume overload: With 130+ new CVEs daily, the burden on security teams increases exponentially, leading to more blind spots and unmanaged risk.
- Resource saturation: Manual patch prioritization is becoming increasingly unmanageable as teams struggle to filter signal from noise.
The "long tail" trap: Why old bugs still bite
There is a pervasive misconception in the industry that the primary danger lies solely in the latest and greatest threats. Security teams often pivot all resources toward the newest critical CVEs, assuming that older vulnerabilities have either been addressed or are no longer targeted. The data, however, contradicts this. A closer look at the threat landscape reveals that 47% of newly exploited vulnerabilities in H1 2025 were actually published before 2025. This statistic illuminates the "Long Tail" trap: while teams are distracted by the headline-grabbing zero-days, attackers are successfully leveraging legacy vulnerabilities that remain unpatched in the backlog.
This finding serves as definitive proof that traditional vulnerability management is failing to meet the moment. If nearly half of successful exploits are targeting known, older vulnerabilities, it indicates that organizations are drowning in a backlog of "legacy" CVEs. Teams are effectively paralyzed because they are still fighting fires from previous years, and they are unable to address the 130-plus new vulnerabilities daily. This creates a compounding debt of risk. Every day that a cybersecurity team spends on manually investigating a new threat is a day on which they aren’t reducing the existing attack surface. This leaves wide avenues open for opportunistic attackers who know that basic hygiene is often the first casualty of high-velocity warfare.
The failure here is not one of effort, but of methodology. Traditional scanning and prioritization tools are excellent at creating lists of problems, but they do not solve them. Without a mechanism to clear the backlog efficiently, the "Long Tail" of vulnerabilities will continue to grow, providing attackers with a stable and reliable inventory of entry points.
The attack surface has moved, and your agents can't always follow
For years, vulnerability management focused heavily on the traditional endpoints: servers, desktops, and laptops. As with any predators, however, attackers follow the path of least resistance. As endpoints have become harder to breach, adversaries have pivoted. Attackers are now frequently targeting "unexpected" devices, moving beyond standard IT assets to exploit IoT, connected equipment, and edge systems. The 2025 data indicates that 21% of known exploited vulnerabilities (KEV) now target network infrastructure such as firewalls, VPN concentrators, and routers. This expansion of the attack surface complicates the defensive strategy significantly because these assets often cannot support traditional security agents.
The report specifically notes a rise in the use of IP cameras and BSD systems for lateral movement. These devices are often unmanaged, rarely patched, and sit on the periphery of the network, making them perfect staging grounds for bypassing traditional endpoint protections. If a security strategy relies solely on agent-based tools, these devices remain invisible and vulnerable. The attackers are effectively exploiting the blind spots inherent in legacy vulnerability management architectures.
The growth in the subornment of both these attack avenues is doubly concerning for different reasons:
- BSD Unix: BSD-based systems have long had the reputation of being “even more secure than Linux”; this has led to a disproportionate use of this OS in “serious” infrastructure components like carrier-grade routers and firewalls. Aside from the potential individual (company) losses in revenue and reputation, the growth in attacks against infrastructure-level BSD systems can, as a matter of civil good, not be ignored.
- Networked (IP) cameras: IP cameras are becoming more ubiquitous, powerful, and useful every day. Recent research also indicates that they can be used as more than just wireless entry points into your physical network; it was demonstrated that hostile actors could potentially use subverted IP cameras to exfiltrate data from secure airgapped computers or networks via the indicator LEDs on the keyboards, monitors, PC cases, or external hard drives, with the network LEDs on infiltrated infrastructure hardware like routers and network switches perhaps not far behind.
To counter this, organizations must adopt a strategy that includes agentless visibility and remediation capabilities. Installing a proprietary agent on every router, smart camera, or legacy OT device is a practical impossibility. A modern defense requires the ability to monitor, reach out to, and remediate these “unmanageable” assets without the need to leave a permanent footprint.
Key shifts in the attack surface include:
- Network infrastructure targeting: Critical gateways like firewalls are now primary targets, requiring immediate, often agentless remediation.
- Peripheral exploitation: Devices like IP cameras are being used to establish persistence outside the view of EDR systems.
- Legacy system vulnerability: Older, embedded devices with older (but still exploitable) vulnerabilities are rapidly expanding the attack surface, creating blind spots that manual processes miss.
Waiting for detection: Too little, too late?
The cybersecurity industry has spent the last decade investing heavily in detection and response technologies. While these tools are vital, the H1 2025 landscape demonstrates their limitations. We are seeing a rising trend of “EDR Killers” and aggressive defense evasion techniques, such as Bring Your Own Vulnerable Driver (BYOVD) and the KillAV attacks that enabled infiltration and ransomware campaigns against various sections of network infrastructure and widespread enterprise-level security “solutions” like Symantec antivirus. Sophisticated threat actors are no longer just trying to hide from detection; they are actively dismantling and subverting the tools designed to catch them.
When an attacker can disable or bypass detection logic, a strategy that relies on "catching" the intrusion fails. In this environment, "detection-heavy" is a losing strategy because it assumes the safety net will always be there. If the alarm is silenced, the breach proceeds unnoticed. This reality underscores why remediation must be the foundation of security.
Remediation offers a deterministic outcome that detection cannot: the removal of the flaw itself. If a vulnerability is patched or mitigated, it cannot be exploited, regardless of whether the attacker has bypassed the EDR or killed the antivirus. Remediation removes the combustible material from the environment, ensuring that even if a spark lands, there is nothing to burn. In a world where detection can be evaded, eliminating the root cause (the vulnerability) might be the only reliable guarantee of safety.
Bridging the gap: The vRx remediation platform
To close the "Velocity Gap," organizations must shift their focus from merely identifying problems to actively solving them. vRx by Vicarius is purpose-built to address this specific need, evolving beyond traditional vulnerability management to focus on the most critical phase of the lifecycle: remediation. By prioritizing the "fix" over the "find," vRx helps security teams move faster from a passive state of "now we know" to an active state of "now it's fixed," relieving the burden on overworked teams drowning in detection data.
The remediation-first approach
vRx provides the automation necessary to handle both the surging influx of new zero-days and the persistent backlog of legacy CVEs that traditional tools leave behind. Crucially, the platform extends this capability to "unexpected" attack surfaces such as network infrastructure and edge systems, ensuring that the (traditionally unmanageable) assets currently being targeted by attackers do not become blind spots. By automating the remediation process, vRx closes exposure windows faster, reducing risk before the accelerating velocity of exploitation can take effect.
Better together: Agnostic integration
We recognize that no single tool provides perfect visibility. We designed vRx to be data-agnostic through our "Better Together" initiative. We partnered and integrated with key industry players to allow your teams to ingest vulnerability data from any scanner or detection tool they currently use, unifying the fragmented security stack as recommended by the report. Our philosophy is simple: if there is a vulnerability to fix, vRx should be able to help fix it, regardless of which tool detected it.
Regaining control: Why waiting is no longer an option
The data from the first half of 2025 sends a clear warning: the status quo is unsustainable. With zero-days on track to exceed 2024 records and ransomware attacks up 36%, the "wait and see" approach of manual prioritization is not just inefficient; it is dangerous. The velocity at which attackers operate, combined with the expanding attack surface and the persistence of legacy bugs, demands a remediation-first mindset.
Security teams can no longer afford to be mere observers of their own risk. To survive the velocity of modern threats, organizations must adopt automated remediation to eliminate the backlog and stay ahead of the curve. It is time to stop managing vulnerabilities and start fixing them. Book a vRx demo session today to see how automated remediation can transform your security posture.
