Gartner Hype Cycle for AI and Cybersecurity

How AI Is Changing CVE Management (and Why Traditional Programs Can’t Keep Up)

For years, vulnerability management followed a familiar pattern. A standards laboratory published a common vulnerability or exposure (CVE), security teams assessed the risk, and organizations worked through remediation.

AI has compressed that timeline and added new complexity at nearly every stage. The result is a landscape of AI security vulnerabilities that looks different from what it did just a few years ago.

Key Takeaways

  • 48,185 CVEs were published in 2025, a record averaging 131 new disclosures per day.
  • AI has collapsed time-to-exploit: the average window from disclosure to working exploit fell from 745 days in 2020 to under 12 hours by 2026.
  • AI-generated code (vibe coding) is directly manufacturing new CVEs: AI-authored pull requests generate 2.74x more security issues than human-written code.
  • 54% of CVEs published in 2025 had no detection signature from major scanners at the time of disclosure.
  • The CVE tracking infrastructure is under strain: The National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) will now enrich only 15-20% of incoming CVEs; The MITRE Corporation’s CVE program nearly collapsed in April 2025.
  • The only viable response is AI-powered detection with automated response; teams can no longer rely on manual CVE triage at this scale.

Why CVE Volume Is Breaking Records

Take a look at the numbers behind this massive shift.

According to the latest CVE statistics, vulnerability disclosures continue to accelerate thanks to AI. Security teams must scramble to manage an expanding attack surface.

AI-Generated Code Is a CVE Factory

AI is changing how software is built, introducing new security flaws that become tomorrow’s CVEs.

  • AI-generated code produces 2.74x more security vulnerabilities than human-written code, according to CodeRabbit’s “2025 State of AI vs. Human Code Generation” report.
  • The rise of “vibe coding” is putting more insecure code into production. Developers rely on AI to generate applications with limited human review.
  • Georgia Tech’s Vibe Security Radar identified 56 CVEs linked to AI-generated code in the first quarter of 2026 alone. Those CVEs included 14 critical and 25 high-severity vulnerabilities, such as command injection, authentication bypass, and server-side request forgery.
  • The true number of AI-generated CVEs is likely much higher. Georgia Tech researchers estimate 400-700 AI-generated code vulnerabilities exist in open-source software. Many cannot be reliably traced because AI coding tools leave little or no identifiable commit metadata.

How AI Is Accelerating Exploitation

AI in cybersecurity brings new challenges because vulnerability detection must operate extremely rapidly.

Time-to-Exploit Has Collapsed

AI-assisted exploit development has dramatically shortened the evaluation timeline. It leaves little room for manual assessment before attackers move.

  • In 2020, organizations had an average of 745 days between a CVE’s public disclosure and the release of a working exploit.
  • By 2025, that window had shrunk to just 44 days across all exploited CVEs.
  • By early 2026, AI-assisted exploit development reduced the average time-to-exploit to under 12 hours. Exploits often appeared before patches, detection signatures, or risk assessments.
  • Nearly one-third (28.3%) of exploited CVEs were weaponized within 24 hours of disclosure in Q1 2025, up from 23.6% the previous year.

AI Is Finding Zero-Days Before Defenders Do

It’s changing who finds vulnerabilities first.

The Defender’s Dilemma: Exploits Before Signatures

Signature-based detection is increasingly insufficient as a primary defense layer. As exploit development outpaces scanner updates, organizations are left with a growing window of exposure.

  • More than half (54%) of CVEs disclosed since January 2025 had no detection signature from Tenable, Qualys, or Rapid7 at the time they were published.
  • For 62% of critical vulnerabilities with known exploits, attackers had working exploit code before scanner detection signatures were available.

LLMs Like Claude and Codex Are Being Weaponized as Exploit Generators

Large language models (LLMs) are simultaneously a new exploit generation tool for attackers and a new attack surface introducing vulnerabilities of their own. The barrier to developing functional exploits from published CVEs is collapsing.

  • Claude Fable 5 was jailbroken within days of its June 2026 launch, using a multi-agent technique that generated step-by-step guidance for exploiting Linux stack buffer overflows.
  • A critical command injection vulnerability in OpenAI Codex allowed attackers to steal GitHub access tokens through malicious branch names passed into unsanitized environment setup scripts.

How AI Is Generating New Vulnerabilities

AI Frameworks and Models as Attack Surfaces

Attackers are shifting from infrastructure to AI applications. Trend Micro reported an 80.4% year-over-year increase in LLM-related CVEs in 2025. Meanwhile, machine learning frameworks such as TensorFlow, PyTorch, and MLflow now account for more than 1,600 known vulnerabilities.

Prompt injection, model poisoning, and AI supply chain attacks have emerged as major attack categories. They create risks that barely existed just a few years ago

Insecure-by-Default AI Integration

Many AI-generated applications work as intended. That doesn’t mean they’re secure by default. CVE-2025-48757 exposed how AI-generated code canship with insecure default configurations. For example, an AI coding platform created Supabase database schemas without Row Level Security policies. These allowed authenticated users to access or modify other users’ data.

AI coding tools can also inherit insecure patterns from the public repositories they are trained on, introducing vulnerabilities such as:

  • Authentication flaws
  • Exposed secrets
  • Injection risks

As AI-generated code becomes part of future training data, those weaknesses can be repeated and reinforced over time.

The CVE Infrastructure Is Under Strain

The NVD Enrichment Crisis

The NVD has long provided the enriched metadata that vulnerability management tools rely on to assess and prioritize risk. On April 15, 2026, NIST announced it would transition the NVD to a triage model, enriching only an estimated 15-20% of incoming CVEs and reclassifying roughly 29,000 backlog vulnerabilities as “Not Scheduled.”

As a result, many new CVEs will lack key information such as:

  • Common Vulnerability Scoring System (CVSS) scores
  • Common Platform Enumeration (CPE) identifiers
  • Common Weakness Enumeration (CWE) mappings

This growing portion of CVEs will be difficult for traditional scanner-based programs to analyze and prioritize.

The 2025 MITRE Funding Crisis

In April 2025, the Department of Homeland Security contract supporting MITRE’s CVE and CWE programs expired without immediate renewal. The program came within hours of shutting down before CISA issued an emergency 11-month extension.

While the immediate crisis was avoided, long-term funding remains uncertain. Alternative systems such as the European Union Vulnerability Database (EUVD) and the Global CVE (GCVE) initiative have begun to emerge. Although additional vulnerability databases may improve resilience, they could also introduce inconsistencies for organizations that have long relied on CVEs as a universal identifier.

How AI Is Helping Defenders Close the Gap

Just as AI is changing threats, it’s also providing the solutions.

AI-Powered Prioritization

Modern vulnerability management platforms use AI to score exploit probability rather than just CVSS severity. This gives teams a ranked remediation list based on real-world risk signals.

AI can correlate CVE data with asset inventory, network exposure, and observed attacker behavior to surface what actually needs patching first.

AI prioritization engines then train on historical exploit behavior, threat actor activity, and global telemetry. They predict which CVEs attackers will weaponize next, giving teams an actionable, ranked list rather than a wall of critical-rated noise.

AI-Powered Triage and Decision Support

A ranked list still has to be acted on, and that’s where triage becomes the bottleneck. Security teams don’t just need to know what’s risky — they need to know what to do about it right now, with limited headcount and limited time.

AI-driven triage tools take prioritization a step further by automating the decision layer: separating findings that need immediate human judgment from those that can be auto-remediated, deferred, or grouped with related issues. Instead of an analyst manually opening dozens of tickets, the system clusters related vulnerabilities, flags which ones share a root cause or affect the same exposure path, and recommends a single course of action across the group.

This compresses the time between finding risk and acting on the information, turning triage from a manual, ticket-by-ticket slog into a guided decision process that analysts can move through in minutes rather than hours.

AI-Driven Detection and Autonomous Response

When exploits arrive before patches, detection and response speed is a more powerful lever than remediation speed. Once a vulnerability has been prioritized and triaged, AI-powered detection systems watch for signs it’s actively being exploited and can trigger containment automatically based on pre-determined rulesets.

This is what closes the gap between CVE disclosure and full vulnerability understanding: instead of detection, triage, and response happening as separate manual steps, AI compresses them into a continuous loop that keeps pace with attacker speed.

What This Means for Your Security Program

A few pillars of your security program will need to shift in order to address AI-enabled threats.

Traditional Patch Management Is No Longer Sufficient

A weekly or daily patch cadence cannot close a sub-12-hour exploitation window, for several reasons:

  • Scanner-based vulnerability management misses 54% of new CVEs at disclosure, the exact moment when exploitation risk is highest.
  • Manual CVE triage of 131 disclosures per day is operationally unsustainable for most security teams.
  • Programs that rely solely on CVSS scores for prioritization work from incomplete risk signals, especially now that NVD is enriching less than 20% of new CVEs.

The New Baseline: AI-Native Detection With Expert Backup

AI has also changed what organizations should expect from their security platforms. Behavioral detection identifies exploitation in progress rather than flagging vulnerable assets. Autonomous response helps contain threats at machine speed instead of waiting for manual approval.

At the same time, organizations need visibility across endpoints, identities, networks, cloud environments, and Software-as-a-Service (SaaS) applications to eliminate blind spots that attackers can exploit. AI may accelerate detection and response, but experienced security analysts remain critical for investigation, validation, and high-impact decisions.

Specific Actions for Security Teams and MSPs

Organizations should reassess both their vulnerability management processes and their detection capabilities. Security teams and Managed Service Providers (MSPs) should consider the following actions:

  • Audit Your Detection Coverage. Determine whether your security tools can detect exploitation attempts before scanner signatures become available.
  • Assess Your AI-Generated Code Exposure. Identify where AI is being used in development and ensure those repositories are scanned with security-focused tooling.
  • Measure Your Response Against Today’s Threat Timeline. Compare your time-to-detect and time-to-respond metrics against the emerging sub-12-hour exploitation window.
  • Eliminate Response Bottlenecks. Ensure your Managed Detection and Response (MDR) strategy can contain active threats without manual approval delays that allow attackers more time to operate.

How Cynet Addresses the AI-Accelerated Threat Landscape

AI compresses the time between vulnerability disclosure and exploitation. Cynet’s unified AI-powered cybersecurity platform is designed for this reality, combining autonomous detection, automated response, and unified visibility across the attack surface.

CyAI: Autonomous Detection That Operates at Machine Speed

A single agent provides visibility across endpoint, network, identity, email, SaaS, and cloud environments, reducing the blind spots attackers increasingly exploit.

  • Organizations facing short exploitation windows need response capabilities that operate faster than manual workflows. CyAI delivers 97% autonomous detection and more than 90% automated remediation to contain threats without waiting for scanner signatures or manual Security Operations Center (SOC) approval.
  • A 100% MITRE ATT&CK detection rate for three consecutive years demonstrates coverage against the techniques used in real-world attacks, including AI-assisted campaigns.
  • Less than a 1% false positive rate enables organizations to automate response without overwhelming analysts with unnecessary alerts.

CyOps: 24/7 MDR When Exploits Arrive Before Patches

When attackers can weaponize vulnerabilities before patches are available, organizations need expert support that is already in place. CyOps, Cynet’s 24/7 MDR service, is included with the platform rather than offered as an add-on or separate contract, so response begins immediately when new threats emerge.

Combined with CyAI’s autonomous detection and remediation, CyOps provides the speed of AI with the expertise of experienced security analysts for complex investigations and high-impact decisions.

Built for MSP Scale

Cynet’s multi-tenant architecture and unified licensing enable providers to manage vulnerability detection and response across all clients from a single platform. AI-driven detection and threat intelligence are applied consistently across tenants. Plus, Cynet for MSPs helps providers respond quickly as new vulnerabilities and exploitation techniques emerge.

Request a demo to see how Cynet helps organizations stay ahead of today’s time-sensitive threat landscape.

FAQs

What is a CVE?

A Common Vulnerabilities and Exposures (CVE) entry is a standardized identifier for a publicly disclosed software vulnerability. Each entry is assigned a unique identifier (e.g., CVE-2025-37899), a severity score (CVSS), and a description. Managed by MITRE and enriched by the NVD, CVEs help security teams identify, prioritize, and remediate vulnerabilities.

How is AI being used to exploit CVEs?

AI accelerates vulnerability discovery, exploit development, reconnaissance, and other stages of the attack lifecycle.

As a result, the time between CVE disclosure and active exploitation has dropped dramatically. Instead of 745 days (2020), defenders have under 12 hours (by 2026) to respond.

Of all exploited CVEs in Q1 2025, 28.3% were weaponized within 24 hours of disclosure.

How is AI being used to defend against CVEs?

AI helps security teams:

  • Prioritize vulnerabilities based on exploit likelihood
  • Detect suspicious behavior before signatures are available
  • Automate investigation and response

The most effective approaches combine AI speed with human expertise.

What is the biggest challenge with CVE management in 2026?

Security teams are facing record CVE volume, faster exploitation, and increasing strain on the vulnerability ecosystem.

This looks like 131 new CVEs per day, sub-12-hour exploitation windows, and an NVD that now enriches less than 20% of new submissions. The signature gap compounds this: 54% of 2025 CVEs lacked scanner signatures at disclosure, leaving teams blind to risk they cannot yet measure.

SUBSCRIBE

Briefings in your Inbox

Original CyOps research, monthly threat intel, and early access to webinars. No fluff. Unsubscribe anytime.

Related Posts

How Cynet Uses AI in Security Operations: Volume, Value, Velocity
Gartner® Hype Cycle™ 2025: Cybersecurity AI Assistants and AI SOC Agents

Reading is great. Seeing is better.

See Cynet's unified AI-powered platform in a 30-minute walkthrough tailored to your environment.

Search results for: