In 2018, security teams had 63 days. That was the median time between a vulnerability going public and attackers weaponizing it. Not comfortable, but workable. Enough runway to prioritize, test, and deploy.

By 2024, that number was 5 days.

Not a typo. Mandiant’s threat intel shows a 92% collapse in time-to-exploit over six years. The window didn’t shrink gradually. It fell off a cliff.

And 2025? VulnCheck found 32% of exploited vulnerabilities were weaponized on or before the day the CVE was published. A third of them are exploited before the disclosure ink is dry.

React2Shell: hours, not days

Two weeks ago, CVE-2025-55182 dropped. CVSS 10. Unauthenticated RCE in React Server Components and Next.js. And 82% of JavaScript developers use React, per the State of JS survey.

The timeline:

  • November 29: Researcher discloses to Meta
  • December 3: Public disclosure and patch
  • December 3 (hours later): Amazon sees China-nexus groups scanning
  • December 4: Working exploits in the wild
  • December 5: Wiz, Microsoft, Darktrace confirm active exploitation

48 hours. That’s how long it took for botnets to integrate the exploit. Bitsight logged 68,000 requests across their honeypots. State-sponsored actors and cryptominers racing each other to pop servers.

Five days used to be the start of your response window. Now it’s the whole game.

Nine hours felt like forever

Colleagues at a security vendor had the vuln in their database within nine hours of disclosure. Some clients weren’t happy. Nine hours? When attackers move in minutes?

Fair point.

A few days later, Next.js disclosed follow-on vulns: CVE-2025-55183 and CVE-2025-55184. Lower severity. Source code exposure and DoS, not RCE. But this time the team got ahead of it. Proactive Slack messages. Here are the versions you’re running. Here are the affected container images. Here’s what to do.

The response was wildly positive. Not because the vulns were worse. They weren’t. Because the team reached out before clients had to ask.

The weird role shift

Here’s what surprised me. This wasn’t a threat intel company. They do appsec. But when React2Shell hit, clients weren’t just asking “am I vulnerable?” They wanted to know what was happening. Who’s exploiting it. Should they panic.

They could’ve gone to threat intel feeds. Watched GreyNoise or Wiz’s live blog. But they came to the vendor first. Probably because that vendor is already in their environment, watching their apps.

Don’t know if “security vendor as accidental threat intel provider” is a trend or just a React2Shell thing. But it’s interesting. When the window compresses to hours, you turn to whoever’s closest to your attack surface.

Drowning in CVEs

Here’s the other problem. It’s not just that attackers are faster. There’s also way more to patch.

Five years ago, about 50 new CVEs dropped daily. Now it’s 140. The first half of 2025 alone saw 21,500+ CVEs disclosed. That’s 133 new vulns every single day.

And it’s not like most of these are noise. 38% were rated High or Critical. Almost 1,800 were Critical (CVSS 9-10). Over 6,500 were High. When four out of ten vulns demand “urgent attention,” nothing is actually urgent anymore. Everything is on fire. Pick a fire.

Most teams can fix about one in ten issues. That’s it. The math doesn’t work. You’re triaging a flood with a bucket.

The result is patch fatigue. Alert fatigue. Priority fatigue. Security teams aren’t failing because they’re lazy. They’re failing because they’re buried. The volume of “critical” issues has made the word meaningless. When everything screams for attention, you stop hearing it.

Microsoft alone patched 1,139 CVEs in 2025. Second-largest year on record. And that’s one vendor.

AI makes this worse

That 5-day window? Already shrinking. AI is accelerating the collapse.

Researchers demonstrated AI systems generating working exploits for published CVEs in 10-15 minutes. Cost: about a dollar. The system reads the advisory, builds test apps, writes exploit code, validates it. No human required.

ReliaQuest found a 62% reduction in time-to-exploit (47 days to 18 days) and attributes it to GenAI helping attackers analyze scans and suggest optimal exploits faster than humans can.

In November, a Chinese state-sponsored group reportedly used an AI agent to autonomously execute 80-90% of an attack lifecycle. Recon, exploit writing, lateral movement, exfil. Weeks of tradecraft compressed into seconds.

Think about what that means. AI weaponizes a CVE in minutes for a dollar. Defenders are already losing the time race. AI doesn’t narrow the gap. It erases it.

The math that breaks everything

Zoom out:

  • Attackers weaponize in 5 days or less
  • 140 new CVEs drop every day
  • Teams can fix maybe 1 in 10
  • 85% of vulns aren’t patched after 30 days
  • Average breach detection: 212 days

Attackers are mass-exploiting while you’re still “evaluating impact.” By the time you schedule the change request, they’re in. By the time you detect the breach, they’ve been there seven months.

Patch Tuesday is a relic

Monthly patch cycles made sense when you had two months of breathing room. Vendor releases, testing windows, staged rollouts, change advisory boards. All of it assumed time was on your side.

That assumption is dead.

The traditional “7-day critical vulnerability fix” policy? Researchers are already saying it’s obsolete. When functional exploits emerge in minutes, not weeks, your SLA is a joke.

And that’s just known vulns. 75 zero-days were exploited in the wild last year. Your scanner can’t find what doesn’t exist yet.

The uncomfortable question

If patching can’t keep pace with exploitation, and scanning can’t catch zero-days, what’s the plan?

Not an argument against patching. Patch your systems. But if patching is your primary defense, if your security model assumes you’ll fix vulns before attackers exploit them, you’re running on 2018 assumptions.

The window closed. Most security programs are still scheduling next month’s patch review.