Last week, Fortinet's CISO Carl Windsor confirmed what collapsing time-to-exploit windows have made inevitable: devices running the latest firmware, fully patched and compliant, were still compromised.
"In the last 24 hours, we have identified a number of cases where the exploit was to a device that had been fully upgraded to the latest release at the time of the attack, which suggested a new attack path," Windsor stated.
Fully patched. Fully compromised.
The December patches for CVE-2025-59718 and CVE-2025-59719 left gaps. Those gaps became CVE-2026-24858, an incomplete fix that attackers continued exploiting. Of 25,000 FortiGate devices exposed online with FortiCloud SSO enabled in mid-December, 11,000 remain reachable as of late January. That's a 56% remediation rate across six weeks for a critical vulnerability under active exploitation.
Fortinet disabled FortiCloud SSO globally on January 26 as emergency mitigation. That's the vendor admitting the patch wasn't enough.
This pattern extends beyond Fortinet. It challenges how security teams approach vulnerability management across every platform.
The 5-Day Window
Why time-to-exploit matters: When attackers weaponize vulnerabilities within 5 days of disclosure—and 32% are exploited on day zero—traditional quarterly patch cycles cannot keep pace. This 84% compression demands fundamentally different prioritization and response strategies.
Time-to-exploit has collapsed. In 2024, organizations had roughly 32 days between vulnerability disclosure and active exploitation. Today, that window has shrunk to 5 days.
That's an 84% compression of your response window.
The picture gets bleaker when you examine the data more closely. According to vulnerability research from H1 2025, 32.1% of vulnerabilities were exploited on or before the day they were publicly disclosed. One in three vulnerabilities is weaponized before most organizations know it exists. And 50-61% had exploit code weaponized within 48 hours. Threat actors now reverse-engineer patches within 72 hours as standard practice.
Recent examples from the past month:
• SmarterMail: Exploited within 2 days of patch release
• Fortinet CVE-2025-59718: Weaponized 3 days after the patch dropped
• Fortinet CVE-2026-24858: A new zero-day that emerged after the previous patch
Your quarterly patch cycle cannot compete with a 5-day exploitation timeline.
Patches Have Become Attack Roadmaps
Your patches are being studied. Not by your team. By the adversaries targeting you.
WatchTowr Labs documented it directly: "This demonstrates that attackers actively monitor release notes and perform patch diffing on high-value targets. Given that this vulnerability is already under active exploitation, upgrading is not optional."
Patch diffing is the practice of comparing code before and after a security fix to identify exactly what changed. Attackers download the patch, decompile the binaries, diff the changes, and identify exploitable conditions. The fix becomes a roadmap to the vulnerability.
The Zero Day Initiative (ZDI) estimates that 10-20% of vulnerabilities they analyze are direct results of faulty or incomplete patches. ZDI's Dustin Childs captured the problem: "So that bug is still there and exploitable to threat actors, except now they've been informed of it."
The cascade is real. Fortinet's CVE-2025-59718 patch led directly to CVE-2026-24858. Fixing one problem illuminated another. Attackers were watching.
Persistence That Survives the Cure
Modern attackers don't just move fast. They plan for what happens after you respond.
Arctic Wolf researchers tracking the Fortinet compromises discovered something alarming: attackers deployed symlink-based backdoors specifically designed to survive patching, firmware upgrades, and factory resets. By April 2025, 16,620 devices had been compromised with the symlink backdoor—a number that kept growing.
One researcher put it bluntly: "We have seen, numerous times, attackers deploy capabilities and backdoors after rapid exploitation designed to survive the patching, upgrade and factory reset processes organizations have come to rely on to mitigate these situations. This is straight-up terrifying."
Even if you patch immediately, attackers who reached your systems during the exploitation window may persist. That patch may not evict them. You can be fully patched and already compromised from before the patch existed.
The Math That Breaks the Model
The strategic problem becomes clear when you look at the numbers.
Many enterprises struggle to remediate more than 15-20% of their vulnerabilities per month. Meanwhile, 60% of breached organizations had patches available at the time they were compromised. This mirrors the broader challenge of security backlog, where organizations face capacity constraints that prevent timely patching.
When time-to-exploit is 5 days and your remediation rate is 16% monthly, the arithmetic fails. You cannot patch your way to safety at current industry velocities.
None of this argues against patching. Patching remains essential baseline hygiene. But measuring security posture by patch compliance percentage is like measuring fitness by gym membership. The metric matters less than the outcome it's supposed to represent.
Three Strategic Shifts
The collapse of time-to-exploit demands operational changes:
1. Prioritize by exploitability, not severity.
CVSS scores measure theoretical severity. Exploitability data measures actual risk. When 32% of vulnerabilities are weaponized on disclosure day, the vulnerability with a working exploit matters more than the one with a higher CVSS score and no observed activity.
2. Assume pre-patch compromise.
If attackers can establish persistence before your patch cycle completes, your detection strategy needs to identify indicators independent of patch status. Don't ask "are we patched?" Ask "were we compromised during the window?" This requires shifting from patch percentage metrics to exploitability-based prioritization, focusing detection efforts on what actually poses risk.
3. Measure remediation velocity, not patch percentage.
Time-to-remediation for critical, actively-exploited vulnerabilities is the metric that matters. Not what percentage of your fleet is patched, but how quickly you close exposure when it counts. Organizations optimizing for velocity are moving toward automated remediation strategies that go beyond patching to include context-aware mitigation.
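To make the three shifts concrete, here is an added example (not from the original article) that ranks a constructed vulnerability inventory by exploitation evidence ahead of CVSS, and reports exposure days for actively exploited findings instead of a fleet patch percentage. The CVE identifiers, dates and scoring weights are placeholders chosen for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Vuln:
    cve: str
    cvss: float
    exploited_in_wild: bool            # exploitation intelligence: activity observed
    exploit_public: bool               # public exploit code exists
    disclosed: date
    remediated: Optional[date] = None  # None means still open

def priority(v: Vuln, today: date) -> float:
    """Exploitation evidence dominates; CVSS only breaks ties (weights are assumed)."""
    score = 100.0 if v.exploited_in_wild else 50.0 if v.exploit_public else 0.0
    if (today - v.disclosed).days <= 5:  # still inside the 5-day exploitation window
        score += 20.0
    return score + v.cvss

def rank_by_exploitability(vulns, today):
    return [v.cve for v in sorted(vulns, key=lambda v: priority(v, today), reverse=True)]

def rank_by_cvss(vulns):
    return [v.cve for v in sorted(vulns, key=lambda v: v.cvss, reverse=True)]

def patched_percentage(vulns) -> float:
    """The compliance-style metric the article argues against."""
    return 100.0 * sum(v.remediated is not None for v in vulns) / len(vulns)

def exploited_exposure_days(vulns, today):
    """Days each actively exploited vuln stayed (or stays) open: the velocity metric."""
    return {v.cve: ((v.remediated or today) - v.disclosed).days
            for v in vulns if v.exploited_in_wild}

def overdue_exploited(vulns, today, window_days=5):
    """Actively exploited vulns still open beyond the exploitation window."""
    return [v.cve for v in vulns
            if v.exploited_in_wild and v.remediated is None
            and (today - v.disclosed).days > window_days]

# Constructed sample inventory; the CVE ids are placeholders, not real advisories.
TODAY = date(2026, 1, 30)
SAMPLE = [
    Vuln("CVE-0000-0001", 9.8, False, False, date(2026, 1, 10)),
    Vuln("CVE-0000-0002", 7.5, True, True, date(2026, 1, 20), date(2026, 1, 25)),
    Vuln("CVE-0000-0003", 8.1, False, True, date(2026, 1, 28)),
    Vuln("CVE-0000-0004", 6.5, True, False, date(2026, 1, 5)),
]

if __name__ == "__main__":
    print("CVSS order:          ", rank_by_cvss(SAMPLE))
    print("Exploitability order:", rank_by_exploitability(SAMPLE, TODAY))
    print("Patched %:", patched_percentage(SAMPLE), "Exposure days:", exploited_exposure_days(SAMPLE, TODAY))
    print("Exploited and overdue:", overdue_exploited(SAMPLE, TODAY))
```

On this sample the CVSS ordering puts the unexploited 9.8 first, while the exploitability ordering moves both in-the-wild findings to the top; the 25% patched figure hides that one actively exploited vulnerability has been open for 25 days against a 5-day window.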
The New Operating Reality
Patching remains table stakes, not obsolete.
The organizations that navigate this environment successfully treat patching as one component of a remediation strategy, not the entire strategy. They prioritize based on exploitation intelligence, hunt for compromises that predate patches, and measure security by how fast they can respond.
The 32-day window is gone. The 5-day reality is here. The question for security teams isn't whether to keep patching. It's what else needs to change.
Your remediation strategy was built for a different threat landscape. The landscape shifted. Has your strategy?