In 2020, the average exploit took 700 days to appear after a vulnerability was disclosed. By 2025, that was 44 days. Now Mandiant's M-Trends 2026 report puts 28.3% of CVEs exploited within 24 hours of disclosure.
Vendors aren't getting slower. Attackers are getting tools that write exploit code for them. And the downstream effect isn't just faster attacks - it's a different class of attacker entirely.
The Non-Technical Attacker Era Has Arrived
In February 2025, three teenagers with no coding background used ChatGPT to build a tool that hit Rakuten Mobile 220,000 times. They spent the money on gaming consoles.
In July, a single actor used Claude Code to run a month-long extortion campaign against 17 organizations. Malicious code written, stolen files organized, financials analyzed to set ransom amounts, extortion emails drafted. All of it through an AI coding interface. Alone.
By December, the same tooling was used to breach 10+ Mexican government agencies. 195 million taxpayer records exfiltrated.
These attacks required organized teams before 2025. Now one motivated person with a frontier LLM can pull them off solo. Malicious packages in public repos jumped 75% in 2025. Cloud intrusions climbed 35%. AI-generated phishing started outperforming human red teamers. The cost of entry didn't go down. It collapsed.
CVE-2026-41940: When Ransomware Goes Industrial
A critical authentication bypass in cPanel (CVE-2026-41940) was disclosed on May 2. By May 4 - 48 hours later - multiple threat actor groups were already mass-exploiting it.
Censys found 8,859 hosts with files encrypted by the .sorry extension. 7,135 of them running cPanel or WHM. The Sorry ransomware - a Go-based Linux encryptor - hit hundreds of web servers. Backups wiped. On a single day, Shadowserver flagged over 44,000 unique cPanel-related IPs running exploits or brute-forcing honeypots.
The ransomware was just the first wave. A parallel campaign used Mirai botnet variants to turn the same compromised servers into crypto miners and DDoS bots, pulling credentials from hosted accounts along the way.
And separately: nation-state actors used the same CVE for espionage. Government and military targets across Southeast Asia, plus MSPs and hosting providers in the Philippines, Laos, Canada, South Africa, and the US. Same vulnerability. Different objectives. Different actors. All within 48 hours of disclosure.
Linux Privilege Escalation Gets Another Upgrade
Microsoft researchers disclosed CVE-2026-31431 - "Copy Fail" - a high-severity Linux kernel flaw enabling reliable root privilege escalation across cloud environments. One of dozens of zero-days dropped in the past week. Google issued its fourth emergency Chrome patch of the year. Supply chain attacks keep multiplying. The pattern is consistent: your infrastructure has holes, and someone has already written the key.
The Remediation Nightmare
Average time to patch a critical CVE: 74 days. Average time to exploit: 2 days or less. 45% of vulnerabilities in large organizations never get remediated at all.
Faster patch cycles don't solve this. The math doesn't work.
Stop Playing Defense
The only strategies that actually hold up in 2026 eliminate entire vulnerability categories rather than chasing individual CVEs:
- Rebuild from verified, attributable source code. Stop trusting package repositories blindly.
- Implement zero-trust architecture so lateral movement fails even after initial breach.
- Treat supply chain integrity as a first-class control, not a checkbox.
- Build systems where "patch fast" isn't the primary defense.
For offensive security teams: update the playbook. If your pentest assumes finding unpatched systems, you're testing the wrong thing. Test what happens after the breach. How long until detection? How far does the pivot go? What can you exfiltrate before IR responds? Those are the questions that matter in 2026.
In December, Japanese police arrested a teenager in Osaka who breached Kaikatsu Club - Japan's largest internet cafe chain - and exfiltrated 7 million personal records. When they asked why, he said he wanted to buy Pokemon cards.
Not a hacker. A kid with ChatGPT and a goal. He succeeded.
The overlap between "willing to attack" and "technically capable" used to be a small slice. That slice is now most of the circle. Patching faster and hoping for the best is a 2023 strategy. In 2026, it's just a way to feel busy while falling behind.
Is your attack surface tested before attackers find it? uMercs AI-powered pentests deliver validated findings - not scanner noise - in days, not weeks. Visit umercs.com to get a quote.
Sources
The Hacker News: 2026: The Year of AI-Assisted Attacks - May 4, 2026
Help Net Security: Multiple threat actors actively exploit cPanel vulnerability (CVE-2026-41940) - May 4, 2026
Microsoft Security Blog: CVE-2026-31431 - Linux Privilege Escalation Copy Fail
Mandiant M-Trends 2026 Report
Chainguard: Malicious Package Detection Data, 2025
