By Yohai Schweiger
One of the most troubling trends to emerge in the cyber world in 2025 is the dramatic acceleration in how quickly attackers are able to exploit known security vulnerabilities—sometimes within hours of their public disclosure. Data collected throughout the year points to a sharp reduction in the time between the publication of a One-Day vulnerability and the appearance of real-world attack activity. The global average has fallen from around 30 days just a few years ago to roughly five days in 2025, with nearly a third of cases seeing exploitation in under 24 hours. This shift is no coincidence. It cuts across sectors, critical infrastructure, cloud environments, commercial organizations and service providers, and is closely tied to the growing use of artificial intelligence across the attack chain.
AI Shortens the Path From Disclosure to Breach
Two complementary lines of research from recent years reinforce the conclusion that this is a structural change rather than a temporary spike. On one hand, a series of academic studies published between 2023 and 2025 showed that advanced language models can turn vulnerability descriptions into working exploit code within minutes. The most prominent study in this space, published in 2024 and focused on GPT-4, found that the model successfully generated functional exploits in more than 80 percent of the cases tested, including for non-trivial One-Day vulnerabilities, and in development times far shorter than what had been considered normal in the past. On the other hand, empirical data from incident-response and security-operations teams shows that in 2025 more than 55 percent of vulnerabilities exploited in the wild were attacked before organizations managed to deploy the available patch, compared with roughly 40–50 percent in previous years. At the same time, average Time to Exploit has collapsed from about 30 days in 2022 to just five days in 2025. Together, these findings paint a clear picture of an AI-driven acceleration in which attackers are simply moving faster than defenders.
That picture is also recognized by Amir Preminger, CTO of Claroty, a company specializing in securing industrial and operational technology networks. “We’re seeing a clear acceleration in the time between vulnerability disclosure and real-world exploitation,” he says. “From the moment a vulnerability is published, the hourglass flips. Today it’s much easier both to weaponize a vulnerability and to identify who is exposed. The time it takes vendors to develop and distribute updates hasn’t shortened at the same pace, and that gap is exactly where attacks happen.”
Why One-Day Became the Preferred Target
One-Day vulnerabilities are flaws that have already been publicly disclosed, typically after being discovered by security researchers, software vendors, bug bounty programs or independent research teams. Once identified, they receive a CVE identifier—a standardized reference that allows vendors, organizations and security companies to track and coordinate remediation. Publishing a CVE does not mean systems are already fixed; it simply means the information is available and action can begin. Unlike Zero-Day vulnerabilities—flaws that are unknown to the public and lack an available patch—One-Day vulnerabilities are fully documented and accessible to everyone. Ironically, that transparency is exactly what makes them so attractive to attackers.
In recent years, and especially in 2025, the window between disclosure and full remediation has become the primary point of weakness. The median exposure window for critical vulnerabilities now stands at around 70 days, a figure that has barely changed since 2022. What has changed is what happens inside that window: far more malicious activity, and much earlier in the lifecycle of the vulnerability.
The fundamental shift is not in how quickly organizations respond, but in how fast attackers operate. Hackers are increasingly using language models and AI tools to analyze vulnerability disclosures, quickly understand exploitation mechanics and translate technical descriptions into active exploit code. What once required deep expertise and long development cycles has become a semi-automated process, where humans guide the system and the system does much of the heavy lifting.
In practice, the moment a One-Day vulnerability is disclosed, a two-sided race begins. Vendors release patches and security teams assess risk and plan deployment, while attackers simultaneously launch large-scale scans to locate unpatched systems and identify vulnerable versions. AI allows them to do this faster and at a scale that was previously impossible.
This is one of the main reasons One-Day vulnerabilities have become one of today’s most significant attack vectors. They offer a powerful combination of reliability and scale, particularly in edge products such as VPN gateways, web servers, management systems and cloud platforms that remain widely deployed in partially or completely unpatched environments.
The trend is also reflected in the industry metrics used to measure real-world risk. Time to Exploit has fallen from an average of around 30 days in 2022 to just five days in 2025, while the overall Exposure Window has remained largely unchanged at roughly 70 days. Patch Latency tells a similar story: in 2025, only about 30 percent of organizations deploy critical patches within 30 days, down from around 45 percent in 2022. Lists of vulnerabilities exploited in the wild show that roughly 50 percent of the vulnerabilities added in 2025 were One-Day flaws, with the median time between CVE publication and confirmed exploitation dropping to under 20 days.
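To compare an organization's own patch records against the metrics above, the following added example (not from the article or any vendor) computes them over constructed sample data. The record fields, the placeholder CVE IDs and the exact metric definitions are assumptions inferred from how the article uses the terms.

```python
from datetime import date
from statistics import median

# Constructed sample data: placeholder IDs and dates, not real CVEs.
RECORDS = [
    {"id": "CVE-EXAMPLE-0001", "published": date(2025, 3, 1),
     "first_exploited": date(2025, 3, 1), "patched": date(2025, 4, 20)},
    {"id": "CVE-EXAMPLE-0002", "published": date(2025, 3, 10),
     "first_exploited": date(2025, 3, 15), "patched": date(2025, 3, 12)},
    {"id": "CVE-EXAMPLE-0003", "published": date(2025, 4, 2),
     "first_exploited": date(2025, 4, 9), "patched": None},
    {"id": "CVE-EXAMPLE-0004", "published": date(2025, 4, 5),
     "first_exploited": None, "patched": date(2025, 6, 14)},
]

def time_to_exploit(rec):
    """Days from CVE publication to first observed exploitation, or None."""
    if rec["first_exploited"] is None:
        return None
    return (rec["first_exploited"] - rec["published"]).days

def exposure_window(rec, today):
    """Days from publication to patch deployment; open items run to today."""
    return ((rec["patched"] or today) - rec["published"]).days

def exploited_before_patch(rec, today):
    """True if exploitation was observed while this environment was unpatched."""
    if rec["first_exploited"] is None:
        return False
    return rec["first_exploited"] <= (rec["patched"] or today)

def summarize(records, today):
    """Aggregate the article's metrics over one organization's records."""
    ttes = [t for t in map(time_to_exploit, records) if t is not None]
    exploited = [r for r in records if r["first_exploited"] is not None]
    on_time = [r for r in records
               if r["patched"] and (r["patched"] - r["published"]).days <= 30]
    hit = [r for r in exploited if exploited_before_patch(r, today)]
    return {
        "median_time_to_exploit": median(ttes),
        "median_exposure_window": median(exposure_window(r, today) for r in records),
        "patched_within_30d": len(on_time) / len(records),
        "exploited_before_patch": len(hit) / len(exploited),
        # Unpatched and already exploited in the wild: mitigate first.
        "needs_mitigation_now": [r["id"] for r in records
                                 if r["patched"] is None and r["first_exploited"]],
    }
```

Calling `summarize(RECORDS, date(2025, 6, 30))` returns the medians, the two ratios and the list of still-open, already-exploited items that need a temporary mitigation ahead of the patch.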

“As Zero-Day vulnerabilities are expensive and difficult to develop, most attackers today focus on One-Day vulnerabilities simply because they’re more profitable,” Preminger says. “AI tools have accelerated not only exploit development but vulnerability research itself. Attackers understand this is the holy grail—once a vulnerability is disclosed, everyone races to be first through the door. It’s a cat-and-mouse game, and there’s no reason for attackers to change their strategy.”
For organizations and customers alike, the implication is a profound shift in mindset. The fact that a vulnerability is not a Zero-Day no longer provides breathing room. The first days after disclosure are the most dangerous, and during that period organizations must rely on rapid risk assessment and temporary mitigations, even if full patch deployment comes later. In an era where attackers operate at AI-driven speed, defense strategies can no longer depend solely on manual processes and comfortable timelines.
Ultimately, One-Day vulnerabilities have become one of the defining attack paths of the decade—not because they are new, but because the way they are exploited has changed. Artificial intelligence did not create the flaws, but it has dramatically shortened the time it takes for them to become truly dangerous. In that race, those who fall behind in the opening days may discover that the attack has already begun.
