50-61%
of newly disclosed high-severity CVEs have weaponized exploit code within 48 hours of public disclosure
26%
of CISA KEV vulnerabilities were fully remediated by organizations in 2025 — the catalog tells you what is being exploited, not what is being fixed
21,500+
CVEs published in the first half of 2025 alone — roughly 130 new disclosures per day requiring triage
61%
of CVEs are scored Critical or High by CVSS, making severity scoring alone useless as a prioritization signal

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

A critical CVE drops on a Tuesday morning. By Tuesday afternoon, proof-of-concept exploit code is publicly available. By Wednesday, threat actors are actively scanning for vulnerable infrastructure. Your change management system requires a two-week approval cycle, a rollback plan, a test environment validation, and a change advisory board sign-off.

This tension — between exploit timelines measured in hours and patch processes measured in weeks — is the most common vulnerability management failure mode. Organizations that have not pre-established an emergency patch track discover, under pressure, that they have no process for moving faster than normal change management allows.

This playbook covers the hour-by-hour decisions from CVE disclosure to patched or documented compensating controls. It does not replace your vulnerability management program — it gives your emergency track structure that can be executed without improvising.

Hours 0-2: Scope and exposure assessment

The most important action in the first two hours is understanding whether the vulnerability affects anything in your environment — not reading about it, not forwarding alerts, and not scheduling a meeting. Assess exposure first.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

Hours 2-6: Compensating controls while patches are prepared

The patch is unlikely to be deployed in the first 6 hours regardless of urgency. Compensating controls reduce your exposure during the gap between disclosure and remediation.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Hours 6-24: Emergency change process

Deploying a patch outside normal change management requires a pre-established emergency change track. Organizations that have not defined this track in advance face the choice between waiting for normal approval (days to weeks) or bypassing controls entirely (risky and undocumented). A pre-defined emergency track eliminates both risks.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

Hours 24-48: Patch deployed or exception documented

At the 48-hour mark, your organization should be in one of two documented states: patched and monitored, or in documented exception with compensating controls in place.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

The decision matrix: patch now vs. wait for testing

The most contested decision in emergency patching is whether to deploy immediately or wait for regression testing. Neither answer is universally correct — the decision is a function of exploitation timeline versus operational risk.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

The bottom line

The organizations that handle critical CVEs well are not the ones that patch the fastest — they are the ones with a pre-defined emergency change track that allows them to move faster than normal change management when exploitation timelines demand it, without bypassing controls or creating undocumented risk. An emergency patch track defined when there is no active CVE crisis is executed with discipline when one arrives. One defined under pressure while an active exploit is circulating produces inconsistent outcomes.

Frequently asked questions

What qualifies as a critical CVE that triggers emergency patching?

Operationally, a CVE warrants emergency patching when it meets two criteria: CVSS 9.0 or above (or equivalent severity scoring), and either confirmed exploitation in the wild (CISA KEV listing) or publicly available proof-of-concept exploit code for internet-exposed systems in your environment. CVSS score alone is insufficient — 61% of CVEs score High or Critical, but only a fraction are actively exploited. CISA KEV listing is the most reliable signal for actual exploitation.

What is CISA's Known Exploited Vulnerabilities catalog and how do I use it?

CISA's KEV catalog (cisa.gov/known-exploited-vulnerabilities-catalog) lists vulnerabilities with confirmed in-the-wild exploitation, with mandatory remediation deadlines for federal agencies and recommended timelines for all organizations. Checking a new critical CVE against KEV should be the first step in any emergency patch assessment. CISA updates the catalog regularly — subscribe to email notifications or use the KEV JSON feed to integrate into your vulnerability management platform.

How do I handle emergency patching for operational technology (OT) systems that can't be taken offline?

OT environments with availability constraints require pre-established compensating controls that can be applied without downtime: network segmentation to isolate affected systems from general IT networks, protocol filtering at the IT/OT boundary, and application whitelisting if the OT environment supports it. Document these compensating controls as the exception record for each OT system that cannot be patched on emergency timelines. Work with the OT vendor on their patch timeline and plan a maintenance window patch as soon as operationally feasible.

What is virtual patching and does it provide real protection?

Virtual patching uses WAF or IPS rules to block known exploit patterns for a vulnerability before a code-level patch is applied. It provides meaningful protection against known exploit signatures — the initial PoC code that attackers use at scale. It does not protect against novel bypass techniques that skilled attackers develop after initial public exploit code becomes available. Virtual patching is a valid short-term compensating control, not a substitute for an actual patch.

Sources & references

  1. When Attacks Come Faster Than Patches: Machine-Speed Security 2026
  2. CISA Known Exploited Vulnerabilities Catalog
  3. Vulnerability Statistics 2025: Record CVEs & Exploitation

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.