The US Cybersecurity and Infrastructure Security Agency (CISA) frequently updates its list of Known Exploited Vulnerabilities (KEV). Not all of these CVEs are new. Among five recent additions to the list, at least one – an unauthenticated remote code execution flaw – was first discovered in 2017. It’s understandable if these additions flew under your radar, coinciding as they did with the discovery of zero-day exploits against Oracle’s E-Business Suite, Cisco IOS/IOS XE, and VMware Aria Operations and Tools.
Zero days pose a dangerous threat. However, the reality is that they usually account for far fewer real-world attacks than many assume. In fact, the biggest threats are often the old vulnerabilities – those flaws in software we all use that have gone undiscovered and unpatched for years.
Why attackers favour older, known vulnerabilities
CISA’s KEV catalogue provides intelligence on vulnerabilities used in the wild and mandates patching deadlines that apply to federal and government organisations. It also helps businesses prioritise their vulnerability management efforts.
As of 10 October 2025, 196 vulnerabilities have been added to the KEV catalogue this year. Interestingly, only 110 are from 2025, meaning 43% of the vulnerabilities seen in the wild by CISA are from previous years. This is not an isolated trend; the same pattern was observed last year, too.
So, why are attackers using these old vulnerabilities? Simply put, it’s much easier and still offers the best return on investment. Zero-day exploits are expensive and time-consuming to develop, and the average cybercriminal doesn’t want to put in that level of effort.
Meanwhile, researchers often revisit older, known flaws and publish proofs of concept or exploit code, which criminals can simply reuse. They gain the same rewards as exploiting a zero-day, but with far less effort. For example, attackers favour the ProxyLogon flaws because the software is widespread, the exploit is reliable, and unpatched versions continue to be found in organisations’ networks.
Modern defences have made it harder to exploit purely technical flaws, but older vulnerabilities are often safer to attack and less likely to be properly managed by organisations. The uncomfortable truth that businesses need to address is that attackers are likely to exploit a vulnerability which should have already been patched. So, how can companies correct this problem?
Keep your security strategy simple
Many organisations have a flawed strategy; they focus their attention on the latest zero-day attack while overlooking the fundamentals and neglecting basic cyber hygiene.
First and foremost, CISOs must treat the KEV catalogue as their immediate patching priority. That’s precisely what it’s for – a list of vulnerabilities being actively exploited in the wild right now.
Next, they should focus on building the foundations of effective cybersecurity management. This includes strong asset management, regular vulnerability scanning, and secure configurations. These may not be the most exciting aspects of security, but they are what keep an organisation truly safe.
A strong patching process must additionally balance service uptime with security risk. Systems critical to an organisation’s operations are too important to leave unpatched.
Finally, it’s important that teams can quickly and effectively patch vulnerabilities. This is where cyber simulations become essential. They provide an opportunity to test and evaluate the effectiveness of a company’s security controls and vulnerability management processes, revealing weaknesses before real attackers can exploit them.
Furthermore, applying untested patches can lead to outages or unforeseen consequences; therefore, cyber simulations help technical teams develop their skills in identifying and remediating vulnerabilities without risking live systems.
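To make the KEV-first patching step and the asset-management step above concrete, here is an added example (my own, not the author's or CISA's code) that reads a feed in the shape of CISA's published KEV JSON (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json), reports what share of a year's additions are older CVEs, and orders the entries that match an asset inventory by their CISA due date. The feed records and the inventory are constructed samples, and the field names are assumed to match the live feed.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed; the entries are
# illustrative, not real catalogue records.
KEV_FEED = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2017-0001", "vendorProject": "ExampleVendor", "product": "ExampleApp",
     "dateAdded": "2025-10-06", "dueDate": "2025-10-27", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2025-0002", "vendorProject": "ExampleVendor", "product": "ExampleSuite",
     "dateAdded": "2025-10-06", "dueDate": "2025-10-27", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2021-0003", "vendorProject": "OtherVendor", "product": "Gateway",
     "dateAdded": "2025-09-30", "dueDate": "2025-10-21", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2024-0004", "vendorProject": "OtherVendor", "product": "Agent",
     "dateAdded": "2024-11-15", "dueDate": "2024-12-06", "knownRansomwareCampaignUse": "Known"},
]})

# Constructed asset inventory: which KEV-listed products this organisation runs.
INVENTORY = [
    {"host": "mail-01", "vendorProject": "ExampleVendor", "product": "ExampleApp"},
    {"host": "vpn-01", "vendorProject": "OtherVendor", "product": "Gateway"},
]

def cve_year(cve_id):
    """Year embedded in the CVE identifier, e.g. CVE-2017-0001 -> 2017."""
    return int(cve_id.split("-")[1])

def share_of_older_cves(feed_json, year):
    """Fraction of entries added to KEV in `year` whose CVE predates that year,
    i.e. the article's 'how many of this year's additions are old flaws' figure."""
    added = [v for v in json.loads(feed_json)["vulnerabilities"]
             if v["dateAdded"].startswith(str(year))]
    older = [v for v in added if cve_year(v["cveID"]) < year]
    return len(older) / len(added) if added else 0.0

def kev_patch_queue(feed_json, inventory, today):
    """KEV entries matching the inventory, ordered by urgency: already overdue
    first, then soonest due date, then ransomware-linked entries before others."""
    deployed = {(a["vendorProject"], a["product"]) for a in inventory}
    hits = [v for v in json.loads(feed_json)["vulnerabilities"]
            if (v["vendorProject"], v["product"]) in deployed]
    def urgency(v):
        due = date.fromisoformat(v["dueDate"])
        return (due >= today, due, v["knownRansomwareCampaignUse"] != "Known")
    return [v["cveID"] for v in sorted(hits, key=urgency)]

if __name__ == "__main__":
    print(f"{share_of_older_cves(KEV_FEED, 2025):.0%} of 2025 additions predate 2025")
    print("patch next:", kev_patch_queue(KEV_FEED, INVENTORY, date(2025, 10, 10)))
```

Against the live feed, replace KEV_FEED with the downloaded JSON text and INVENTORY with output from your asset management system; the ordering logic is unchanged.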
Prioritise the vulnerabilities that put the business at risk
Ultimately, it doesn’t matter whether it’s a new zero-day exploit or an old, known CVE. Organisations must be able to identify the vulnerabilities that pose the greatest risk to their systems and prioritise patching.
With a simple but effective vulnerability management strategy, supported by regular cyber simulations, security teams can quickly patch their highest-risk vulnerabilities before they lead to a devastating breach.
Ben McCarthy is the lead cybersecurity engineer at Immersive