Firms leave cyber vulnerabilities unpatched for months, study shows | Insurance Business
New research sheds light on hidden challenges in corporate cyber space

Almost nine in 10 major companies exposed to actively exploited cyber vulnerabilities remain at risk for six months or more, despite available fixes, according to a new study by cyber risk analytics provider KYND.
The analysis examined more than 2,000 organizations, including companies from the FTSE 350 and S&P 500. Researchers found that 11% were exposed to actively exploited vulnerabilities, that is, security weaknesses currently being leveraged in real-world attacks. Of those exposed, 88% remained vulnerable for at least six months.
KYND’s analysts identified risks affecting critical infrastructure and enterprise software. Exposure spanned web applications and widely used platforms such as Oracle, WordPress, and Apache, as well as networking hardware and secure communication protocols that businesses rely on daily. The findings point to widespread delays in essential maintenance and a persistent gap between detection and remediation of vulnerabilities.
The study focused on vulnerabilities known to be actively exploited. The most prevalent type was remote code execution, accounting for 31% of top vulnerabilities. This flaw allows attackers to run malicious commands on a system without physical access or valid credentials.
Recent incidents highlight the scale of this risk. In October 2025, a critical flaw in Microsoft Windows Server Update Services was exploited, enabling attackers to gain full control of unpatched servers. The event prompted emergency updates from Microsoft and urgent advisories from the Cybersecurity and Infrastructure Security Agency.
Andy Thomas, KYND’s chief executive officer and founder, said leaving cyber risks unaddressed can have serious consequences beyond IT security.
As insurers refine pricing and risk assessment models, remediation speed and patch management are becoming key indicators of an organization’s overall cyber resilience.
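The two figures the study reports (share of organizations exposed to actively exploited vulnerabilities, and share of those exposed for six months or more) and the remediation-speed indicator mentioned above can be computed from ordinary vulnerability-scan findings joined against a catalogue of actively exploited CVEs. The script below is an added illustration, not KYND's methodology or code; the CVE identifiers, organization names, dates and the 180-day threshold are all constructed for the example.

```python
"""Exposure-window metrics for actively exploited vulnerabilities.

Added example (not from the study or the article). All identifiers and
dates below are constructed; the catalogue is a stand-in for a real list
of actively exploited CVEs, not an excerpt of one.
"""
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

# Constructed stand-in catalogue of actively exploited CVEs (hypothetical IDs).
ACTIVELY_EXPLOITED: Set[str] = {"CVE-0000-1111", "CVE-0000-2222"}

# Constructed scan findings: (organization, CVE, first seen, remediated or None).
Finding = Tuple[str, str, date, Optional[date]]
FINDINGS: List[Finding] = [
    ("org-a", "CVE-0000-1111", date(2025, 1, 10), date(2025, 8, 20)),  # fixed after 222 days
    ("org-a", "CVE-0000-3333", date(2025, 2, 1), date(2025, 2, 5)),    # not in the catalogue
    ("org-b", "CVE-0000-2222", date(2025, 3, 1), None),                # still open
    ("org-c", "CVE-0000-3333", date(2025, 4, 1), None),                # open, but not exploited
    ("org-d", "CVE-0000-1111", date(2025, 5, 1), date(2025, 6, 1)),    # fixed after 31 days
]

# Population under study; org-e had no findings at all.
ORGS: List[str] = ["org-a", "org-b", "org-c", "org-d", "org-e"]

AS_OF = date(2025, 10, 31)      # constructed reporting date for still-open findings
LONG_EXPOSURE_DAYS = 180        # "six months or more" threshold used here


def exposure_days(first_seen: date, remediated: Optional[date], as_of: date = AS_OF) -> int:
    """Days a finding was (or has been) open; open findings are measured up to as_of."""
    end = remediated if remediated is not None else as_of
    return (end - first_seen).days


def max_exposure_by_org(findings: List[Finding], catalogue: Set[str],
                        as_of: date = AS_OF) -> Dict[str, int]:
    """Longest window each organization was exposed to a catalogued CVE.

    Organizations with no catalogued finding are absent from the result,
    so len() of the result is the count of exposed organizations.
    """
    longest: Dict[str, int] = {}
    for org, cve, first_seen, remediated in findings:
        if cve not in catalogue:
            continue  # only actively exploited CVEs count as exposure here
        days = exposure_days(first_seen, remediated, as_of)
        longest[org] = max(longest.get(org, 0), days)
    return longest


def summarize(findings: List[Finding], catalogue: Set[str], orgs: List[str],
              as_of: date = AS_OF, threshold: int = LONG_EXPOSURE_DAYS) -> Dict[str, float]:
    """Population-level figures in the shape the study reports them."""
    exposed = max_exposure_by_org(findings, catalogue, as_of)
    n_exposed = len(exposed)
    n_long = sum(1 for d in exposed.values() if d >= threshold)
    return {
        "orgs": len(orgs),
        "exposed": n_exposed,
        "exposed_pct": round(100.0 * n_exposed / len(orgs), 1),
        "long_exposure": n_long,
        "long_exposure_pct_of_exposed": round(100.0 * n_long / n_exposed, 1) if n_exposed else 0.0,
    }


if __name__ == "__main__":
    for org, days in sorted(max_exposure_by_org(FINDINGS, ACTIVELY_EXPLOITED).items()):
        flag = "LONG" if days >= LONG_EXPOSURE_DAYS else "ok"
        print(f"{org}: longest exposure {days} days [{flag}]")
    print(summarize(FINDINGS, ACTIVELY_EXPLOITED, ORGS))
```

Measuring exposure per organization by its longest open window, rather than per finding, matches how the article frames the result: one catalogued CVE left open for months is enough to put the whole organization in the "exposed for six months or more" bucket, which is the behavioural signal the quotes below describe.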
“A company’s approach to patching tells you a lot about its approach to risk,” Thomas said. “As demand for cyber coverage continues to grow, cyber insurers are increasingly recognising that it’s not just the number of vulnerabilities that matters, but how quickly critical vulnerabilities are addressed.”
Thomas added that prolonged exposure is rarely an isolated incident. “When exposure lasts for months, it’s rarely a one-off; it’s a behavioural signal that an organization struggles with remediation in general,” he said. “Such vulnerabilities can be exploited to steal data, deploy malware, or disrupt operations, turning preventable flaws into serious business risks.”