With Microsoft releasing its largest-ever Patch Tuesday update in June, and the continuing debate over the impact of artificial intelligence (AI) and Anthropic’s Claude Mythos model, new analysis from US-based autonomous patch management and endpoint protection experts Action1 has warned that vulnerability growth and structural shifts are outrunning the ability of traditional, schedule-driven enterprise patching strategies to keep pace.
Action1’s 2026 software vulnerability ratings report revealed that in 2025 – well before the debut of Claude Mythos – the total number of disclosed vulnerabilities surged by 92% compared with 2024, with critical and elevation of privilege (EoP) vulnerabilities doubling in volume, and remote code execution (RCE) flaws rising by almost 130%.
Put more simply, said Action1, the fastest growth is occurring in vulnerability classes that most easily and readily expose businesses to real-world compromises, cyber attacks, data breaches and other forms of disruption.
The firm described this as a “warning shot” for enterprise security leaders, pointing to a broader shift in the threat landscape in which threat actors are taking advantage of newly disclosed flaws faster than any human cyber team can remediate them, and shrinking response windows to hours in some cases.
“2025 marked a turning point in cyber security operations,” said Jack Bicer, director of vulnerability research at Action1. “Attackers are now using AI and automation to accelerate vulnerability discovery and exploitation faster than most organisations can respond. Many enterprises are still patching on human schedules while attackers operate at machine speed.”
Action1’s CEO and co-founder, Alex Vovk, added: “The threat landscape is no longer just bigger – it’s faster, more automated, and harder to detect. Patching speed is no longer simply an IT metric. It’s now a business resilience metric.”
In short, the report said, those organisations that rely on manual patching processes, infrequent scan cycles, or delayed maintenance windows are now falling behind operationally.
The need to introduce continuous vulnerability management and remediation workflows that are capable of reducing exposure windows across the most frequently attacked targets, such as business applications, network infrastructure, operating systems and security tools, is now critical, said Action1.
“The volume and speed of the 2025 threat environment make it clear that any process still dependent on human scheduling and manual deployment will fail to keep up. Automation is not just an efficiency improvement. It is a survival requirement,” wrote the report’s authors.
Next steps for identifying and patching vulnerabilities
As an immediate first step, Action1 said CISOs and security leaders need to audit how quickly they are patching business-critical software. Delaying patches for business applications and other platforms to avoid disrupting or inconveniencing users is now a measurable business risk. Patching must be aligned with the threat environment, not with the convenience of finance, HR or sales teams.
Beyond this, the most pressing priority is automating vulnerability management in response, especially in organisations that handle the most sensitive categories of data, such as education and healthcare bodies, or that operate critical services, such as utilities and power suppliers.
In these organisations, the ability to deploy urgent updates automatically and without having to wait for maintenance windows should now be adopted as the standard model, but beyond this, automation should also be pushed across patch testing, verification and deployment.
Chief information security officers (CISOs) should prioritise vulnerabilities based on risk to the organisation, taking advantage of known metrics, such as common vulnerability scoring system (CVSS) ratings, or known exploitation to focus their efforts – integrating threat intelligence is key here. And clear metrics for mean time to remediate (MTTR) by severity tier should be made a core benchmark.
But this does not mean that low-risk vulnerabilities are necessarily taking a back seat. Indeed, said the report, security leaders should also update vulnerability prioritisation models to account for attack chaining, in which multiple low-severity issues are combined into a more damaging attack, enabling EoP or lateral movement. Patching service level agreements (SLAs) for low-severity flaws needs to be reassessed to see whether current remediation timelines are still appropriate, said Action1.
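As an added illustration that is not part of the Action1 report or this article, the Python sketch below applies the prioritisation rules just described to a set of constructed findings: a CVSS-derived severity tier, promotion to critical for known-exploited flaws, a one-tier uplift for low or medium EoP flaws that share a host with another finding (the attack-chaining case), MTTR per tier, and detection of findings that have breached their tier's SLA. The `Finding` schema, the tier thresholds, the SLA hours and the `VULN-n` ids are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean

TIERS = ["low", "medium", "high", "critical"]
SLA_HOURS = {"critical": 24, "high": 72, "medium": 168, "low": 720}  # assumed SLAs, not from the report

@dataclass
class Finding:
    vid: str          # constructed placeholder id, not a real CVE
    host: str
    cvss: float
    exploited: bool   # listed in a known-exploited feed
    eop: bool         # elevation-of-privilege class
    disclosed: datetime
    fixed: datetime = None  # None while still open

def cvss_tier(score):
    # CVSS base score to tier: >=9 critical, >=7 high, >=4 medium, else low.
    return next(t for s, t in ((9.0, "critical"), (7.0, "high"), (4.0, "medium"), (0.0, "low")) if score >= s)

def effective_tier(f, findings):
    # Exploited => critical; a low/medium EoP flaw sharing a host with another finding goes up one tier (chaining).
    if f.exploited:
        return "critical"
    tier = cvss_tier(f.cvss)
    if f.eop and tier in ("low", "medium") and any(g is not f and g.host == f.host for g in findings):
        tier = TIERS[TIERS.index(tier) + 1]
    return tier

def mttr_by_tier(findings):
    # Mean hours from disclosure to fix for remediated findings, keyed by effective tier.
    hours = {}
    for f in findings:
        if f.fixed:
            hours.setdefault(effective_tier(f, findings), []).append((f.fixed - f.disclosed).total_seconds() / 3600)
    return {t: round(mean(h), 1) for t, h in hours.items()}

def sla_breaches(findings, now):
    # Open findings whose age exceeds the SLA for their effective tier.
    return sorted(f.vid for f in findings
                  if f.fixed is None and now - f.disclosed > timedelta(hours=SLA_HOURS[effective_tier(f, findings)]))

T0 = datetime(2025, 6, 10)  # constructed sample: everything disclosed at T0
SAMPLE = [
    Finding("VULN-1", "web01", 9.8, True, False, T0, T0 + timedelta(hours=12)),
    Finding("VULN-2", "web01", 5.5, False, True, T0),   # medium EoP sharing a host with VULN-1
    Finding("VULN-3", "db01", 3.1, False, False, T0, T0 + timedelta(hours=48)),
    Finding("VULN-4", "hr01", 6.5, True, False, T0),    # known exploited, so critical
]
```

Calling `sla_breaches(SAMPLE, now)` four days after disclosure flags both the exploited flaw and the chained EoP flaw, while `mttr_by_tier(SAMPLE)` gives the per-tier benchmark the report asks for.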