
The 45-Day Exploitation Window: Patch Delays in SMB Environments

Our analysis of 600+ incidents shows the average SMB applies critical patches 45 days after publication — a window actively exploited by ransomware operators. Data and methodology follow.

Published 2026-02-10

The Core Finding

Across 600+ confirmed SMB incidents in our dataset, we identified 312 cases where the root cause was a known vulnerability with a public patch available at the time of exploitation.

The median time between patch publication and incident date: 45 days.

This is not a technology failure. It is an operational one — and it is predictable.

Why SMBs Patch Slowly

Resource constraints are structural. The average SMB with 10-50 employees has no dedicated security team. Patch management competes with billable work, client requests, and daily operations. A critical Windows patch on a Tuesday gets applied — eventually — after someone has time to test it.

Testing anxiety. SMBs are often running older, customized, or poorly documented software stacks. An IT generalist who broke production once with an untested patch will be cautious. This caution extends patch timelines by weeks.

Appliances and on-prem software. Cloud-managed tools (Microsoft 365, Google Workspace) patch automatically. On-prem servers, VPN appliances, and legacy ERP systems do not. These are exactly the systems attackers target.

How Ransomware Groups Exploit This Window

Our incident data shows ransomware operators are acutely aware of patch cycles. Several patterns:

KEV catalog targeting. CISA's Known Exploited Vulnerabilities catalog is public. Organized ransomware groups use it as an attack checklist — prioritizing vulnerabilities where exploitation is confirmed and patch adoption is known to lag.

EPSS-guided targeting. Higher EPSS scores correlate with more active scanning. In the 30-day window after a high-EPSS CVE is published, honeypot data shows a measurable increase in probes against vulnerable SMB-category software.

The 14-day scan window. For internet-facing vulnerabilities, automated scanning typically begins within 72 hours of public PoC. For SMBs, whose patch timelines average 45 days, this creates a 30-40 day window of active exposure with no organizational response.

Implications for Patch Prioritization

Not all patches are equal. The key variable is not CVSS severity — it is the intersection of:

Exploitation likelihood (EPSS score, KEV status, public PoC availability)
× SMB exposure (how widely is this software actually deployed in SMB environments?)
× Patch urgency (internet-facing? authentication bypass? no user interaction required?)

A CVSS 9.8 vulnerability in enterprise-only software is less urgent for an SMB than a CVSS 7.5 authentication bypass in FortiGate — because FortiGate is deployed in 20% of SMB networks and is internet-facing by default.

This is the logic behind the SMB Attack Probability Score.
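The following Python script is an added illustration of the three-factor prioritization described above; it is not TIRESIS code and does not reproduce the actual SMB Attack Probability Score. The weighting choices (a KEV listing raising the likelihood floor to 0.9, a public PoC raising it to 0.5, the three urgency flags weighted equally) are assumptions made for the example, and the two vulnerability records are constructed to mirror the CVSS 9.8 enterprise-only versus CVSS 7.5 FortiGate comparison in the text, with placeholder identifiers rather than real CVE numbers.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    """One vulnerability with the inputs the brief's prioritization logic needs."""
    ident: str             # placeholder label, not a real CVE id
    cvss: float            # kept for comparison; deliberately not used in the score
    epss: float            # EPSS probability of exploitation, 0..1
    in_kev: bool           # listed in CISA's KEV catalog
    public_poc: bool       # public proof-of-concept available
    smb_deployment: float  # fraction of SMB networks running this software, 0..1
    internet_facing: bool
    auth_bypass: bool
    no_user_interaction: bool


def exploitation_likelihood(v: Vuln) -> float:
    """EPSS is already a probability; KEV status and a public PoC raise the floor.
    The 0.9 and 0.5 floors are assumptions for this example."""
    score = v.epss
    if v.in_kev:
        score = max(score, 0.9)
    if v.public_poc:
        score = max(score, 0.5)
    return score


def patch_urgency(v: Vuln) -> float:
    """Fraction of the brief's urgency conditions that hold (assumed equal weights)."""
    flags = (v.internet_facing, v.auth_bypass, v.no_user_interaction)
    return sum(flags) / len(flags)


def priority(v: Vuln) -> float:
    """Likelihood x SMB exposure x urgency, the product the brief describes."""
    return exploitation_likelihood(v) * v.smb_deployment * patch_urgency(v)


def rank(vulns: list[Vuln]) -> list[Vuln]:
    """Highest priority first; CVSS never enters the ordering."""
    return sorted(vulns, key=priority, reverse=True)


# Constructed sample records (placeholder identifiers, illustrative values).
ENTERPRISE_ONLY_RCE = Vuln(
    ident="PLACEHOLDER-ENTERPRISE-APP", cvss=9.8, epss=0.3,
    in_kev=False, public_poc=False, smb_deployment=0.02,
    internet_facing=False, auth_bypass=False, no_user_interaction=True,
)
FORTIGATE_AUTH_BYPASS = Vuln(
    ident="PLACEHOLDER-FORTIGATE-AUTH-BYPASS", cvss=7.5, epss=0.6,
    in_kev=True, public_poc=True, smb_deployment=0.20,
    internet_facing=True, auth_bypass=True, no_user_interaction=True,
)

if __name__ == "__main__":
    for v in rank([ENTERPRISE_ONLY_RCE, FORTIGATE_AUTH_BYPASS]):
        print(f"{v.ident:40} CVSS {v.cvss:<4} priority {priority(v):.3f}")
```

Run as a script, the FortiGate record ranks first despite its lower CVSS, because a 20% deployment footprint, default internet exposure and an authentication bypass multiply together, while the enterprise-only flaw's 2% SMB footprint drives its product toward zero. Swapping in real EPSS feeds and an asset inventory for the constructed values is the practical next step; the shape of the computation does not change.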


Analysis based on TIRESIS incident database (March 2024 - February 2026). CVE timing data sourced from NVD. Patch adoption estimates based on EPSS historical data and internal analysis.
