TIRESIS/Patch Window

Patch Window

How many days do you have before a published vulnerability becomes actively exploited? Measured from CVE publication to CISA KEV confirmation across 28 vulnerabilities.

Median patch window
8d
Half of exploited CVEs hit before this
Average patch window
43d
Mean across all KEV CVEs
Shortest observed
1d
0-day or near-0-day exploitation
CVEs measured
28
CISA KEV with full date data
Key insight

The median patch window is 8 days — but 14 CVEs were exploited within 7 days of publication. For internet-facing systems like VPN appliances and firewalls, you should assume a 3–7 day window from patch release to active exploitation.

Average Patch Window by Vendor
appleCRITICAL WINDOW
5 KEV
3d
googleCRITICAL WINDOW
4 KEV
4d
linuxSHORT WINDOW
3 KEV
17d
debianSHORT WINDOW
5 KEV
26d
microsoftMODERATE
6 KEV
39d
netappMODERATE
2 KEV
64d
kenticoEXTENDED
2 KEV
210d
Distribution of Exploitation Speed
0-7 days14 CVEs (50%)
8-30 days6 CVEs (21%)
31-90 days3 CVEs (11%)
91-365 days5 CVEs (18%)
Based on 28 CVEs confirmed in CISA KEV catalog. Patch window = days from NVD publication to KEV addition.
Recent KEV Additions — Patch Window
CVE IDPublishedKEV AddedPatch WindowSMB Score
CVE-2026-16032026-02-102026-03-0927dSHORT WINDOW76
CVE-2026-251082026-02-132026-02-2411dSHORT WINDOW80
CVE-2026-227692026-02-172026-02-181dCRITICAL WINDOW84
CVE-2026-24412026-02-132026-02-174dCRITICAL WINDOW75
CVE-2026-207002026-02-112026-02-121dCRITICAL WINDOW52
CVE-2025-155562026-02-032026-02-129dSHORT WINDOW70
CVE-2025-543132025-07-192026-01-22187dEXTENDED89
CVE-2025-583602025-11-252025-12-1116dSHORT WINDOW78
CVE-2025-666442025-12-052025-12-083dCRITICAL WINDOW61
CVE-2025-132232025-11-172025-11-192dCRITICAL WINDOW76
Cyber Weather →Active Targets →Forecast Accuracy →Methodology →