When a system vulnerability is made public, the clock starts ticking — and it may only have 24 hours left to run. Fortinet's *2026 Global Threat Landscape Report* finds that AI-accelerated reconnaissance, weaponization, and attack execution have compressed the Time-to-Exploit (TTE) window from what was once measured in days or weeks down to between 24 and 48 hours. In some cases, active exploitation was detected within hours of a vulnerability's initial disclosure. For organizations still operating on traditional patch schedules, that window may close before their security teams have even started.
Vulnerabilities Are Now Inventory, Not Isolated Incidents
Fortinet recorded approximately 121.99 billion exploitation attempts globally in 2025, a 25% increase from the previous year. Of 635 vulnerabilities observed being actively exploited, 53.86% already had publicly available proof-of-concept (PoC) code, and 31.18% had fully functional exploit code in circulation. The pattern is telling: attackers are less reliant on novel zero-day discoveries than on rapidly packaging known flaws, public tools, and automated workflows into repeatable, deployable attack kits.
Fortinet describes vulnerabilities as having shifted from isolated security events into tradable "inventory" on underground markets. FortiRecon dark web intelligence identified 656 CVEs being discussed on dark web forums in 2025. Of those, 344 (52.44%) had publicly available PoC code, 176 (26.83%) had working exploit code, and 149 had both. Once a vulnerability enters that ecosystem, the operative question for any organization is no longer whether an attack is theoretically possible — it is how quickly adversaries can commoditize and deploy it at scale.
That speed dynamic is now central to enterprise security strategy. While organizations once scheduled patches by risk rating, system criticality, and maintenance windows, AI-assisted reconnaissance has fundamentally altered the playing field. Attackers can rapidly determine which organizations are exposed online, which software versions they run, and which specific vulnerabilities are ready to activate — often before corporate patch cycles have even begun.
The report notes that initial exploitation signals for several major 2025 incidents appeared on the same day as, or the day after, public disclosure. Fortinet specifically highlighted the React2Shell vulnerability, where active exploitation attempts were detected within hours of its release — a clear illustration of how narrow the defensive window has become.
Ransomware Victims Surge 389%; Manufacturing Leads the Count
Faster vulnerability weaponization has directly driven ransomware activity upward. Fortinet's FortiRecon platform identified 7,831 ransomware victims globally in 2025, compared with roughly 1,600 the year prior — a 389% year-on-year increase. Manufacturing was the hardest-hit sector, accounting for 1,284 incidents, followed by business services at 824 and retail at 682. Geographically, the United States recorded 3,381 cases, Canada 374, and Germany 291.
The concentration of ransomware attacks on manufacturing is not coincidental. The sector's structural characteristics — multi-site and multinational supply chains, the coexistence of operational technology (OT) and IT systems, and high remote-access requirements — create a broad and difficult-to-defend attack surface. Once attackers gain initial access, they can move beyond data theft to disrupt scheduling, production, logistics, and supply chain coordination.
The stakes are particularly acute for Taiwan. The island's semiconductor foundries, electronics contract manufacturers, server producers, component suppliers, and industrial computing firms are deeply embedded in global supply chains. A successful ransomware attack on any one of them could propagate disruption outward to customers, partners, and downstream industries worldwide.
Fortinet characterizes ransomware as having matured into a systematic production model. Attackers no longer pursue one-off breaches; instead, they leverage reusable vulnerabilities, stolen credentials, modular tools, and persistent infrastructure to continuously generate new victims and monetization opportunities. Ransomware, the report concludes, has evolved from an opportunistic nuisance into a highly economized, process-driven criminal enterprise.
AI Tools Lower the Entry Bar; Criminal Services Go Modular
Fortinet also documented a growing volume of AI-powered attack tools being sold as services across dark web forums and encrypted messaging platforms. Products marketed under names such as WormGPT, FraudGPT, HexStrike AI, APEX AI, and BruteForceAI are advertised for phishing generation, automated reconnaissance, attack path planning, and brute-force attacks that mimic human behavior.
According to the report, these tools do not necessarily create new attack surfaces. What they do is compress the time it takes for attackers to validate and exploit existing ones — widening the speed gap between offense and defense.
The implication for organizations is significant: security programs can no longer focus exclusively on defending against sophisticated, nation-state-level actors. As criminal toolkits democratize offensive capabilities, even low-skilled attackers can now execute credible reconnaissance, phishing campaigns, credential abuse, and vulnerability exploitation. The result is a broader attack surface and a higher frequency of attempts across the board.
What Organizations Must Do to Close the Window
Fortinet recommends that organizations fundamentally reframe their defensive posture — shifting from simply patching known vulnerabilities to actively compressing the overall attack window. In practical terms, that means maintaining real-time visibility into external exposure, prioritizing remediation for vulnerabilities that already have publicly available exploit code, strengthening identity verification and access controls, and reducing detection, containment, and recovery times.
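An added example (not from Fortinet's report or tooling) of the prioritization described above: open findings are ranked against a deadline counted from public disclosure, tightened when exploit code is public and the asset is internet-facing. The deadline values, the doubling for internal-only assets, the field names and the sample findings are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed patch deadlines in hours after public disclosure, by exploit maturity.
# 24 and 48 mirror the Time-to-Exploit window cited above; 168 is illustrative.
SLA_HOURS = {"exploit": 24, "poc": 48, "none": 168}
RANK = {"exploit": 0, "poc": 1, "none": 2}

@dataclass
class Finding:
    cve: str               # placeholder ID, not a real CVE
    asset: str
    internet_facing: bool
    maturity: str          # "exploit" = working exploit, "poc", or "none"
    disclosed: datetime

def deadline(f):
    hours = SLA_HOURS[f.maturity]
    if not f.internet_facing:
        hours *= 2         # assumption: internal-only assets get twice the time
    return f.disclosed + timedelta(hours=hours)

def triage(findings, now):
    """Return (finding, hours_left) pairs, most urgent first."""
    rows = [(f, (deadline(f) - now).total_seconds() / 3600) for f in findings]
    return sorted(rows, key=lambda r: (r[1], RANK[r[0].maturity]))

def overdue(findings, now):
    """CVE IDs whose deadline has already passed."""
    return [f.cve for f, left in triage(findings, now) if left <= 0]

def _utc(day, hour):
    return datetime(2026, 1, day, hour, tzinfo=timezone.utc)

# Constructed sample data (hypothetical assets and identifiers).
NOW = _utc(10, 12)
SAMPLE = [
    Finding("CVE-EXAMPLE-0001", "vpn-gateway", True, "exploit", _utc(9, 18)),
    Finding("CVE-EXAMPLE-0002", "web-portal", True, "poc", _utc(8, 6)),
    Finding("CVE-EXAMPLE-0003", "hr-database", False, "exploit", _utc(9, 0)),
    Finding("CVE-EXAMPLE-0004", "build-server", False, "none", _utc(5, 0)),
]

if __name__ == "__main__":
    for f, left in triage(SAMPLE, NOW):
        state = "OVERDUE" if left <= 0 else f"{left:.0f}h left"
        print(f"{f.cve:18} {f.asset:13} {f.maturity:8} {state}")
```

In this sample the internet-facing finding with only a public PoC is already past its deadline, while the internal finding with a working exploit still has time left: exposure and time since disclosure matter as much as the exploit-maturity label.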
When a disclosed vulnerability can be weaponized within 24 hours, the competitive edge for security teams is no longer purely technical depth. It is the ability to move faster than the attacker.