Wednesday 14 October 16:30 - 17:00, Red room
Kerstin Zettl-Schabath & Kritika Roy (Deutsche Cyber-Sicherheitsorganisation (DCSO))
Revelations about proliferating exploit kits, such as the Coruna kit (a commercially available iOS exploit framework), indicate that zero-day exploits are no longer as exclusive as they once seemed – rather, an increasingly broad range of threat actors can access and leverage them for their own purposes. Furthermore, once a former zero-day vulnerability is publicly disclosed, an even larger set of opportunistic actors move rapidly to (mass-)exploit it, effectively compressing the window for detection, patching, and verification of compromise available to defenders. This paper terms that window the "exploitation-remediation gap".
This gap can arise through various pathways, involving both state-affiliated and criminal actors acting as either first movers or followers. In our first case study, a WinRAR vulnerability (CVE-2023-38831) had already been silently exploited by criminal actors for months before its public disclosure in August 2023. Within hours of the public disclosure and release of the proof of concept (PoC), (mass-)exploitation expanded to include multiple state-affiliated groups. In contrast, in January 2026 Russian state-sponsored threat group APT28 weaponized a newly disclosed Microsoft Office vulnerability (CVE-2026-21509) within 24 hours of its public disclosure to target European government entities, demonstrating the group's increasingly advanced n-day weaponization capabilities. In a third case study, Storm-1175, a financially motivated ransomware affiliate, built its entire operational model around systematically targeting the window between vulnerability disclosure and patch adoption, in some cases moving from initial access to ransomware deployment within 24 hours. Notably, both sophisticated state-affiliated actors and criminal groups can operate at the same pace, making the exploitation-remediation gap a target-agnostic challenge and creating immediate pressure on defenders regardless of sector or organizational size. Critically, this gap carries a dual burden for defenders: they must simultaneously hunt retrospectively for pre-disclosure actors (Wave 1) who may have already completed their intrusions silently, and respond concurrently to post-disclosure mass-exploitation activity (Wave 2) that may still be active in their systems.
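The two-wave framing above translates directly into defender bookkeeping: for each vulnerability, how far back must telemetry be searched for Wave 1, how long has the disclosure-to-patch gap been open, and which of several open cases should be hunted and remediated first. The following Python is an added illustration, not code from the paper; the CVE identifiers come from the abstract, but all dates, detection timestamps and the assessment time are constructed.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple


@dataclass
class VulnTimeline:
    cve: str
    first_seen_itw: datetime           # earliest known in-the-wild exploitation
    disclosed: datetime                # public disclosure (PoC assumed public the same day)
    patch_applied: Optional[datetime]  # None: still unpatched in our estate


def split_waves(tl: VulnTimeline, events: List[datetime]) -> Tuple[List[datetime], List[datetime]]:
    """Partition observed exploitation attempts at the disclosure timestamp.
    Wave 1 (before disclosure) calls for a retrospective hunt for intrusions that
    may already be complete; Wave 2 (after) is mass exploitation still to contain."""
    wave1 = [e for e in events if e < tl.disclosed]
    wave2 = [e for e in events if e >= tl.disclosed]
    return wave1, wave2


def hunt_lookback_days(tl: VulnTimeline) -> int:
    """How far back telemetry must reach to cover the silent pre-disclosure phase."""
    return (tl.disclosed - tl.first_seen_itw).days


def remediation_gap_days(tl: VulnTimeline, now: datetime) -> int:
    """Exploitation-remediation gap: disclosure until our patch landed (or until now)."""
    return ((tl.patch_applied or now) - tl.disclosed).days


def prioritize(timelines: List[VulnTimeline], now: datetime) -> List[VulnTimeline]:
    """Rank work: unpatched first, then longest open gap, then longest hunt look-back."""
    return sorted(timelines, key=lambda tl: (tl.patch_applied is not None,
                                             -remediation_gap_days(tl, now),
                                             -hunt_lookback_days(tl)))


# Constructed sample data: CVE IDs are from the abstract, every date is illustrative.
NOW = datetime(2026, 2, 15)
WINRAR = VulnTimeline("CVE-2023-38831", datetime(2023, 4, 1), datetime(2023, 8, 23),
                      datetime(2023, 9, 4))
# No pre-disclosure exploitation known, so first_seen_itw equals the disclosure date.
OFFICE = VulnTimeline("CVE-2026-21509", datetime(2026, 1, 26), datetime(2026, 1, 26), None)
# Constructed EDR detections of the WinRAR exploit on our own hosts.
WINRAR_EVENTS = [datetime(2023, 6, 12), datetime(2023, 8, 24), datetime(2023, 8, 25)]

if __name__ == "__main__":
    w1, w2 = split_waves(WINRAR, WINRAR_EVENTS)
    print(f"{WINRAR.cve}: wave1={len(w1)} wave2={len(w2)} "
          f"lookback={hunt_lookback_days(WINRAR)}d gap={remediation_gap_days(WINRAR, NOW)}d")
    print([tl.cve for tl in prioritize([WINRAR, OFFICE], NOW)])
```

The single pre-disclosure detection in the WinRAR data is the Wave-1 signal: a patch applied in September closes the remediation gap but does not answer whether the June intrusion was ever fully scoped.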
Technological innovations, such as increasingly automated PoC creation with the help of generative AI, further accelerate this compression. Consequently, the immediate period following a vulnerability’s disclosure and, ideally, the release of a patch is far more critical than in the past. This intensifies the pressure on software vendors to deliver timely, comprehensive, and effective patches (or at least hotfixes), and on affected organizations to apply them promptly, even in complex IT or operational technology (OT) environments.
For attackers, the declining exclusivity of vulnerabilities, especially in their pre-disclosure phase, increases operational risks and costs. Exploits lose strategic value, the likelihood of detection rises due to others’ activity, and misattribution can trigger serious legal or diplomatic repercussions.
The paper examines a shift in two long-standing assumptions: that zero-day exploits are limited to well-resourced nation-state actors, and that patching largely contains post-disclosure risk by forcing attackers to develop exploits from scratch. As zero-days become less exclusive and newly disclosed vulnerabilities are rapidly exploited by both state-affiliated and criminal actors, organizations face growing challenges in vulnerability management. Unpatched, unsupported edge devices remain common entry points, while intensified zero-day activity before and after disclosure complicates attribution and response. This dynamic increases pressure on vendors to release faster patches, raising the risk of incomplete fixes and creating downstream challenges for organizations, particularly in complex environments such as OT, where patch deployment is constrained and high-risk.
The paper’s primary contribution is analytical, framing these trends through the concept of the exploitation-remediation gap, while also reflecting on broader implications, including the convergence of state-linked and criminal actors and the potential role of democratic states in sustaining this ecosystem through vulnerability acquisition and stockpiling. By presenting timely case studies from both pre- and post-disclosure phases, it also provides defenders and vulnerability management practitioners with a framework for prioritizing detection, threat hunting, and remediation during the critical window between disclosure and organizational recovery.
Kerstin Zettl-Schabath
Dr Kerstin Zettl-Schabath works as a senior cyber threat intelligence analyst at the German Cyber Security Organization (DCSO) in Berlin, where she analyses cyber threats, particularly from a geopolitical and strategic perspective. Previously, she helped establish the international research project "European Repository of Cyber Incidents" (EuRepoC) at Heidelberg University and led the coding team until 2025. During her Ph.D., she developed a theoretical model to compare autocratic and democratic cyber proxies using the EuRepoC dataset. She regularly delivers keynotes and participates in panels at cybersecurity events.
Kritika Roy
Kritika Roy is a senior threat intelligence researcher at Deutsche Cyber-Sicherheitsorganisation (DCSO) in Berlin. She is also a 2025-2026 Virtual Routes European Cybersecurity Fellow, a former Practice fellow at the Hertie Center for International Security, and a former delegate at the Indo-German Young Leader Forum. Her research covers a wide range of cybersecurity issues, including the study of threat activity, operational tactics and global implications. Before joining DCSO, Kritika worked as a research analyst at the Manohar Parrikar Institute for Defence Studies and Analysis as well as at the Centre for Land Warfare Studies in India.