Critical vulnerabilities doubled in past year: report
IT security teams are being stretched thin by the volume of critical vulnerabilities, new research released by Check Point Software Technologies suggests.
The company’s 2026 Exposure Gap Report found that critical vulnerabilities have more than doubled over the past year, but fewer than one in 12 are urgent enough to demand immediate action. With automation and AI-assisted attack tools reshaping the scale and shape of exposure, the distance between visibility, prioritisation and safe remediation is widening while the window between discovery of an exposure and its impact is shortening, the research found.
Close to half (42.6%) of all critical exposures evaluated for the report were vulnerabilities, making it the single largest category of exposure in 2026, up from just 18.7% in the prior year. Combined with internal information disclosure, these two categories made up 76% of all critical exposures. But only 7.8% of vulnerability alerts warranted critical or high attention after exploitability validation, the report found.
Besides vulnerabilities, phishing websites grew from just 1% to 10.5% of critical exposures, making this one of the fastest-growing exposure types.
The research also found that organisations acted on 85.9% of recommended fixes across the industries analysed, which demonstrates that exposures are being closed at scale when prioritisation and response workflows are in place.
Check Point Software Technologies VP of Exposure Management Yochai Corem said the findings show that attackers are testing more exposures at greater speed than security professionals can manually keep pace with.
“The organisations that stay ahead are the ones that can quickly separate the small set of genuinely exploitable risks from the noise, then remediate them safely without disrupting operations,” he said. “That is what exposure management delivers, and it is fast becoming a core measure of operational readiness,” he said.
BeyondTrust launches beta solution for taming AI agents
BeyondTrust's in-beta AI Agent Security is designed to prevent AI coworkers and autonomous...
DigiCert launches Quantum Central tool
DigiCert's recently launched Quantum Central solution can help security and IT teams prepare...
Guest accounts a major threat to IT environments: report
Kaseya's 2026 SaaS Security Report found that SMBs are leaving themselves exposed to attack...
