Between Two Nerds: What drives 0day mass exploitation
Oct 6, 2025
Experts discuss the alarming trend of mass exploitation of platforms like SharePoint and Exchange. They analyze Google's time-to-exploit metric, revealing a troubling shift towards zero-day exploits. Notably, they explore why many vulnerabilities exploited today are years old and argue that attackers prioritize targets that yield quick gains. The conversation highlights how the announcement of patches triggers rapid exploitation and the impact of better detection methods on perceived trends in cyber incidents. A must-listen for cybersecurity enthusiasts!
TTE Can Misrepresent Long-Term Risk
- Google's Time To Exploit (TTE) measures days between patch release and first observed exploitation, which can be negative if exploitation precedes a patch.
- The metric shows a shift from ~63 days to near zero, but that single first-exploit datapoint may mislead about long-term exploitation trends.
First-Seen ≠ Ongoing Prevalence
- First-seen exploitation is a single data point and does not indicate attack volume or longevity.
- A vulnerability with TTE near zero can still be exploited repeatedly for years afterward.
Detection Improvements Skew Trends
- Improved detection and collection bias can create apparent trends where none exist.
- Better telemetry makes recent vulnerabilities look more immediately exploited compared with older eras of poor visibility.
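To make the three points above concrete, here is an added worked example (not from the podcast or from Google's report) that computes a Google-style Time To Exploit over a small constructed dataset, puts it next to the exploitation longevity that a first-seen metric cannot show, and models collection bias by discarding observations from before telemetry existed. The vulnerability names, patch dates and observation dates are all invented for illustration.

```python
from datetime import date
from statistics import median

# Constructed sample data (not real CVEs or real observation dates): for each
# hypothetical vulnerability, the vendor patch date and every date on which
# exploitation was observed, in no particular order.
SAMPLE = {
    "VULN-A": {"patched": date(2021, 3, 2),
               "observed": [date(2023, 1, 10), date(2021, 2, 20),
                            date(2021, 3, 5), date(2024, 8, 1)]},
    "VULN-B": {"patched": date(2022, 6, 14),
               "observed": [date(2022, 8, 30)]},
    "VULN-C": {"patched": date(2023, 9, 12),
               "observed": [date(2023, 9, 12), date(2023, 9, 13)]},
}


def time_to_exploit(patched, observed):
    """Days from patch release to the FIRST observed exploitation.
    Negative when exploitation precedes the patch (a zero-day)."""
    return (min(observed) - patched).days


def exploitation_span(observed):
    """Days between first and last observed exploitation: the longevity
    that a single first-seen data point cannot express."""
    return (max(observed) - min(observed)).days


def summarize(records):
    """Per-vulnerability TTE next to its longevity and event count."""
    return {
        name: {
            "tte_days": time_to_exploit(rec["patched"], rec["observed"]),
            "span_days": exploitation_span(rec["observed"]),
            "events": len(rec["observed"]),
        }
        for name, rec in records.items()
    }


def median_tte(records):
    """The headline number a TTE report would publish."""
    return median(s["tte_days"] for s in summarize(records).values())


def with_visibility_from(records, first_visible):
    """Model collection bias: drop observations from before telemetry
    existed. Vulnerabilities with no remaining observations disappear."""
    out = {}
    for name, rec in records.items():
        kept = [d for d in rec["observed"] if d >= first_visible]
        if kept:
            out[name] = {"patched": rec["patched"], "observed": kept}
    return out


if __name__ == "__main__":
    for name, s in summarize(SAMPLE).items():
        print(f"{name}: TTE={s['tte_days']:+d}d, "
              f"active span={s['span_days']}d, events={s['events']}")
    print("median TTE, full visibility:", median_tte(SAMPLE))
    # Pretend our sensors only came online on VULN-A's patch day.
    limited = with_visibility_from(SAMPLE, date(2021, 3, 2))
    print("median TTE, late telemetry:", median_tte(limited))
```

Running it shows VULN-A with a TTE of -10 days (a zero-day) yet more than three years of observed activity, while VULN-C has a TTE of 0 and was seen on only two days; the median TTE across the set is 0. Once pre-telemetry observations are dropped, VULN-A's first-seen date moves after the patch and its TTE becomes +3, so the same underlying activity now looks like an n-day rather than a zero-day, which is the visibility effect the third snip describes.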