NEWS AI Now Writes Viruses. Here's Why 2025 Became a Cybersecurity Nightmare

ExcalibuR

In 2025, exploits are deployed into action almost immediately after disclosure.

Just recently, zero-day vulnerabilities seemed like exotic tools from the world of special operations and espionage. Now, they are a mass-market tool for hacking corporate networks, and not just because the number of attacks has increased. The main change is speed: sometimes only a few hours pass from the first signs of a vulnerability to its real-world exploitation.

This picture is painted in the ForeScout Vedere Labs 2025 H1 Threat Review report: according to its data, the number of attacks using zero-days has grown by 46% in just the first half of 2025. While security teams used to consider a gap of days between vulnerability disclosure and the appearance of exploits in the wild as normal, today this "buffer" has shrunk to hours, sometimes even less.

This growth doesn't look like a random spike. Experts link it to a "perfect storm": increasingly complex software, expanding supply chains, a growing number of dependencies, and accelerated attacks thanks to AI. Systems have become so complex that secure development can't keep up with the pace, and errors are becoming harder to spot during routine testing. Simultaneously, the commercial zero-day market has skyrocketed: vulnerabilities allowing privilege escalation, authentication bypass, or account compromise have become high-demand commodities. Criminal groups and state-affiliated buyers compete for such finds, especially when it comes to access to clouds, identity platforms, and industrial infrastructure.

AI has accelerated nearly the entire cycle: automated fuzzing, the search for exploitable bugs, and the generation of proof-of-concept code all shorten the time from discovery to operational use. What once required rare expertise is now more accessible and faster to complete, even for less experienced attackers.

The attack surface is growing relentlessly. More devices, more edge and IoT, more legacy systems—meaning more places to find a vulnerability. Attackers are increasingly looking beyond browsers and workstations, targeting "atypical" assets like IP cameras and industrial equipment. Such devices are convenient as hidden footholds for further lateral movement across a network, a scenario increasingly seen in ransomware attacks and targeted operations. Old components, like file systems, drivers, and network stacks, remain fertile ground for new discoveries. And geopolitical tensions are fueling demand for zero-days, as groups engaged in intelligence gathering have strong incentives to find and stockpile unknown vulnerabilities.

The tactics themselves are also changing. Targeted operations are increasingly giving way to "industrialized exploitation," where a zero-day is merely the starting key. Attackers then build a chain comprising supply chain compromise, credential theft, lateral movement, and privilege escalation. Instead of relying on a single flaw, they combine multiple vectors to more reliably achieve privileged access.

For defenders, this is unpleasant math. Some vulnerabilities begin to be exploited within hours of public disclosure, especially if they concern edge systems or popular devices. The window to install a patch or implement workarounds has almost vanished, and the familiar rhythm of "an update is released, we'll install it on schedule" no longer works. Meanwhile, the initial breach might take minutes, but the attacker's "dwell time" inside the network can stretch for months.

Defense must now operate on the assumption that exploitation of an unknown vulnerability could begin almost instantly. The emphasis is shifting to models like zero trust and compensating controls at the level of identities, endpoints, applications, and the network, which slow down an attacker even when a patch doesn't exist yet. Minimal privileges, segmentation, and continuous verification of accounts become more critical to prevent the spread of an attack. A shift is needed from "periodic" security practices to continuous ones, with a focus on containment, segmentation, and behavioral detection.

There is also good news: observability has improved in recent years. Telemetry is shared more often, and vulnerability disclosure processes and vendor reporting have matured. But this is not enough to compensate for the attackers' adaptation. The most dangerous blind spot is identities: exploiting a zero-day often looks like a legitimate login with real credentials. Without quality logging, behavioral baselines, and privilege control, attackers can remain invisible. Furthermore, blind spots persist in supply chains, firmware, unmanaged devices, and shadow SaaS services. IoT, edge, OT, and legacy systems are often poorly monitored and slow to update or not updated at all, allowing attacks to go unnoticed for a long time.

Taken together, all of this appears not as a short-term spike, but as a signal of changing rules. The old assumption that there is a comfortable reaction time between a vulnerability and its mass exploitation no longer holds. Organizations are now forced to build their defenses based on an uncomfortable premise: unknown vulnerabilities will be used, and the task of defense is not only to patch in time but also to prevent a breach from turning into a chain reaction.