The first quarter of 2026 saw a continued surge in software vulnerabilities being discovered, published, and exploited. Most of the coverage is written for security teams. This briefing is written for the people who run the businesses those security teams are supposed to be protecting.
A vulnerability is a flaw in software that an attacker can use to break in. An exploit is the tool that lets them do it. Every piece of software your business runs, from Windows and Office to your web browser and email client, has vulnerabilities being discovered constantly. Here is what the last three months looked like.
The total volume of published vulnerabilities continues rising, with Q1 2026 tracking higher than the same period in 2025. AI-assisted discovery is accelerating the pace, meaning both security researchers and attackers are finding flaws faster than ever. Industry estimates put the 2026 annual total at 31,000 to 34,000 new vulnerabilities, the highest on record.
The median time for an attacker to weaponise a vulnerability and start exploiting it is now under 5 days. That is the time between a flaw being published and active attacks beginning. If your business takes weeks or months to apply updates, you are operating with the doors open. Only 34% of businesses have a policy to patch within 14 days.
Vulnerability attacks grew 149% year-on-year against financial services, 220% against insurance, 167% against manufacturing, and 168% against healthcare. These are not niche targets. If your business uses Microsoft 365, a web application, or cloud accounting software, you are running software that has known vulnerabilities right now.
The most commonly detected exploits in Q1 2026 target flaws in Microsoft Office's Equation Editor from 2017 and 2018. These are not new attacks. They work because businesses have not updated their software. Roughly 25% of actively exploited vulnerabilities date back to 2024 or earlier. Attackers do not need new tricks when old ones still work.
[Stat panel: new CVEs disclosed daily; share rated high or critical; share with exploit code but no detection rules; median days to exploit (figures not shown)]
Not every vulnerability matters equally. These are the specific flaws that Q1 2026 threat intelligence shows being actively used in real attacks, and what they mean in plain language for business owners.
The three most commonly detected exploits in Q1 2026 all target Microsoft Office. Two of them are from 2017 and 2018. They target a component called the Equation Editor, which most people have never knowingly used, but which ships with every copy of Office.
These exploits are delivered as email attachments. A staff member opens what looks like a normal Word document or Excel spreadsheet, and the exploit runs silently in the background, downloading malware or giving the attacker remote control of the machine.
The fix is straightforward: keep Office updated. But the government survey shows only 34% of businesses have a policy to patch within 14 days, and the reality on the ground is often worse.
| ID | YEAR | WHAT IT DOES | RISK |
|---|---|---|---|
| CVE-2018-0802 | 2018 | Runs attacker code via Office Equation Editor | CRITICAL |
| CVE-2017-11882 | 2017 | Same component, different entry point | CRITICAL |
| CVE-2017-0199 | 2017 | Office/WordPad gives attacker system control | CRITICAL |
Q1 2026 saw a new exploit chain targeting Windows systems. Three vulnerabilities were chained together: a flaw in the Internet Explorer rendering engine (still present in Windows for legacy compatibility), combined with two archive-handling bugs that allow files to be extracted to unintended locations.
The practical impact: an attacker sends a file that appears harmless. When opened, it silently bypasses the security checks Windows is supposed to apply to files downloaded from the internet, then runs malicious code. The entry point is often a phishing email with a .lnk (shortcut) file attached.
The number of Windows users encountering exploits has been trending upward since Q1 2025. Linux-based exploit attempts have surged even more dramatically, with Q4 2025 seeing a doubling compared to the previous quarter, driven by the growing number of internet-connected Linux devices.
[Chart: Windows exploit detections, quarterly trend]
Trend direction is clearly upward. Each quarter brings more exploit attempts against standard Windows business systems.
Attackers are increasingly using archive files (.zip, .rar, .7z, .iso) to deliver malicious payloads. Two specific vulnerability types dominated Q1 2026:
When you unzip a file, the archive tells your computer where to put the contents. A directory traversal vulnerability lets the attacker specify a path outside the intended folder, placing malicious files anywhere on your system. This can overwrite critical system files or drop an executable into your startup folder, so it runs every time the machine boots.
Windows normally tags files downloaded from the internet with a "Mark of the Web" flag, which triggers security warnings when you try to open them. ISO, IMG, and certain archive formats can bypass this check entirely, meaning the file opens without any warning, as if it were a trusted local file. Attackers package their payloads inside these formats specifically to avoid the safety prompt.
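The directory traversal check described above, shown as an added example (not code from this briefing or from 313SEC): a small Python extractor that refuses any archive entry whose path would land outside the destination folder, and reports what it refused instead of silently renaming it. The sample archive, its entry names and the folder paths are all constructed for illustration; the "startup folder" entry mirrors the scenario in the paragraph.

```python
"""Safe archive extraction: refuse entries that would escape the destination folder."""
import io
import tempfile
import zipfile
from pathlib import Path, PurePosixPath, PureWindowsPath


def is_unsafe_member(name: str) -> bool:
    """True if an archive entry name could place a file outside the extraction folder.

    Archives built on Windows may use backslashes, so both separators are
    normalised before checking for absolute paths, drive letters and '..' segments.
    """
    normalised = name.replace("\\", "/")
    if not normalised or normalised.startswith("/"):
        return True
    # Drive-letter ('C:/...') or UNC ('//server/share') paths are absolute on Windows.
    win = PureWindowsPath(normalised)
    if win.drive or win.is_absolute():
        return True
    return ".." in PurePosixPath(normalised).parts


def safe_extract(data: bytes, dest: str) -> list[str]:
    """Extract only members that stay inside dest; return the names that were refused."""
    dest_root = Path(dest).resolve()
    rejected: list[str] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if is_unsafe_member(info.filename):
                rejected.append(info.filename)
                continue
            target = (dest_root / info.filename).resolve()
            # Second check on the resolved path in case normalisation missed something.
            if target != dest_root and dest_root not in target.parents:
                rejected.append(info.filename)
                continue
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))
    return rejected


def build_sample_archive() -> bytes:
    """Constructed sample: one benign entry and three traversal attempts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice/Q1-2026.pdf", b"benign content")
        # Attempts to climb out of the destination: startup folder, hosts file, drive root.
        zf.writestr("../../Users/Public/Start Menu/Programs/Startup/update.exe", b"MZ")
        zf.writestr("..\\..\\Windows\\System32\\drivers\\etc\\hosts", b"0.0.0.0 example.invalid")
        zf.writestr("C:/Windows/Temp/payload.dll", b"MZ")
    return buf.getvalue()


def demo() -> tuple[list[str], list[str]]:
    """Extract the sample archive into a temporary folder; return (rejected, extracted)."""
    with tempfile.TemporaryDirectory() as tmp:
        rejected = safe_extract(build_sample_archive(), tmp)
        extracted = sorted(
            p.relative_to(tmp).as_posix() for p in Path(tmp).rglob("*") if p.is_file()
        )
    return rejected, extracted


if __name__ == "__main__":
    rejected, extracted = demo()
    print("refused:", rejected)
    print("extracted:", extracted)
```

Python's own `ZipFile.extract` already strips `..` and drive letters, but it does so silently; the point of the explicit check is that a refused entry is a signal worth logging, because a legitimate archive has no reason to contain one. The check covers zip entry names only; tar-style archives can also carry symlink members, which need a separate check.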
Networking hardware accounted for 20% of all known exploited vulnerabilities in Q1 2026, and that number is expected to climb. Routers, firewalls, VPN appliances, and network-attached storage devices often run outdated firmware, rarely get patched, and sit exposed on the internet by design.
For a business with 10 staff, the router sitting in the corner of the office is a genuine attack surface. If it has not been updated since it was installed, it almost certainly has known vulnerabilities that an attacker can find with a single automated scan.
Once inside a network device, attackers have a position of enormous privilege. They can intercept traffic, redirect DNS, capture credentials, and pivot into every device on the network, all without triggering endpoint security tools that only monitor individual computers.
You do not need to understand CVE numbers or exploit frameworks. You need to understand the five things that actually reduce your exposure, and then do them. Here they are, in order of impact.
Keeping software updated is the single most effective thing you can do. Enable automatic updates for Windows, macOS, Office, your web browser, and any cloud software you use. The vulnerabilities being exploited right now have patches available. The problem is that businesses are not applying them.
The government survey shows only 34% of businesses have a policy to patch within 14 days. That means two-thirds of businesses are leaving known doors open for weeks or months. With a median time-to-exploit of under 5 days, that gap is where breaches happen.
Log into your router's admin panel (the address is usually printed on the device itself). Check for firmware updates. If the router is more than five years old, seriously consider replacing it. Network equipment accounted for 20% of actively exploited vulnerabilities this quarter.
While you are there: change the default admin password if you have not already. A frightening number of business routers are still running factory credentials. Also check whether remote management is enabled. If you do not know what it is, turn it off.
The top three exploits in Q1 2026 all target Microsoft Office. Disabling macros by default across your organisation eliminates the most common payload delivery mechanism. In Microsoft 365 Admin Centre, you can enforce this as policy so individual users cannot override it.
If specific teams genuinely need macros (finance teams using complex spreadsheets, for example), create a narrow exception for those specific files from trusted locations, rather than leaving macros enabled for everyone.
Configure your email platform to block or quarantine attachments with the following extensions: .iso, .img, .lnk, .exe, .scr, .bat, .cmd, .js, .vbs, .hta. These are the file types being used to deliver exploits in Q1 2026. Legitimate business communication almost never requires them.
For archive files (.zip, .rar, .7z), consider requiring password-protected archives to be held for manual review, as they cannot be scanned by automated tools, which is exactly why attackers use them.
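A filter implementing the attachment policy in the two paragraphs above, as an added example (not code from this briefing or from 313SEC). It judges an attachment by its final extension so that a double extension such as "invoice.pdf.exe" is caught, looks inside plain .zip files for blocked file types, and holds password-protected archives for manual review by checking the ZIP encryption flag. The sample attachments are constructed inline; the "password-protected" sample only has its encryption flag set (nothing is actually encrypted), and .rar/.7z attachments are held rather than inspected because the standard library cannot read them, which is a choice made for this example.

```python
"""Email attachment policy: block risky extensions, inspect zips, hold what cannot be scanned."""
import io
import struct
import zipfile

# Extensions from the briefing's block list, plus the archive types it discusses.
BLOCKED_EXTENSIONS = {".iso", ".img", ".lnk", ".exe", ".scr", ".bat", ".cmd", ".js", ".vbs", ".hta"}
ARCHIVE_EXTENSIONS = {".zip", ".rar", ".7z"}


def extension_of(filename: str) -> str:
    """Final suffix only, lower-cased: 'invoice.pdf.exe' is judged by '.exe', not '.pdf'."""
    name = filename.replace("\\", "/").rsplit("/", 1)[-1].strip().lower()
    dot = name.rfind(".")
    return name[dot:] if dot > 0 else ""


def classify_attachment(filename: str, data: bytes) -> tuple[str, str]:
    """Return (verdict, reason) where verdict is 'block', 'hold' (manual review) or 'allow'."""
    ext = extension_of(filename)
    if ext in BLOCKED_EXTENSIONS:
        return "block", f"extension {ext} is on the block list"
    if ext in ARCHIVE_EXTENSIONS:
        if ext != ".zip":
            # Example choice: formats this code cannot open go to a person.
            return "hold", f"{ext} archives are not inspected here"
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                infos = zf.infolist()
        except zipfile.BadZipFile:
            return "hold", "archive could not be parsed"
        # General-purpose flag bit 0 marks an encrypted (password-protected) member.
        if any(info.flag_bits & 0x1 for info in infos):
            return "hold", "password-protected archive cannot be scanned"
        for info in infos:
            inner = extension_of(info.filename)
            if inner in BLOCKED_EXTENSIONS:
                return "block", f"archive contains {info.filename}"
            if inner in ARCHIVE_EXTENSIONS:
                return "hold", f"archive contains nested archive {info.filename}"
        return "allow", "archive contents are plain files"
    return "allow", "extension not covered by policy"


def _set_encrypted_flag(data: bytes) -> bytes:
    """Constructed sample helper: set the 'encrypted' flag bit in every ZIP header.

    Local file headers keep the flag at offset 6 from their signature, central
    directory headers at offset 8. Contents are left as they are; this only
    emulates the marker a real password-protected archive carries.
    """
    out = bytearray(data)
    for sig, offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = out.find(sig)
        while pos != -1:
            flags = struct.unpack_from("<H", out, pos + offset)[0]
            struct.pack_into("<H", out, pos + offset, flags | 0x1)
            pos = out.find(sig, pos + 4)
    return bytes(out)


def build_zip(entries: dict[str, bytes], mark_encrypted: bool = False) -> bytes:
    """Build an in-memory zip from constructed entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    data = buf.getvalue()
    return _set_encrypted_flag(data) if mark_encrypted else data


def sample_mailbox() -> list[tuple[str, bytes]]:
    """Constructed attachments covering each branch of the policy."""
    return [
        ("Q1-report.pdf", b"%PDF-1.7 sample"),
        ("invoice.pdf.exe", b"MZ"),
        ("delivery_notice.lnk", b"L\x00\x00\x00"),
        ("scans.zip", build_zip({"page1.png": b"\x89PNG sample"})),
        ("shipping.zip", build_zip({"label.pdf.lnk": b"L\x00\x00\x00"})),
        ("secure-docs.zip", build_zip({"contract.docx": b"word/document.xml"}, mark_encrypted=True)),
        ("archive.7z", b"7z\xbc\xaf\x27\x1c"),
    ]


def run_policy() -> dict[str, str]:
    """Apply the policy to the sample mailbox; return filename -> verdict."""
    return {name: classify_attachment(name, data)[0] for name, data in sample_mailbox()}


if __name__ == "__main__":
    for name, data in sample_mailbox():
        verdict, reason = classify_attachment(name, data)
        print(f"{verdict:5}  {name:22}  {reason}")
```

The verdicts are deliberately three-way: "hold" keeps a human in the loop for anything the filter cannot see into, which is the control the paragraph above recommends for password-protected archives.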
You cannot fix what you do not know about. An external vulnerability scan checks your internet-facing systems (website, email server, VPN, remote desktop) for known flaws. It takes minutes, not days, and gives you a concrete list of what needs fixing, ranked by severity.
313SEC runs external exposure assessments as a standalone service. No commitment, no ongoing contract required. You get a report showing what an attacker would see if they scanned your business today, with clear, prioritised recommendations on what to fix first.
AI is now being used both to discover vulnerabilities and to exploit them. The Q1 2026 data shows the early effects, and the trajectory is clear.
AI agents are now being used to scan code for vulnerabilities, generate exploit code, and automate attack workflows. Early 2026 saw reports of AI tools being used to compress what used to take a skilled attacker weeks into hours. This is not theoretical. It happened in documented incidents against government agencies, where AI tools automated reconnaissance, scripting, and payload delivery.
The practical effect for business owners: the barrier to entry for attackers is dropping. Attacks that used to require specialist knowledge can now be partially automated. The volume and sophistication of attacks will continue to increase.
On the defensive side, AI is accelerating the rate at which security researchers find flaws before attackers do. This is one reason CVE volumes are climbing: more flaws are being found and disclosed, which means more patches are available if businesses apply them.
The Q1 2026 data also shows 121 CVEs with direct AI relevance, covering flaws in AI tools and frameworks themselves. As businesses adopt AI tools, they are adding new attack surface that most do not even know exists.
The government survey found 31% of businesses are using or exploring AI, but only 24% of those have any cyber processes for AI risk. That gap is a ticking clock.
313SEC runs external vulnerability assessments, patch management guidance, and ongoing exposure monitoring for businesses who want to know what attackers can see before it becomes a problem.
If anything in this briefing raised a question, drop your details below. No sales script, no auto-sequence. Just a real reply from a real person within a working day or two.