Rapid7 Reports Vulnerability Exploitation Surpasses Social Engineering in Q1 2026
Severity: High (Score: 67.5)
Sources: Markets.Ft, www.globenewswire.com, Stocktitan
Keywords: rapid7, threat, landscape, report, vulnerability, exploitation, social
Severity indicators: vulnerability
Summary
Rapid7's Q1 2026 Threat Landscape Report reveals that vulnerability exploitation has become the leading initial access vector, accounting for 38% of incident response cases. This marks a significant shift from social engineering, which accounted for 24%. The report highlights that half of the actively exploited vulnerabilities were zero-click, network-facing issues, allowing attackers direct access without user interaction. The median time from public disclosure to inclusion in CISA's Known Exploited Vulnerabilities (KEV) catalog decreased from 8.5 days to 5.0 days for high and critical vulnerabilities. SQL injection was identified as the most exploited vulnerability type, while fragmented ransomware activity was led by the Qilin group. The findings emphasize the growing role of AI in cyberattacks, compressing response times for defenders. Security teams are urged to prioritize rapid identification and remediation of exposed systems to mitigate risks. Overall, the report underscores the evolving threat landscape driven by AI and sophisticated exploitation methods.

Key Points:
- Vulnerability exploitation now accounts for 38% of incident response cases.
- Half of exploited vulnerabilities were zero-click, requiring no user interaction.
- Median time from disclosure to CISA KEV inclusion has decreased to 5 days.
Detailed Analysis
**Impact** Vulnerability exploitation accounted for 38% of incident response cases in Q1 2026, surpassing social engineering at 24% and compromised accounts at 14%. The affected sectors and geographies are not specified. The shrinking remediation window, with median time from public disclosure to CISA KEV inclusion reduced to 5.0 days, increases the risk of widespread operational disruption and data compromise. Fragmented ransomware activity, led by the Qilin group, and abuse of Remote Monitoring and Management tools (22.9% of threat activity) further contribute to potential business impacts.

**Technical Details** The primary attack vector is vulnerability exploitation, with half of actively exploited CVEs being zero-click, network-facing vulnerabilities requiring no authentication or user interaction. SQL injection is identified as the most exploited vulnerability type. The median time from vulnerability disclosure to CISA KEV catalog inclusion dropped from 8.5 to 5.0 days. Threat actors leverage AI to accelerate identification and weaponization of unpatched systems. Ransomware operations remain fragmented, with Qilin as a notable actor. No specific CVE numbers or IOCs are provided.

**Recommended Response** Prioritize rapid identification and remediation of high- and critical-severity vulnerabilities, especially zero-click, network-facing flaws. Implement continuous vulnerability scanning and patch management aligned with CISA KEV updates to reduce exposure time. Enhance monitoring for exploitation attempts targeting Remote Monitoring and Management tools and SQL injection vectors. Increase focus on threat intelligence to triage and prioritize alerts, given compressed exploitation timelines. No additional specific detection signatures or IOCs are provided.
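The prioritization recommended above can be written as a triage rule. The following is an added example, not taken from Rapid7's report: it runs on constructed records with placeholder CVE IDs, assumes each record carries a CVSS v3.1 vector, a publication date and a KEV listing date, and treats `AV:N/PR:N/UI:N` as the vector signature of a zero-click, network-facing flaw.

```python
from datetime import date
from statistics import median

# Constructed sample records (placeholder IDs, not real CVEs). "published" and
# "kev_added" stand in for an NVD publish date and a CISA KEV dateAdded value.
RECORDS = [
    {"cve": "CVE-0000-0001", "score": 9.8, "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
     "published": date(2026, 1, 5), "kev_added": date(2026, 1, 7)},
    {"cve": "CVE-0000-0002", "score": 8.8, "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
     "published": date(2026, 1, 10), "kev_added": date(2026, 1, 19)},
    {"cve": "CVE-0000-0003", "score": 7.5, "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
     "published": date(2026, 2, 1), "kev_added": date(2026, 2, 5)},
    {"cve": "CVE-0000-0004", "score": 9.1, "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
     "published": date(2026, 2, 20), "kev_added": None},
    {"cve": "CVE-0000-0005", "score": 7.8, "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
     "published": date(2026, 3, 1), "kev_added": None},
    {"cve": "CVE-0000-0006", "score": 5.3, "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
     "published": date(2026, 3, 3), "kev_added": date(2026, 3, 4)},
]

def metrics(vector):
    """Split a CVSS v3.x vector string into a {metric: value} dict."""
    return dict(part.split(":", 1) for part in vector.split("/")[1:])

def is_zero_click_network(vector):
    """Network-reachable, no privileges required, no user interaction."""
    m = metrics(vector)
    return (m.get("AV"), m.get("PR"), m.get("UI")) == ("N", "N", "N")

def median_kev_lag(records, min_score=7.0):
    """Median days from publication to KEV listing for high/critical entries."""
    lags = [(r["kev_added"] - r["published"]).days
            for r in records if r["kev_added"] and r["score"] >= min_score]
    return median(lags) if lags else None

def triage(records):
    """Patch order: KEV-listed first, then zero-click network-facing, then score."""
    ranked = sorted(records, reverse=True, key=lambda r: (
        r["kev_added"] is not None, is_zero_click_network(r["vector"]), r["score"]))
    return [r["cve"] for r in ranked]

if __name__ == "__main__":
    print("median KEV lag (days):", median_kev_lag(RECORDS))
    print("patch order:", triage(RECORDS))
```

Tracking the lag figure per quarter against an internal patch SLA shows whether remediation is keeping pace with the exploitation window the report describes.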
Source articles (3)
- Rapid7 Q1 2026 Threat Landscape Report Finds Vulnerability Exploitation Overtakes Social ... — Markets.Ft · 2026-05-21
  BOSTON, May 21, 2026 (GLOBE NEWSWIRE) -- Rapid7, Inc. (NASDAQ: RPD), a global leader in AI-powered managed cybersecurity operations, released its Q1 2026 Threat Landscape Report, examining trends in v…
- Tracker — www.globenewswire.com · 2026-05-22
  Explore keynotes, practitioner sessions, and expert discussions on preemptive security operations, MDR, AI, and cyber resilience from Rapid7’s 2026 summit. Rapid7 command platform Improve your securit…
- Rapid7 Q1 2026: vulnerability exploits lead 38% — Stocktitan · 2026-05-21
  Rapid7 (NASDAQ:RPD) released its Q1 2026 Threat Landscape Report, showing that vulnerability exploitation overtook social engineering as the top initial access vector, driving 38% of incident response…
Timeline
- 2026-05-21 — Rapid7 Q1 2026 Threat Landscape Report released: The report indicates vulnerability exploitation surpassed social engineering as the top access vector, highlighting AI's role in cyberattacks.
- 2026-05-21 — Key findings on zero-click vulnerabilities: The report found that 50% of actively exploited vulnerabilities were zero-click, allowing direct access to systems without user action.
- 2026-05-21 — Median time to KEV inclusion decreases: The median time from disclosure to CISA KEV inclusion for high and critical vulnerabilities fell from 8.5 days to 5.0 days.
Related entities
- Phishing (Attack Type)
- Ransomware (Attack Type)
- SQL Injection (Attack Type)
- CWE-89 - SQL Injection (CWE)
- rapid7.com (Domain)
- T1190 - Exploit Public-Facing Application (MITRE ATT&CK)
- T1566 - Phishing (MITRE ATT&CK)
- Qilin (Ransomware Group)