SecurityBrief UK - Technology news for CISOs & cybersecurity decision-makers

KYND: big firms leave critical cyber flaws unpatched

Thu, 22nd Jan 2026

Nearly nine in ten large organisations that face actively exploited security vulnerabilities leave those weaknesses unpatched for six months or longer, according to a study by cyber risk analytics provider KYND.

The firm analysed more than 2,000 organisations, including members of the FTSE 350 and the S&P 500. It found that 11 per cent had exposure to vulnerabilities that attackers already exploit in real-world incidents. Among that group, 88 per cent remained exposed for six months or more despite fixes being available.

KYND described actively exploited cyber risks as vulnerabilities or weaknesses that attackers currently use in live attacks. The company said its analysts identified exposure across a broad range of commonly used technologies.

Software exposure

KYND said it found risks affecting critical infrastructure and enterprise software. It reported exposure in web applications and in widely used platforms, including Oracle, WordPress and Apache. It also cited networking hardware and secure communication protocols that many businesses use day to day.

The company linked the findings to delays in maintenance and patching. It also pointed to a gap, seen across many organisations, between identifying a weakness and fixing it.

Insurance focus

KYND said the speed of remediation and patch management practice has taken on more importance in cyber insurance assessments. The firm said insurers increasingly look beyond counts of known vulnerabilities when they evaluate risk.

"A company's approach to patching tells you a lot about its approach to risk," said Andy Thomas, Chief Executive Officer and Founder, KYND.

"As demand for cyber coverage continues to grow, cyber insurers are increasingly recognising that it's not just the number of vulnerabilities that matters, but how quickly critical vulnerabilities are addressed. When exposure lasts for months, it's rarely a one-off - it's a behavioural signal that an organisation struggles with remediation in general," said Thomas.

"Across a portfolio, the same slow-to-fix firms remain persistently vulnerable, exposures stack up over time, and the insurer's true risk can look very different from a point-in-time snapshot," said Thomas.

KYND's study focused on vulnerabilities that researchers and authorities have already linked to active exploitation. The company said prolonged exposure to that category of weakness raises the likelihood of material incidents.
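The two headline figures in the study (the share of organisations exposed to a catalogue-listed, actively exploited CVE, and the share of those whose longest exposure window reaches the six-month threshold) can be reproduced for any portfolio from scan findings. The example below is added here and is not KYND's code or data: the catalogue, organisation names, dates and the CVE-0000-* identifiers are constructed placeholders, while CVE-2025-59287 is the WSUS flaw named in the article.

```python
from datetime import date
from typing import NamedTuple, Optional

# Constructed stand-in for a known-exploited catalogue (e.g. a KEV-style feed).
# CVE-2025-59287 is the WSUS flaw cited in the article; the others are placeholders.
KNOWN_EXPLOITED = {"CVE-2025-59287", "CVE-0000-00001", "CVE-0000-00002"}

SIX_MONTHS = 180  # days; the article's "six months or longer" threshold


class Finding(NamedTuple):
    org: str
    cve: str
    fix_available: date           # date a vendor fix became available
    remediated: Optional[date]    # None if still exposed at the assessment date


def exposure_days(f: Finding, as_of: date) -> int:
    """Days from fix availability to remediation, or to the assessment date if still open."""
    end = f.remediated or as_of
    return max(0, (end - f.fix_available).days)


def assess_portfolio(findings, as_of):
    """Longest exposure window per organisation, counting only actively exploited CVEs."""
    worst = {}
    for f in findings:
        if f.cve not in KNOWN_EXPLOITED:
            continue  # out of the study's scope: not linked to active exploitation
        worst[f.org] = max(worst.get(f.org, 0), exposure_days(f, as_of))
    return worst


def summarise(findings, all_orgs, as_of):
    """Share of organisations exposed at all, and share of those exposed for >= six months."""
    worst = assess_portfolio(findings, as_of)
    exposed = len(worst)
    slow = sum(1 for d in worst.values() if d >= SIX_MONTHS)
    return {"orgs": len(all_orgs), "exposed_to_exploited": exposed,
            "exposed_share": exposed / len(all_orgs),
            "slow_share_of_exposed": slow / exposed if exposed else 0.0}


# Constructed sample portfolio; all dates are made up for illustration.
AS_OF = date(2026, 1, 22)
ORGS = ["acme-bank", "globex", "initech", "umbrella"]
FINDINGS = [
    Finding("acme-bank", "CVE-2025-59287", date(2025, 10, 23), None),             # open, 91 days
    Finding("globex", "CVE-0000-00001", date(2025, 3, 1), None),                  # open, 327 days
    Finding("globex", "CVE-0000-00002", date(2025, 6, 1), date(2025, 7, 1)),      # fixed in 30 days
    Finding("initech", "CVE-0000-00001", date(2025, 5, 1), date(2025, 12, 15)),   # fixed after 228 days
    Finding("umbrella", "CVE-0000-09999", date(2025, 1, 1), None),                # not in catalogue
]
```

Running `summarise(FINDINGS, ORGS, AS_OF)` on the constructed data reports three of four organisations exposed, with two of those three past the six-month mark.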

Top vulnerability

KYND said remote code execution was the most prevalent vulnerability class in its analysis. It accounted for 31 per cent of the top vulnerability types it assessed. The firm described remote code execution as a flaw that allows attackers to run malicious commands on a target system without physical access or valid credentials.

KYND pointed to a recent example involving Microsoft Windows Server Update Services. In October 2025, a critical flaw tracked as CVE-2025-59287 was exploited, which KYND said enabled attackers to gain full control of unpatched servers.

"The Microsoft Windows server incident prompted emergency updates from Microsoft and urgent advisories from CISA, highlighting how quickly threat actors can move when known weaknesses remain unaddressed.

"Such vulnerabilities can be exploited to steal data, deploy malware, or disrupt operations - turning preventable flaws into serious business risks," said Thomas.

KYND is based in London and has offices in Portugal and the US. The company said its work centres on analysing cyber risk exposure and monitoring changes over time for organisations in insurance and financial services markets.

The findings add detail to a long-running concern in cyber security that organisations struggle with patching, even when vendors publish updates. KYND said insurers and risk teams increasingly treat remediation speed as a signal of operational discipline and cyber resilience.