Nine in ten firms slow to fix critical cyber vulnerabilities

Cyber risk analytics provider KYND, a specialist in identifying and assessing organisational cybersecurity vulnerabilities, has revealed that almost nine in ten firms exposed to cyber risks remain vulnerable for six months or longer.


The study analysed more than 2,000 organisations, including FTSE 350 and S&P 500 companies, and found that 11 per cent were exposed to actively exploited vulnerabilities. Of these, 88 per cent remained exposed for six months or more, leaving critical security weaknesses unaddressed despite available fixes.

KYND’s research highlighted risks across a wide range of critical infrastructure and enterprise software. Exposures were detected in web applications, widely used platforms such as Oracle, WordPress, and Apache, as well as networking hardware and secure communication protocols relied upon by businesses every day.

These findings point to widespread delays in maintenance and a persistent gap between detecting and remediating vulnerabilities.
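The study's headline numbers come from two measurements: the share of organisations with at least one actively exploited vulnerability exposed, and, among those, the share whose exposure lasted six months or longer. The following is an added example, not KYND's own code or methodology, showing how a defender could derive the same two figures from their own scan history; the `Finding` record, the organisation names, the CVE-style identifiers and the 180-day threshold are all constructed placeholders. It also contrasts a point-in-time snapshot with the full history, since a single snapshot can miss exposures that were open for months.

```python
"""Exposure-window analysis over vulnerability scan records (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

# "Six months or longer" from the study, approximated as 180 days (assumption).
SLOW_FIX_THRESHOLD_DAYS = 180


@dataclass(frozen=True)
class Finding:
    org: str
    cve: str                   # placeholder identifiers, not real CVEs
    first_seen: date           # first scan on which the finding appeared
    last_seen: date            # last scan on which it was still present
    actively_exploited: bool   # e.g. listed in a known-exploited catalogue


# Constructed scan history for four fictional organisations.
FINDINGS = [
    Finding("acme",     "CVE-0000-0001", date(2025, 1, 10), date(2025, 8, 15), True),
    Finding("acme",     "CVE-0000-0002", date(2025, 3, 1),  date(2025, 3, 20), False),
    Finding("globex",   "CVE-0000-0001", date(2025, 2, 1),  date(2025, 2, 28), True),
    Finding("initech",  "CVE-0000-0003", date(2025, 4, 1),  date(2025, 11, 1), True),
    Finding("umbrella", "CVE-0000-0004", date(2025, 5, 5),  date(2025, 6, 1),  False),
]


def exposure_days(f: Finding) -> int:
    """Number of days the finding was observed open."""
    return (f.last_seen - f.first_seen).days


def exposed_orgs(findings):
    """Organisations with at least one actively exploited finding at any time."""
    return {f.org for f in findings if f.actively_exploited}


def slow_to_fix_orgs(findings, threshold=SLOW_FIX_THRESHOLD_DAYS):
    """Organisations that left an actively exploited finding open >= threshold days."""
    return {f.org for f in findings
            if f.actively_exploited and exposure_days(f) >= threshold}


def exposure_summary(findings, threshold=SLOW_FIX_THRESHOLD_DAYS):
    """The two study-style ratios: share exposed, and share of those slow to fix."""
    all_orgs = {f.org for f in findings}
    exposed = exposed_orgs(findings)
    slow = slow_to_fix_orgs(findings, threshold)
    return {
        "orgs": len(all_orgs),
        "exposed_share": len(exposed) / len(all_orgs) if all_orgs else 0.0,
        "slow_share_of_exposed": len(slow) / len(exposed) if exposed else 0.0,
        "slow_orgs": sorted(slow),
    }


def longest_exploited_exposure(findings):
    """Longest actively exploited exposure per organisation, in days."""
    worst = defaultdict(int)
    for f in findings:
        if f.actively_exploited:
            worst[f.org] = max(worst[f.org], exposure_days(f))
    return dict(worst)


def snapshot_exposed_orgs(findings, as_of: date):
    """Organisations that a single scan on `as_of` would report as exposed."""
    return {f.org for f in findings
            if f.actively_exploited and f.first_seen <= as_of <= f.last_seen}


if __name__ == "__main__":
    print(exposure_summary(FINDINGS))
    print(longest_exploited_exposure(FINDINGS))
    # A single snapshot in mid-March sees only one of the three exposed firms.
    print(snapshot_exposed_orgs(FINDINGS, date(2025, 3, 15)))
```

With the constructed data, three of four organisations were exposed to an actively exploited finding and two of those three kept it open for more than 180 days, while a snapshot taken on 15 March 2025 would report only one exposed firm. Tracking `first_seen` across successive scans, rather than re-discovering each finding in isolation, is what makes the duration measurable.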

The most common vulnerability identified was remote code execution (RCE), accounting for 31 per cent of the top vulnerability types. RCE flaws allow attackers to execute malicious commands on a target system without physical access or valid credentials.

Recent incidents, such as the October 2025 Microsoft Windows Server Update Services flaw (CVE-2025-59287), illustrate the potential scale of these risks, enabling attackers to take full control of unpatched servers.

KYND Founder and CEO Andy Thomas said, “A company’s approach to patching tells you a lot about its approach to risk.

“As demand for cyber coverage continues to grow, cyber insurers are increasingly recognising that it’s not just the number of vulnerabilities that matters, but how quickly critical vulnerabilities are addressed. When exposure lasts for months, it’s rarely a one-off. It’s a behavioural signal that an organisation struggles with remediation in general.

“Across a portfolio, the same slow-to-fix firms remain persistently vulnerable, exposures stack up over time, and an insurer’s true risk can look very different from a point-in-time snapshot.”

Thomas added, “The Microsoft Windows Server incident prompted emergency updates from Microsoft and urgent advisories from CISA, highlighting how quickly threat actors can move when known weaknesses remain unaddressed.

“Such vulnerabilities can be exploited to steal data, deploy malware, or disrupt operations, turning preventable flaws into serious business risks.”

Copyright © 2025 FinTech Global