For years, cybersecurity professionals have treated vulnerability management as an insular IT operational metric—measured by patch cycles, ticket queues, and scan counts. But a new, data-driven report from Moody's Ratings elevates software vulnerabilities to where they ultimately belong: a material factor in enterprise creditworthiness and organizational resilience.
The report, titled "Risks posed by unpatched software flaws vary by industry and region," analyzes two years of telemetry across roughly 9,500 global issuers. Its conclusions provide a sobering look at how operating context, geography, and structural constraints collide to create an unequal landscape of risk. In an era where AI-accelerated threats shrink the window to exploit to mere hours, the report confirms that corporate perimeter hygiene is lagging behind.
"AI tools are increasingly proficient at uncovering previously unknown bugs, even in software that has undergone extensive security testing. With the accelerated pace of software bug discoveries, corporate cybersecurity teams are struggling to keep up," said Leroy Terrelonge, VP and Cyber Credit Risk Officer at Moody's Ratings. "While the average time from public disclosure to first exploitation fell to 44 days in 2025, the median time required for Moody's-rated issuers to remediate top priority vulnerabilities—those that have been exploited by malicious actors to launch ransomware attacks (ransom KEVs)—over the past two years is roughly 59 days, or nearly two months. For entities targeted with AI-assisted zero-day exploits, that window compresses even further to zero."
The report's baseline telemetry cuts through the "maturity mirage" that many organizations project. Moody's focused its analysis on Known Exploited Vulnerabilities (KEVs)—the small subset of software bugs tracked by U.S. CISA with verified, real-world exploitation data.
The findings are stark:
The baseline: In 2025, 60% of all analyzed organizations had at least one externally observable KEV on their network.
The long-standing exposure: In any given month, close to 40% of organizations harbored an unresolved KEV that was older than 45 days. This directly overlaps with threat intelligence metrics indicating that attackers take an average of 44 days to weaponize a newly disclosed bug.
The dormant threat: More than a quarter (25%) of organizations had a verified KEV that remained unpatched for over a year.
This is not a failure of awareness; it is a failure of velocity. While CISA recommends patching most KEVs within 21 days, median remediation timelines are failing to keep pace with an automated threat landscape. CISA recently launched a new, centralized KEV Nomination Form. This capability allows independent security researchers, technology vendors, and industry partners to directly report active, real-world vulnerability exploitation.
One of the report's most compelling insights is that vulnerability exposure is heavily shaped by regional governance and local technology ecosystems. Even when controlling for organizational size, geography clearly shapes patching outcomes.
There's the APAC strain. Issuers in Japan and Korea exhibit the highest prevalence of long-standing (45+ day) KEVs, with more than half of non-financial corporates impacted. In Japan, an astounding 85% of non-financial firms harbored unresolved KEVs, compared to 41% of their financial counterparts. Moody's attributes this massive gap to slower modernization cycles and a heavy reliance on rigid, legacy systems within the corporate sector.
There's the Anglo-American advantage. North America, the UK, and Western Europe showed lower overall prevalence, particularly within financial institutions.
Don't forget the Australian benchmark. Australia and New Zealand demonstrated the lowest exposure rates globally. Moody's explicitly ties this success to prescriptive regulatory coordination, specifically the centralized approach to threat-sharing led by the Australian Cyber Security Centre (ACSC) and strict oversight from the Council of Financial Regulators (CFR).
Unsurprisingly, the report correlates exposure directly to the size of an organization's externally facing digital footprint (the total number of active IP addresses, domains, and internet-facing assets).
The exposure scale is real: 78% of organizations in the top 10% of digital footprint size were plagued by old, unpatched KEVs, compared to just 7.2% in the bottom decile.
Crucially, for non-financial corporates, digital footprint size correlates with KEV exposure far more strongly than annual revenue. This points to a clear structural reality: a larger digital footprint creates a level of complexity, uneven patching cycles, and shadow IT that manual security teams simply cannot out-hustle.
When breaking down exposure by industry, Moody's data expose the structural barriers unique to specific business models.
The highest exposure: Education (universities and colleges) and Telecommunications experience the highest KEV prevalence, frequently exceeding 60% of issuers. For universities, this is driven by decentralized, mixed-user environments. For telecom, it reflects massive, sprawling infrastructures that provide a vast attack surface.
The remediation paradox: High exposure does not automatically mean poor security capability. For example, IT Software companies combine a high prevalence of KEVs with one of the shortest median remediation times. They are exposed because they run bleeding-edge, internet-facing infrastructure, but they possess the engineering agility to fix flaws quickly.
The OT drag: Sectors heavily reliant on Operational Technology (OT) and Industrial Control Systems (ICS)—such as utilities, manufacturing, and oil & gas—exhibit lower externally observable footprint risks but suffer from slower patch implementation times. As U.S. NIST guidelines point out, patching an active production line requires extensive testing and alignment with physical maintenance windows; you cannot simply reboot a refinery to apply an emergency patch.
The Moody's report reinforces that the traditional "hustle hard" approach to vulnerability management has hit its absolute human limit. To close the execution gap, cybersecurity teams must transition to a more strategic model.
Automated attack path validation: Because a large digital footprint guarantees exposure, stop trying to patch everything at once. Teams must use continuous, automated validation to determine whether a KEV older than 45 days lies on a live, executable "path to privilege" toward critical corporate assets, and focus remediation first on that reachable risk.
Prioritize ransomware telemetry: The data show that organizations patch ransomware-linked KEVs fastest (median of 59 days versus 87 days for standard KEVs). Lean into this prioritization framework explicitly. If a bug is flagged as an active ransomware vector, it should bypass standard patch-window protocols entirely.
Account for legacy and regional debt: If your enterprise operates cross-regionally, recognize that your subsidiaries in places like Japan or Korea may require targeted architectural intervention—such as aggressive network segmentation—to isolate legacy systems that local operational teams cannot patch quickly.
Bridge the credit-security gap: Security leaders should use this report when speaking to CFOs and board members. When unpatched bugs are directly linked to credit risk, business disruption, and executive accountability, cybersecurity spending transitions from an "IT cost center" into a fundamental tool for preserving corporate valuation.
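As an added illustration (not code from the Moody's report or from CISA), the following script applies the report's two age buckets (KEVs older than 45 days, KEVs older than a year) to one organization's perimeter findings and orders remediation so that ransomware-linked KEVs jump the queue. It joins a catalog excerpt that uses the field names of CISA's KEV JSON feed (`cveID`, `dueDate`, `knownRansomwareCampaignUse`) with scanner first-seen dates; the CVE IDs, dates and the `FIRST_SEEN` mapping are constructed placeholders.

```python
"""Apply the report's KEV age buckets to one org's findings and order
remediation so ransomware-linked KEVs jump the patch queue.
Catalog entries use the field names of CISA's KEV JSON feed; the values
below are constructed samples with placeholder CVE IDs, not real data."""
import json
from dataclasses import dataclass
from datetime import date

LONG_STANDING_DAYS = 45   # the report's "long-standing KEV" threshold
DORMANT_DAYS = 365        # the report's "unpatched for over a year" bucket
AS_OF = date(2025, 12, 1)  # constructed reporting date

# Constructed catalog excerpt (CISA feed field names, placeholder CVE IDs).
CATALOG_JSON = """{"vulnerabilities": [
 {"cveID": "CVE-0000-0001", "dueDate": "2025-12-11", "knownRansomwareCampaignUse": "Unknown"},
 {"cveID": "CVE-0000-0002", "dueDate": "2025-09-22", "knownRansomwareCampaignUse": "Known"},
 {"cveID": "CVE-0000-0003", "dueDate": "2024-07-06", "knownRansomwareCampaignUse": "Unknown"},
 {"cveID": "CVE-0000-0004", "dueDate": "2025-10-22", "knownRansomwareCampaignUse": "Unknown"}]}"""

# Constructed scanner data: date each KEV was first seen on the external perimeter.
FIRST_SEEN = {"CVE-0000-0001": date(2025, 11, 20), "CVE-0000-0002": date(2025, 9, 1),
              "CVE-0000-0003": date(2024, 6, 15), "CVE-0000-0004": date(2025, 10, 1)}

@dataclass(frozen=True)
class Finding:
    cve_id: str
    first_seen: date
    due_date: date
    ransomware: bool   # True when knownRansomwareCampaignUse == "Known"

def load_findings(catalog_json, first_seen):
    """Join the CISA catalog with what the scanner actually observed."""
    out = []
    for e in json.loads(catalog_json)["vulnerabilities"]:
        if e["cveID"] in first_seen:
            out.append(Finding(e["cveID"], first_seen[e["cveID"]],
                               date.fromisoformat(e["dueDate"]),
                               e.get("knownRansomwareCampaignUse") == "Known"))
    return out

def exposure_metrics(findings, as_of):
    """The report's headline counts: any KEV, >45-day KEVs, >1-year KEVs."""
    ages = [(as_of - f.first_seen).days for f in findings]
    return {"any_kev": bool(findings),
            "long_standing": sum(a > LONG_STANDING_DAYS for a in ages),
            "dormant": sum(a > DORMANT_DAYS for a in ages)}

def remediation_order(findings, as_of):
    """Ransomware KEVs first, then CISA-overdue items, then oldest exposure."""
    key = lambda f: (not f.ransomware, f.due_date >= as_of, -(as_of - f.first_seen).days)
    return [f.cve_id for f in sorted(findings, key=key)]

if __name__ == "__main__":
    fs = load_findings(CATALOG_JSON, FIRST_SEEN)
    print(exposure_metrics(fs, AS_OF), remediation_order(fs, AS_OF))
```

Swapping `FIRST_SEEN` for your scanner's export and `CATALOG_JSON` for the live CISA feed gives the same three counts the report benchmarks against.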
Moody's Ratings reminds us that attackers don't care about an organization's revenue; they care about its exposed attack surface. In an ecosystem where a small subset of known vulnerabilities drives the vast majority of credit-destroying incidents, resilience is found in velocity, visibility, and surgical prioritization.