ctipilot.ch

Rapid7 Q1 2026 Threat Landscape Report — vulnerability exploitation overtakes social engineering as top initial-access vector (38% vs 24%); KEV median time 8.5→5.0 days

annual-report · annual-report:rapid7-q1-2026-threat-landscape-report-vulnerability-exploitation-top-iav

  • Coverage timeline: 1 (first 2026-05-23 → last 2026-05-23)
  • Briefs: 1 (1 distinct)
  • Sources cited: 15 (10 hosts)
  • Sections touched: 1 (research)
  • Co-occurring entities: 2

Story timeline

  1. 2026-05-23 · CTI Daily Brief — 2026-05-23
     research: Rapid7 Labs Q1 2026 report (2026-05-21) covering Jan–Mar 2026 IR data. Vulnerability exploitation 38% IAV (first time top); social engineering 24%. >50% of exploited vulns zero-click network-facing. KEV median time disclosure-to-listing dropped from 8.5d to 5.0d. SQL injection top exploited class. RMM tool abuse 22.9%; ClickFix 18.8%. Ransomware leaders: Qilin 357 posts, The Gentlemen 206, Akira 174. Iranian/Russian/Chinese geopolitical layer; BPFDoor, ModeloRAT mentioned. PD-9 dedicated treatment.

Where this entity is cited

  • research: 1

Source distribution

  • rapid7.com: 4 (27%)
  • blog.talosintelligence.com: 2 (13%)
  • securityweek.com: 2 (13%)
  • globenewswire.com: 1 (7%)
  • bleepingcomputer.com: 1 (7%)
  • cisa.gov: 1 (7%)
  • cyberscoop.com: 1 (7%)
  • helpnetsecurity.com: 1 (7%)
  • other: 2 (13%)


Items in briefs about Rapid7 Q1 2026 Threat Landscape Report — vulnerability exploitation overtakes social engineering as top initial-access vector (38% vs 24%); KEV median time 8.5→5.0 days (1)

ANNUAL REPORT — Rapid7 Q1 2026 Threat Landscape Report: vulnerability exploitation now top initial-access vector at 38 %; KEV median time to listing collapses to 5 days

From CTI Daily Brief — 2026-05-23 · published 2026-05-23

Rapid7 Labs published its Q1 2026 Threat Landscape Report on 2026-05-21 covering January–March 2026 IR data; the GlobeNewswire release accompanied the post the same day. The findings that change what a Swiss/EU public-sector SOC should prioritise:

  • Vulnerability exploitation accounted for 38 % of confirmed initial-access vectors, overtaking social engineering (24 %) in Rapid7's Q1 2026 dataset. The implication: edge / perimeter patch SLAs and exposure management now drive blast radius more than awareness training does.
  • More than 50 % of actively exploited vulnerabilities in Q1 2026 were zero-click, network-facing flaws requiring no authentication or user interaction. The defensive prioritisation gradient sharpens: pre-auth network-facing CVEs > authenticated CVEs > anything user-interaction-dependent.
  • Median time from public disclosure to CISA KEV listing fell from 8.5 days to 5.0 days. Operators of EU/CH public-sector estates running on monthly patch windows lose ground every cycle; the report frames this as faster AI-assisted N-day weaponisation. PD-13 still applies — the KEV addition is the exploitation-confirmation signal, not a US-only compliance deadline — but the window between "vendor publishes" and "expect attempts" has narrowed materially.
  • Exploited vulnerabilities averaged 1.8 million mentions across forums, blogs and social media before operational targeting, making chatter spikes a leading indicator of imminent exploitation waves.
  • SQL injection became the most-exploited vulnerability class in Q1 2026, validating the Drupal CVE-2026-9082 story above as part of a broader shift.
  • RMM tool abuse accounted for 22.9 % of observed threat activity, ClickFix-style social engineering for 18.8 % — both worth re-checking against EDR detection coverage in EU/CH environments, where ClickFix browser drive-by is less culturally familiar than in U.S. consumer markets.

The report also covers a geopolitical layer (Iranian, Russian and Chinese campaigns synchronised with Middle East military escalation; tools mentioned include BPFDoor and ModeloRAT) and ransomware fragmentation (Qilin leads at 357 leak-site posts, The Gentlemen 206, Akira 174; pure extortion without encryption continues to grow). Per PD-9 this is the dedicated treatment of the report; specific findings will be cited as context in future briefs rather than re-summarised.