Kaspersky's quarterly exploitation analysis for Q1 2026 identifies a marked resurgence in document-based exploit delivery, with Microsoft Office and PDF readers accounting for the largest share of initial-access exploit deployments. The most exploited CVE class involved Office Protected View bypass chains (multiple CVEs published in January 2026 Patch Tuesday). Browser exploitation via V8 memory corruption grew 34% quarter-on-quarter. A significant structural trend: ransomware-as-a-service operators are increasingly acquiring zero-day exploits directly from private brokers rather than relying on publicly available PoC code, shortening the detection window between disclosure and mass exploitation. The report includes Excel macro delivery via cloud storage abuse as an emerging initial-access technique.
Kaspersky's quarterly exploitation analysis for Q1 2026 reports that exploit kits expanded again to include new Microsoft Office, Windows, and Linux exploits, and that veteran vulnerabilities CVE-2018-0802 (Equation Editor RCE), CVE-2017-11882, and CVE-2023-38831 still account for the largest share of detections in the quarter (Kaspersky Securelist — Exploits and Vulnerabilities Q1 2026). The Securelist report also notes that AI-tool use for vulnerability discovery is increasing total registered vulnerability volume — a defender-side reframe for the M-Trends 2026 dwell-time data above (daily 2026-05-08).