More CVEs, Same Playbook: 2026 Vulnerability Exploitation in the Wild
Proofpoint US, Wednesday, May 27th, 2026
Proofpoint reports attackers are rapidly weaponizing new CVEs using established techniques rather than developing fundamentally new exploit methods.
Proofpoint's threat research reveals that while the volume of CVEs has dramatically increased due to AI-assisted vulnerability discovery, threat actors continue using the same opportunistic playbooks to exploit them.
The company identified 12 distinct 2026 CVEs actively exploited in the wild, compared to only 8 on the CISA KEV catalog, indicating significant visibility gaps. Three CVEs have been weaponized in targeted email campaigns: CVE-2026-21509 targeting Microsoft Office, CVE-2026-21510 exploiting Windows Shell protection, and CVE-2026-32202 resulting from an incomplete patch.
Rather than innovating attack methods, groups like TA422 and TA406 simply adopt newly disclosed vulnerabilities for their existing email-based initial access and multi-stage infection chains.