
Cybersecurity Threat Landscape: Q1 2026 Exploits and Vulnerability Trends

Last updated: 2026-05-16 04:35:53 · Cybersecurity

Introduction

The first quarter of 2026 has witnessed a significant escalation in the arsenal of exploit kits used by cybercriminals. These toolkits have been updated to target the Microsoft Office platform, along with Windows and Linux operating systems, incorporating newly discovered vulnerabilities. This report delves into the statistics of published vulnerabilities and exploits, including those leveraged by popular command-and-control (C2) frameworks during this period.

Source: securelist.com

The data presented here is sourced from the CVE database (cve.org). We analyze the monthly count of registered Common Vulnerabilities and Exposures (CVEs) from January 2022 through March 2026. The overall volume of vulnerabilities continues to rise. Notably, the increasing use of artificial intelligence agents for discovering security issues is expected to further accelerate this upward trend.

Total Published Vulnerabilities

A graphical representation of total published vulnerabilities per month from 2022 to 2026 shows a steady climb.

Critical Vulnerabilities (CVSS > 8.9)

Examining the number of new critical vulnerabilities over the same period reveals a slight decrease compared to previous years, but the upward trajectory remains clear. This can be attributed to the disclosure of several severe flaws in web frameworks toward the end of 2025. Current growth is driven by high-profile issues such as React2Shell, the release of exploit frameworks for mobile platforms, and the discovery of secondary vulnerabilities during remediation of previously known bugs. We will test this hypothesis in the next quarter; if correct, Q2 2026 should see a significant decline, mirroring patterns from the prior year.

Exploitation Activity in Q1 2026

This section provides statistics on vulnerability exploitation during Q1 2026, drawing from open sources and our telemetry data.

Windows and Linux Vulnerability Exploitation

In Q1 2026, threat actors updated their toolsets with exploits for newly registered vulnerabilities. However, the most frequently detected exploits continue to target older, well-known flaws. The following veteran vulnerabilities remain consistently exploited:

  • CVE-2018-0802 – a remote code execution (RCE) vulnerability in the Equation Editor component of Microsoft Office
  • CVE-2017-11882 – another RCE vulnerability also affecting Equation Editor
  • CVE-2017-0199 – a vulnerability in Microsoft Office and WordPad that can allow an attacker to gain control of the system
  • CVE-2023-38831 – a vulnerability caused by improper handling of objects within archives, commonly used in phishing campaigns
  • CVE-2025-6218 – a flaw that allows specifying relative paths to extract files into arbitrary directories, potentially leading to malicious command execution
  • CVE-2025-8088 – a directory traversal bypass vulnerability during file extraction, exploiting NTFS streams
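
The last two entries above describe extraction-time flaws: relative paths that escape the target directory and NTFS stream specifiers in member names. As an added example that is not part of the original report, the Python check below flags such names in an archive before anything is extracted. It uses the standard-library ZIP reader for illustration; the function names, reason codes and sample member names are constructed for this example.

```python
import io
import zipfile
from pathlib import PureWindowsPath


def entry_problems(name: str) -> list[str]:
    """Reasons an archive member name is unsafe to extract on Windows."""
    win = PureWindowsPath(name.replace("/", "\\"))  # Windows accepts both separators
    problems = []
    if win.drive or win.root:
        problems.append("absolute")   # drive letter, UNC share or rooted path
    # Win32 drops trailing spaces from a component, so ".. " still means "..".
    if any(part.rstrip(" ") == ".." for part in win.parts):
        problems.append("traversal")
    # Any ':' beyond a leading drive prefix addresses an NTFS alternate data stream.
    if ":" in name[len(win.drive):]:
        problems.append("ads")
    return problems


def audit_archive(data: bytes) -> dict[str, list[str]]:
    """Map each suspicious member of a ZIP (given as bytes) to its problems."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        findings = {n: entry_problems(n) for n in zf.namelist()}
    return {n: p for n, p in findings.items() if p}


def build_sample() -> bytes:
    """Constructed test archive; the member names are made up for this example."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in ("docs/readme.txt", "../../outside.txt",
                     "notes.txt:extra", "C:/temp/x.txt"):
            zf.writestr(name, b"sample")
    return buf.getvalue()


if __name__ == "__main__":
    for member, problems in audit_archive(build_sample()).items():
        print(f"{member!r}: {', '.join(problems)}")
```

A mail gateway or download scanner can quarantine any archive for which `audit_archive` returns a non-empty result, independent of whether the extraction tool on the endpoint has been patched.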

New Exploits on the Horizon

Among the newcomers, we have observed exploits targeting the Microsoft Office platform and Windows OS components. These new additions indicate that attackers are actively adapting to the latest security patches and evolving their attack vectors.

Conclusion

The first quarter of 2026 underscores the persistent and evolving nature of cybersecurity threats. While legacy vulnerabilities continue to dominate the exploitation landscape, the emergence of new exploits for both Microsoft and Linux environments demands ongoing vigilance. Security teams should prioritize patching older, widely abused vulnerabilities and stay informed about emerging threats highlighted in this report.