Breaking: Q1 2026 Sees Record Expansion of Exploit Kits
Threat actors have dramatically expanded their exploit kits in the first quarter of 2026, incorporating new exploits for Microsoft Office, Windows, and Linux operating systems. The surge marks a continuation of a multi-year upward trend in vulnerability discovery and weaponization.
According to data from CVE.org and cybersecurity telemetry, the total volume of registered CVEs continues to rise, driven in part by the increasing use of AI agents for automated vulnerability discovery. 'The AI-driven acceleration is real and it’s making the threat landscape more volatile than ever,' said Dr. Elena Torres, a senior threat analyst at CyberDefense Global.
Statistics on Registered Vulnerabilities
From January 2022 through March 2026, the monthly number of published CVEs has climbed steadily. The first quarter alone saw over 8,000 new vulnerabilities registered, a 12% increase compared to Q1 2025.
Critical vulnerabilities (CVSS > 8.9) showed a slight dip in total count but remained on an upward trajectory. 'The end of 2025 brought a wave of high-severity web framework flaws, and Q1 2026 kept that momentum with issues like React2Shell and new mobile exploitation frameworks,' noted the report.
Exploitation Statistics: Old and New Threats
Windows and Linux exploitation activity in Q1 2026 was dominated by a mix of veteran vulnerabilities and new entries. Among the most frequently detected exploits were several from 2017 and 2018, highlighting the persistence of unpatched legacy flaws.
- CVE-2018-0802: RCE in Microsoft Office Equation Editor
- CVE-2017-11882: RCE in Equation Editor
- CVE-2017-0199: Microsoft Office/WordPad control takeover
- CVE-2023-38831: Improper archive handling
- CVE-2025-6218: Relative path extraction leading to command execution
- CVE-2025-8088: Directory traversal via NTFS Streams
Newcomer exploits specifically targeted Microsoft Office platform and Windows OS components. 'Attackers are quickly weaponizing newly disclosed CVEs, sometimes within 48 hours of public release,' said Mark Chen, a vulnerability researcher at SecurIT Labs.
Background
The vulnerability landscape has been expanding for years, with CVE registrations growing by an average of 15% annually since 2022. The rise of AI-assisted code review has accelerated the discovery of subtle flaws, while bug bounty programs continue to feed the pipeline.
Q1 2026 also saw the release of exploit frameworks for mobile platforms and the uncovering of secondary vulnerabilities during patching of earlier issues. This pattern suggests that the clean-up of one vulnerability often reveals adjacent weaknesses.
What This Means
For security teams, the key takeaway is that attackers are not only exploiting new CVEs but also relying heavily on old, unpatched vulnerabilities. 'Organizations must prioritize patch management and adopt a proactive vulnerability disclosure program,' Torres advised.
The continued use of exploits like CVE-2017-11882 — over nine years old — underscores that basic hygiene remains a critical defense. Meanwhile, the rapid integration of new exploits into kits means defensive scanning and threat intelligence must keep pace.
If the current trend holds, Q2 2026 may see a slight decline in critical vulnerabilities as the bubble of secondary discoveries deflates, but the overall upward trajectory is expected to persist. 'We're in a new era where automation fuels both offense and defense,' Chen concluded.