Old vulnerabilities continue to be a blind spot for organizations

TrendAI finds 70% of requested exploits in the last three years were for vulnerabilities that were at least two years old.

Check your blind spots…and we aren’t talking about the ones in your car.

Old vulnerabilities continue to create new dangers for organizations as cybercriminals exploit code that’s never been fixed. That’s according to a recent TrendAI report, which found 70% of requested exploits between January 2023 and January 2026 leveraged vulnerabilities that were more than two years old. About 8% were for vulnerabilities between 10 and 15 years old.

The AI twist. There’s nothing novel about cybercriminals eyeing dated vulnerabilities. This January, for example, CISA added a 17-year-old PowerPoint bug to its list of actively exploited common vulnerabilities and exposures (CVEs).

However, like so many other aspects of cybersecurity, AI is changing the game: TrendAI researchers claim the technology has expanded the “potential blast radius of exploits” as it bleeds into business-critical workflows. “Because large language models (LLMs) are trained on extensive public datasets that include unsecure coding practices, their outputs frequently replicate well-known vulnerabilities and unsafe design patterns. This increases the likelihood that exploitable flaws are introduced into applications at scale,” the researchers wrote.

This vulnerability is just right! TrendAI’s analysis found that malicious actors had refined taste when it came to the vulnerabilities purchased on underground markets. For instance, cybercriminals were observed to have a preference for high- or critical-severity vulnerabilities, with more than half of requested exploits holding a score of 7.5 (out of 10) or higher on the Common Vulnerability Scoring System (CVSS). On the underground markets, the cost of exploits can range anywhere from $500 to $115,000.

How to reduce the risk. TrendAI researchers suggest companies reduce the chance of an n-day exploit—a cyberattack exploiting a known vulnerability in unpatched systems—by prioritizing vulnerabilities based on current exploits as opposed to just age or severity, and by having clear ownership over vulnerabilities and their remediation timelines: “These measures help disrupt repeatable initial access paths, limit long‐term exposure to known weaknesses, and prevent legacy vulnerabilities from compounding the risks introduced by AI‐driven development.”
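As an added illustration (not code from TrendAI or from the article), the sketch below ranks a vulnerability inventory by known exploitation first and CVSS second, and flags findings with no owner or a missed remediation deadline. The CVE identifiers, team names, dates and the exploited-CVE set are constructed placeholders; in practice that set would come from a feed of actively exploited CVEs such as the CISA list mentioned above.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Finding:
    cve: str              # constructed placeholder ID, not a real CVE
    cvss: float
    published: date
    owner: Optional[str]  # team accountable for the fix
    due: Optional[date]   # agreed remediation deadline

def prioritize(findings, known_exploited, today):
    """Rank exploited findings first, then by CVSS, then oldest first,
    and flag gaps in ownership or remediation deadlines."""
    ordered = sorted(
        findings,
        key=lambda f: (f.cve not in known_exploited, -f.cvss, f.published),
    )
    ranked = []
    for f in ordered:
        flags = []
        if f.cve in known_exploited:
            flags.append("exploited")
        if f.owner is None:
            flags.append("no-owner")
        if f.due is None:
            flags.append("no-deadline")
        elif f.due < today:
            flags.append("overdue")
        ranked.append((f.cve, flags))
    return ranked

# Constructed sample inventory and exploited-CVE set (all values hypothetical).
TODAY = date(2026, 2, 1)
KNOWN_EXPLOITED = {"CVE-EXAMPLE-0002", "CVE-EXAMPLE-0003"}
SAMPLE = [
    Finding("CVE-EXAMPLE-0001", 9.8, date(2025, 11, 1), "platform", date(2026, 3, 1)),
    Finding("CVE-EXAMPLE-0002", 7.8, date(2009, 5, 12), None, None),
    Finding("CVE-EXAMPLE-0003", 5.3, date(2021, 2, 1), "web", date(2025, 12, 1)),
    Finding("CVE-EXAMPLE-0004", 6.5, date(2024, 6, 1), "db", date(2026, 6, 1)),
]

if __name__ == "__main__":
    for cve, flags in prioritize(SAMPLE, KNOWN_EXPLOITED, TODAY):
        print(cve, ", ".join(flags) or "ok")
```

In the sample, the 2009 finding with a 7.8 score and the 5.3 finding both rank above the unexploited 9.8, which a severity-only sort would have put first.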

About the author

Brianna Monsanto

Brianna Monsanto is a reporter for IT Brew who covers news about cybersecurity, cloud computing, and strategic IT decisions made at different companies.
