Critical cybersecurity vulnerabilities have more than doubled over the past year, but only a small fraction require immediate attention, according to a new report from Check Point Software Technologies.
The company’s 2026 Exposure Gap Report, released on Thursday at Check Point Engage in Paris, found that vulnerabilities now account for 42.6% of all critical security exposures, up from 18.7% a year ago.
At the same time, phishing websites have emerged as one of the fastest-growing threats, increasing from just 1% of critical exposures in 2025 to 10.5% this year.
The report says attackers are using automation and AI-assisted tools to scan exposed systems, stolen credentials, phishing infrastructure and known weaknesses much faster than security teams can respond, leaving organisations with less time to stop attacks before they cause damage.
Despite the surge in vulnerabilities, Check Point found that only 7.8% of vulnerability alerts were validated as critical or high priority after exploitability testing. That means more than 90% did not require the same urgent response.
“Attackers are now testing more exposures, across more organisations, at a greater speed than security professionals can manually keep pace with. The organisations that stay ahead are the ones that can quickly separate the small set of genuinely exploitable risks from the noise, then remediate them safely without disrupting operations.
“That is what exposure management delivers, and it is fast becoming a core measure of operational readiness,” said Yochai Corem, VP and general manager of Exposure Management at Check Point Software Technologies.
According to the report, vulnerabilities and internal information disclosure together made up 76% of all critical exposures recorded this year, showing that cyber risks are heavily concentrated around exploitable weaknesses and exposed information assets.
Phishing activity also grew, becoming the third-largest category of critical exposure after vulnerabilities and internal information disclosure.
Hendrik de Bruin, head of Security Consulting for Africa at Check Point Software Technologies, said the speed of modern attacks is changing the way organisations need to manage cyber risks.
“Automation and AI-assisted attack tools are reshaping both the scale and pace of exposure. Threat actors can now test exposed systems, credentials, phishing infrastructure, and known weaknesses across more organisations and at greater speed than manual triage can match,” he said.
The report also reveals wide differences across industries. Vulnerabilities accounted for 78.2% of critical exposures in the utilities sector and 56.4% in government organisations.
In contrast, internal information disclosure was the biggest risk in healthcare, where it represented 63.6% of critical exposures, and in financial services, where it accounted for 42.7%.
Healthcare organisations recorded the slowest response time, taking a median of 158.8 hours to remediate critical exposures. Utilities responded the fastest, with a median remediation time of 12.6 hours.
Even so, the report suggests that rapid remediation is possible. Utilities led all sectors, with 30% of organisations resolving critical exposures within one hour. Financial services followed at 23.1%, while government recorded 14.3% and healthcare 7.7%.
Across the four industries analysed, organisations implemented an average of 85.9% of recommended fixes. Financial services recorded the highest implementation rate at 91.7%, followed by healthcare at 85.5%, utilities at 84%, and government at 82.5%.
Check Point noted that organisations can narrow the exposure gap by combining continuous discovery, exploitability validation, prioritisation and remediation in a single workflow, allowing security teams to focus on the small number of threats that present the greatest risk before they become business incidents.



