VYPR
Research · Published May 27, 2026 · 1 source

Tenable Graph Model Reveals 68% of Organizations Carry CVEs Exploited by Named Adversaries

Tenable Research's graph-based model linking 600+ threat groups to vulnerabilities across 7,800 customer environments reveals that 68% of organizations carry at least one CVE previously exploited by a named adversary.

Tenable Research has developed a graph-based model that maps more than 600 threat groups to vulnerabilities observed across 7,800 customer environments, revealing that 68% of organizations carry at least one CVE previously exploited by a named adversary. The analysis also found that 321 tracked threat groups can reach at least one customer environment through an active vulnerability. The findings underscore the need for adversary-aware vulnerability prioritization over the traditional 'patch everything' approach.

The model links four categories of entities: threat actors, attack techniques, vulnerabilities (both CVE and non-CVE), and customer environments where vulnerabilities are detected. By joining plugin-finding telemetry with proprietary threat actor tracking data and MITRE ATT&CK technique data, the graph enables a shift from asking 'how severe is this CVE?' to 'which named adversaries can reach my environment through this CVE?' This provides a fundamentally different kind of intelligence that per-CVE scoring layers were never designed to offer.

A key finding is the prevalence of the 242 'Elite Arsenal' CVEs—those meeting all three criteria of critical VPR (≥9), CISA KEV listing, and documented threat group exploitation. These CVEs are nearly universally present across the studied customer base, with 241 of 242 actively detected. More than half are five or more years old, and 78% of the persistently exploited core are simultaneously weaponized by nation-state APTs, commodity malware operators, and ransomware gangs. This highlights that even old, well-known vulnerabilities remain a significant threat.
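The actor-to-environment join and the three-part 'Elite Arsenal' filter described above can be sketched as follows. This is an added example, not Tenable's code or data model: every identifier and score is a constructed placeholder, the function names are hypothetical, and the attack-technique node type is left out to keep the graph to actors, vulnerabilities and environments.

```python
from collections import defaultdict

# Constructed sample data; every identifier below is a placeholder, not a real CVE or group.
ACTOR_EXPLOITS = {  # actor -> vulns with documented exploitation by that actor
    "ACTOR-A": {"CVE-EXAMPLE-0001", "CVE-EXAMPLE-0002"},
    "ACTOR-B": {"CVE-EXAMPLE-0002"},
    "ACTOR-C": {"CVE-EXAMPLE-0004"},
}
VULN_ATTRS = {  # vuln -> (VPR score, listed in CISA KEV?)
    "CVE-EXAMPLE-0001": (9.4, True),
    "CVE-EXAMPLE-0002": (9.8, False),
    "CVE-EXAMPLE-0003": (9.9, True),   # critical and KEV-listed, but no tracked actor
    "CVE-EXAMPLE-0004": (6.1, True),
}
ENV_FINDINGS = {  # environment -> vulns detected by scan findings
    "env-1": {"CVE-EXAMPLE-0001", "CVE-EXAMPLE-0003"},
    "env-2": {"CVE-EXAMPLE-0002", "CVE-EXAMPLE-0004"},
    "env-3": {"CVE-EXAMPLE-0003"},
}

def actors_by_vuln(actor_exploits):
    """Invert actor->vuln edges so each vuln lists the actors that exploit it."""
    index = defaultdict(set)
    for actor, vulns in actor_exploits.items():
        for v in vulns:
            index[v].add(actor)
    return index

def reachability(env_findings, actor_exploits):
    """For each environment: {actor: detected vulns that this actor exploits}."""
    index = actors_by_vuln(actor_exploits)
    result = {}
    for env, vulns in env_findings.items():
        paths = defaultdict(set)
        for v in vulns:
            for actor in index.get(v, ()):
                paths[actor].add(v)
        result[env] = dict(paths)
    return result

def elite_arsenal(vuln_attrs, actor_exploits):
    """Vulns meeting all three criteria: VPR >= 9, KEV-listed, actor-exploited."""
    index = actors_by_vuln(actor_exploits)
    return {v for v, (vpr, kev) in vuln_attrs.items()
            if vpr >= 9 and kev and index.get(v)}

def share_exposed(reach):
    """Fraction of environments reachable by at least one tracked actor."""
    return sum(1 for paths in reach.values() if paths) / len(reach)
```

Sorting an environment's findings by the number of actors in `reachability(...)` gives a different order than sorting by score alone: in the sample data the highest-scored finding has no tracked actor behind it.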

Non-CVE exposures, including misconfigurations, weak credentials, and end-of-life software, are present in virtually 100% of studied organizations, with 60% carrying at least one that maps to a tracked threat actor's preferred techniques. Preliminary modeling suggests these exposures may confer more breach risk than CVE-linked findings, yet no industry-standard scoring infrastructure exists to prioritize them. This gap represents a critical blind spot for defenders.

The research builds on earlier posts in the series that documented the accelerating vulnerability flood and the widening remediation gap. The first post highlighted AI-driven vulnerability discovery tools accelerating CVE volume toward a projected 59,000 disclosures in 2026, while NIST scaled back NVD enrichment. The second post, produced with the Verizon 2026 DBIR, showed vulnerability exploitation has surged to become the leading initial access vector at 31% of breaches, with median time-to-patch growing from 32 to 43 days.

Tenable's graph model provides a concrete tool for organizations to prioritize remediation efforts based on real-world risk. By identifying which vulnerabilities are actively exploited by named adversaries and how many organizations share those exposures, defenders can focus finite resources on the most critical threats. The research also calls for industry-wide efforts to develop scoring infrastructure for non-CVE exposures, which may pose an even greater risk than traditional vulnerabilities.

Synthesized by Vypr AI