Mechanism
The CVE system was designed for a world where vulnerabilities are found by research and managed through coordinated disclosure. That world still exists, but it shares the landscape with a different one: an attacker economy that discovers its own primitives, uses them for months, and only leaks them when incident-response firms begin recognizing the shape of the intrusions. The second world does not produce CVEs until the first world catches up.
The mechanics of this inversion are unglamorous. A well-resourced attacker finds a vulnerability, usually in an enterprise product with a heavy on-premises footprint (edge devices, managed file transfer, VPN appliances, identity software). They exploit it at a cadence that does not trigger noise: two or three targets at a time, not ten thousand. The targets who notice (if any notice at all) file incidents, and the incident responders deal with one-off intrusions for a while. Eventually someone at a response firm sees two cases with the same entry point and writes the vendor. The vendor, depending on internal urgency and legal posture, starts the clock. Patch. CVE. Advisory.
The defender-visible timeline starts only at the last step. The customers who took the hit during the in-wild window are already in remediation. The customers who did not take the hit are one incident away from finding out that their lucky streak ended last Tuesday. The CVE is the post-hoc label, not the early warning.
Exhibits
CVE-2025-54309: The AS2 Receiver Authenticated the Admin. CVE-2025-54309 is the disclosure-after-exploitation pattern with the audit trail in the URL. CrushFTP filed the documenting wiki page at Wiki.jsp?page=CompromiseJuly2025 on July 18, 2025, because they had traced customer compromises before the bug had a name. MITRE assigned the CVE four days later. CISA added it to KEV the same week. The first public PoC arrived thirty-six days after that, by watchTowr Labs, who openly described the writeup as "the one where we just steal the vulnerabilities" because they captured the technique from attacker traffic in their Attacker Eye honeypot, replayed it, and confirmed it worked. Neither the vendor nor the security firm was first; both backfilled into a chain that began on production systems with no bound visible from outside. This is the second consecutive CrushFTP exhibit on this pattern, three months after CVE-2025-31161 (the silent-patch instance) hit the same endpoint by a different protocol seam.
CVE-2010-0249: The KEV Deadline for Aurora Is a Census. CVE-2010-0249 is the pattern's founding case at two layers. In late 2009 a state-aligned operator used the bug against Google, Adobe, Juniper Networks, and at least twenty other named companies before any vendor saw it; Google's January 12, 2010 breach disclosure preceded Microsoft Security Advisory 979352 by two days and the emergency MS10-002 patch by nine. The CVE was post-hoc documentation of a thing that had already happened, which is the pattern in its naked form. Sixteen years later, the disclosure tail extends: CISA adds the same CVE to KEV on May 20, 2026, with a June 3 federal deadline, against a product Microsoft retired in 2022. The bug was disclosed by breach in 2010. The footprint of the product the bug lives in is being disclosed by federal mandate in 2026. The pattern compounds at the regulatory layer, the deadline functioning as an inventory event rather than a patch directive.
CrushFTP CVE-2025-31161: MFT Is the Target Now. Pre-auth vulnerabilities in managed file transfer products are a recurring attack vector because MFT sits directly on the public internet with credentials for everyone's file share. The CrushFTP CVE was known in the wild before it was known in public. The advisory went out after several incident response firms were already seeing the same entry point across unrelated customers. The window between first observed exploitation and public disclosure was measured in weeks, not hours.
CVE-2025-57819: FreePBX's Ajax Dispatcher Asked PHP If The Class Existed. PHP Loaded The File.. The timeline reads in three beats: in-wild exploitation surfaced Aug 21, the endpoint-module sink fix shipped Aug 28, and the framework-level dispatcher regex landed Sep 11 as defense-in-depth. The Sep 11 patch is the admission that the August fix only closed one sink while leaving the include primitive reachable through any other module that takes user input into SQL. Two weeks of "patched" customers were still one bug-class away from the same execution path — the framework regex is what closes the class, and it shipped after the advisory said the class was closed.
CVE-2026-28318: SolarWinds Patched The Path To The Decoder, Not The Decoder. CVE-2026-28318 was published 2026-06-04 and landed on CISA KEV 2026-06-05 with a federal patch deadline of 2026-06-19. The CVE record is a fourteen-day inventory event for a bug that, by KEV's inclusion criterion, was already being used at scale. CISA does not add unauthenticated denial-of-service bugs to KEV on severity alone; the inclusion is documentation that the bug was running against MFT services whose availability is the asset. The disclosure ordering is the pattern: attackers used the deflate-decoder crash on Serv-U before SolarWinds disclosed, and the federal deadline catches the customer fleet up to a thing that has been running.
CVE-2024-47575: FortiManager's get auth Command Does Not Authenticate. Mandiant traced in-wild exploitation of the FortiJump chain to no later than June 2024. Fortinet's advisory FG-IR-24-423 published on October 23, 2024. Four months of unauthorized device registrations against FortiManagers around the world, under serial numbers the advisory eventually listed as indicators of compromise. The CVE was the vendor catching up to a breach record, not the research community's early warning. The advisory credits Mandiant for threat intelligence findings after the fact; it credits no one for finding the bug before it was in use, because nobody did. The bug was found by being used.
Ivanti: The Vulnerability Subscription. Ivanti produces a steady stream of edge-appliance vulnerabilities, many of them first visible through active exploitation rather than responsible disclosure. The pattern is recurring enough that the post title treats it as a subscription: Ivanti customers are paying for a recurring delivery of in-wild CVEs. The advisories arrive after nation-state crews have already moved through the fleet.
xrpl.js: The Official Package Was the Threat. The xrpl.js maintainer-account compromise was in the wild (harvesting credentials) before it was understood as a compromise. The community noticed the malicious publish; the takedown came hours later; the formal disclosure came after. Every install that pulled the package during the in-wild window was already a victim by the time the rest of the ecosystem heard about it.
Defender playbook
Track in-wild before you track CVEs. Threat intel feeds that name specific products under active targeting often move days or weeks before the corresponding CVE publishes. For products in your stack that have a history of disclosure-after-exploitation (edge appliances, MFT, identity software), treat in-wild signals as patch-triggering events and figure out the specific CVE later.
Assume a disclosure-after-exploitation product is currently exploited somewhere. If the product has a history of the pattern, the CURRENT state is not "no known CVEs." The current state is "no public CVEs yet for this quarter's attack campaign." Configure incident response and monitoring accordingly.
Segment products that fit the pattern. Disclosure-after-exploitation products tend to be the ones with deep network access (identity brokers, MFT, VPNs, remote management). Segmentation reduces the blast radius when the inevitable advisory arrives. Treat their network privilege as provisional, not architectural.
Watch your revocation gaps on products that fit the pattern. The exploitation window is longer than the disclosure window. Credentials and access earned during in-wild use are still valid when the patch lands. Patching alone does not close the window.
When you see multiple unrelated orgs with the same entry point, say so publicly. The feedback loop that turns attacker-found-bugs into public CVEs depends on defenders comparing notes. Silence serves the vendor's comms timeline, not the ecosystem's security posture.
Kinship
Revocation Gap. Disclosure-after-exploitation is a specific case of revocation gap at the VENDOR level. The gap between first-seen and CVE is the vendor's revocation gap. Credentials and access harvested during that gap have their own revocation gaps at the customer level. The pattern is nested, which is why incidents compound.
Design Debt Driver. Products that keep showing up in the disclosure-after-exploitation pattern usually have design-debt in the substrate. Attackers return to the same products because the same products keep producing the same class of primitives. The two patterns reinforce each other: design debt produces the bugs; attacker-first discovery means customers learn about them the hard way.
Trust Inversion. Disclosure-after-exploitation is often how trust-inversion incidents first become visible. A compromised authorizer is not disclosed through research. It is disclosed through the downstream who notices that something authenticated is doing things it should not.
The CVE is documentation of the breach. The breach is not documentation of the CVE.