pattern·published·3 exhibits

Disclosure After Exploitation

Vendor discloses only after active in-wild exploitation. The gap between first-seen and CVE is the story.

The normal disclosure pipeline reads left to right. A researcher finds a bug. The researcher tells the vendor. The vendor patches. A CVE is issued. Defenders patch. Some time later, exploitation begins in the wild.

Disclosure-after-exploitation runs the pipeline in reverse. Attackers find the bug. Attackers use the bug. Incident responders notice a pattern in the breach data. The pattern gets traced back to a specific component. The vendor learns about it from the incident report, or from a customer call, or from a tweet. The CVE, when it finally arrives, is documentation of a thing that has already happened to people.

By the time the public sees the advisory, the defenders are the last to know.

Mechanism

The CVE system was designed for a world where vulnerabilities are found by research and managed through coordinated disclosure. That world still exists, but it shares the landscape with a different one: an attacker economy that discovers its own primitives, uses them for months, and only leaks them when incident-response firms begin recognizing the shape of the intrusions. The second world does not produce CVEs until the first world catches up.

The mechanics of this inversion are unglamorous. A well-resourced attacker finds a vulnerability, usually in an enterprise product with a heavy on-premises footprint (edge devices, managed file transfer, VPN appliances, identity software). They exploit it at a cadence that does not trigger noise: two or three targets at a time, not ten thousand. The targets who notice (if any notice at all) file incidents, and the incident responders deal with one-off intrusions for a while. Eventually someone at a response firm sees two cases with the same entry point and writes the vendor. The vendor, depending on internal urgency and legal posture, starts the clock. Patch. CVE. Advisory.

The defender-visible timeline starts only at the last step. The customers who took the hit during the in-wild window are already in remediation. The customers who did not take the hit are one incident away from finding out that their lucky streak ended last Tuesday. The CVE is the post-hoc label, not the early warning.

Exhibits

CrushFTP CVE-2025-31161: MFT Is the Target Now. Pre-auth vulnerabilities in managed file transfer products are a recurring attack vector because MFT sits directly on the public internet with credentials for everyone's file share. The CrushFTP CVE was known in the wild before it was known in public. The advisory went out after several incident response firms were already seeing the same entry point across unrelated customers. The window between first observed exploitation and public disclosure was measured in weeks, not hours.

Ivanti: The Vulnerability Subscription. Ivanti produces a steady stream of edge-appliance vulnerabilities, many of them first visible through active exploitation rather than responsible disclosure. The pattern is recurring enough that the post title treats it as a subscription: Ivanti customers are paying for a recurring delivery of in-wild CVEs. The advisories arrive after nation-state crews have already moved through the fleet.

xrpl.js: The Official Package Was the Threat. The xrpl.js maintainer-account compromise was in the wild (harvesting credentials) before it was understood as a compromise. The community noticed the malicious publish; the takedown came hours later; the formal disclosure came after. Every install that pulled the package during the in-wild window was already a victim by the time the rest of the ecosystem heard about it.

Boundaries

Not every CVE with in-wild exploitation is disclosure-after-exploitation. A CVE issued responsibly, patched, and then exploited after patch release is the normal pipeline. In-wild-ness alone is not the pattern; the ORDERING is. Exploitation precedes disclosure in this pattern, and the defender's first signal is a breach, not an advisory.

Not every zero-day is disclosure-after-exploitation. A zero-day that researchers find and report, but the vendor delays patching, may end up exploited during the delay. That is slow-disclosure, a governance problem on the vendor side. Disclosure-after-exploitation assumes the RESEARCHERS were not first at all. The initial discovery happened in the attacker's workbench, not anyone's responsible channel.

Not every embarrassing vendor timeline. Vendors sometimes sit on advisories for business reasons (legal review, PR coordination, patch readiness). A long vendor-side queue is not disclosure-after-exploitation by itself. The pattern requires that the initial discovery and weaponization lived entirely outside the researcher-vendor conversation.

Defender playbook

Track in-wild before you track CVEs. Threat intel feeds that name specific products under active targeting often move days or weeks before the corresponding CVE publishes. For products in your stack that have a history of disclosure-after-exploitation (edge appliances, MFT, identity software), treat in-wild signals as patch-triggering events and figure out the specific CVE later.

Assume a disclosure-after-exploitation product is currently exploited somewhere. If the product has a history of the pattern, the CURRENT state is not "no known CVEs." The current state is "no public CVEs yet for this quarter's attack campaign." Configure incident response and monitoring accordingly.

Segment products that fit the pattern. Disclosure-after-exploitation products tend to be the ones with deep network access (identity brokers, MFT, VPNs, remote management). Segmentation reduces the blast radius when the inevitable advisory arrives. Treat their network privilege as provisional, not architectural.

Watch your revocation gaps on products that fit the pattern. The exploitation window is longer than the disclosure window. Credentials and access earned during in-wild use are still valid when the patch lands. Patching alone does not close the window.

When you see multiple unrelated orgs with the same entry point, say so publicly. The feedback loop that turns attacker-found-bugs into public CVEs depends on defenders comparing notes. Silence serves the vendor's comms timeline, not the ecosystem's security posture.

Kinship

Revocation Gap. Disclosure-after-exploitation is a specific case of revocation gap at the VENDOR level. The gap between first-seen and CVE is the vendor's revocation gap. Credentials and access harvested during that gap have their own revocation gaps at the customer level. The pattern is nested, which is why incidents compound.

Design Debt Driver. Products that keep showing up in the disclosure-after-exploitation pattern usually have design-debt in the substrate. Attackers return to the same products because the same products keep producing the same class of primitives. The two patterns reinforce each other: design debt produces the bugs; attacker-first discovery means customers learn about them the hard way.

Trust Inversion. Disclosure-after-exploitation is often how trust-inversion incidents first become visible. A compromised authorizer is not disclosed through research. It is disclosed through the downstream who notices that something authenticated is doing things it should not.

The CVE is documentation of the breach. The breach is not documentation of the CVE.