Exploit Kit Surge in First Quarter 2026 Targets Microsoft Office, Windows, and Linux Systems

In the first quarter of 2026, threat actors significantly expanded their exploit kits, adding new vulnerabilities targeting the Microsoft Office platform, Windows, and Linux operating systems. This marks a continuing trend of increasingly sophisticated attacks against both enterprise and consumer endpoints.

According to the latest threat intelligence report from cybersecurity firm CySecAnalytics, the volume of registered Common Vulnerabilities and Exposures (CVEs) has continued to rise, driven in part by the use of AI agents for vulnerability discovery. The report highlights that while the number of critical vulnerabilities (CVSS > 8.9) saw a slight decline compared to previous quarters, the overall upward trajectory remains intact.

Vulnerability Statistics for Q1 2026

Data sourced from cve.org shows that the total number of published vulnerabilities per month has been steadily increasing since January 2022. Experts predict that the integration of AI into security research will further accelerate this trend.

Source: securelist.com

"The use of AI agents for vulnerability discovery is a double-edged sword," said Dr. Elena Markov, lead analyst at CySecAnalytics. "While it helps identify flaws faster, it also amplifies the volume of vulnerabilities that need patching, straining IT teams."

Critical vulnerabilities, those with a CVSS score above 8.9, showed a slight decrease in Q1 2026 compared to the same period last year. However, analysts note that the end of 2025 saw several high-severity web framework disclosures, and the current growth is fueled by issues like React2Shell, new mobile exploit frameworks, and secondary vulnerabilities discovered during remediation of earlier flaws.

"If this pattern holds, we expect a significant drop in critical vulnerabilities in Q2 2026, similar to the trend observed in previous years," added Markov.

Exploitation Statistics: Windows and Linux Under Siege

In Q1 2026, threat actors continued to update their toolsets with exploits for recently registered vulnerabilities. However, the most frequently detected exploits still target older, "veteran" vulnerabilities that persist across networks:

  • CVE-2018-0802 – Remote code execution (RCE) in Microsoft Office Equation Editor.
  • CVE-2017-11882 – Another RCE in Equation Editor, still actively exploited.
  • CVE-2017-0199 – Microsoft Office and WordPad vulnerability allowing system compromise.
  • CVE-2023-38831 – Improper handling of archive objects leading to RCE.
  • CVE-2025-6218 – Relative path traversal enabling arbitrary file extraction.
  • CVE-2025-8088 – Directory traversal bypass using NTFS streams during extraction.
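The last two entries both come down to archive member names that escape the extraction directory. The following is an added example, not code from the report or from any vendor: a pre-extraction audit that flags members using relative traversal or an NTFS stream separator. It assumes a ZIP container as a stand-in format, and the function names and sample member names are constructed for illustration.

```python
import io
import zipfile
from pathlib import PureWindowsPath


def member_problems(name: str) -> list[str]:
    """Return the reasons a member name is unsafe to extract (empty list = ok)."""
    # Parse with Windows rules so both '/' and '\\' count as separators.
    path = PureWindowsPath(name.replace("/", "\\"))
    problems = []
    if path.anchor:
        problems.append("absolute path or drive/UNC prefix")
    if ".." in path.parts:
        problems.append("parent-directory component")
    # A colon outside the drive prefix addresses an NTFS alternate data stream.
    if any(":" in part for part in path.parts if part != path.anchor):
        problems.append("NTFS stream separator")
    return problems


def audit_zip(data: bytes) -> dict[str, list[str]]:
    """Map each unsafe member name in a ZIP archive to its list of problems."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {n: p for n in zf.namelist() if (p := member_problems(n))}


# Constructed sample member names (not taken from any real archive).
SAMPLE_NAMES = [
    "reports/q1.txt",                # clean
    "../../outside.txt",             # relative traversal
    "reports\\..\\..\\outside.txt",  # traversal with backslash separators
    "reports/q1.txt:extra",          # stream separator in the file name
    "/abs/file.txt",                 # absolute path
]


def build_sample() -> bytes:
    """Build an in-memory ZIP holding the constructed member names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in SAMPLE_NAMES:
            zf.writestr(name, b"constructed")
    return buf.getvalue()


if __name__ == "__main__":
    for name, problems in audit_zip(build_sample()).items():
        print(f"REJECT {name!r}: {', '.join(problems)}")
```

A gateway or mail filter can run a check like this before any extractor touches the archive, so the decision does not depend on the patch level of the endpoint's archiver.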

"The persistence of these legacy vulnerabilities underscores the challenge of patch management at scale," commented John Reyes, threat intelligence analyst at SecurIT Group. "Attackers know that many organizations are slow to update, so they continue to rely on proven exploits."

Newcomers in Q1 2026 include exploits targeting Microsoft Office platform components and Windows OS internals. These are expected to become prominent in the next quarter as exploit kits integrate them.

Background

Exploit kits have evolved over the past decade from simple drive-by download tools to complex, modular platforms that can chain together multiple vulnerabilities. The first quarter of 2026 continues this evolution, with attackers leveraging both old and new CVEs to maximize infection rates.

Historically, exploit kits have targeted unpatched software, especially Microsoft Office and Internet Explorer. The shift toward including Linux exploits is notable, reflecting the expansion of Linux in server and cloud environments.

What This Means

Organizations must prioritize patching critical vulnerabilities, particularly those in widespread tools like Microsoft Office and Windows. The rise of AI-driven vulnerability discovery suggests that the pace of new CVEs will only accelerate, making automated patch management and vulnerability scanning essential.

For security teams, the data indicates that focusing on the most exploited veteran vulnerabilities can yield immediate risk reduction, while preparing to address emerging exploits from Q1 2026 will be crucial for future defenses. Continuous monitoring and threat intelligence sharing are key to staying ahead of exploit kit developers.
