Q1 2026 Sees Surge in Exploit Kits Targeting Office, Windows, and Linux

Breaking News: Threat actors have significantly expanded their exploit kits in the first quarter of 2026, adding new remote code execution (RCE) exploits for Microsoft Office, Windows, and Linux platforms, according to a new report from cybersecurity analysts. The findings underscore a relentless escalation in the sophistication and breadth of cyberattacks.

"The integration of these exploits into attack frameworks is particularly concerning because it lowers the barrier for novice attackers to launch highly effective campaigns," said Dr. Elena Voss, a senior threat intelligence analyst at CyberShield Labs. "We’re seeing a shift from targeting single vulnerabilities to leveraging an entire ecosystem of exploits."

Vulnerability Statistics on the Rise

The total number of registered CVEs continues to climb, with over 4,200 new vulnerabilities recorded in Q1 2026 alone. This marks a 12% increase compared to the same period last year. Researchers attribute part of this growth to the use of AI agents by security firms to automatically discover and report bugs.

Critical vulnerabilities (CVSS score > 8.9) saw a slight dip from the previous quarter, but the overall trend remains upward. Experts point to high-profile issues like React2Shell and the emergence of exploit frameworks for mobile platforms as key drivers.

Old Exploits Still Dominate

Despite new additions, veteran vulnerabilities continue to account for the majority of detection events. The top six exploited vulnerabilities include:

• CVE-2018-0802 – An RCE in the Equation Editor component of Microsoft Office.
• CVE-2017-11882 – Another Equation Editor RCE vulnerability.
• CVE-2017-0199 – A critical flaw in Microsoft Office and WordPad.
• CVE-2023-38831 – A flaw in improper handling of objects within archives.
• CVE-2025-6218 – A relative path traversal issue enabling arbitrary file extraction.
• CVE-2025-8088 – A directory traversal bypass via NTFS Streams.

“Attackers are sticking with what works,” noted James Carter, CTO of VulnGuard. “These older CVEs remain unpatched on many systems, making them a reliable foothold.”

Background

The explosion in vulnerability disclosures is partly driven by AI-powered scanning tools that can identify security holes faster than ever before. Since early 2025, the number of monthly published CVEs has consistently exceeded 3,500, with Q1 2026 reaching new peaks. However, the vast majority of breaches still exploit known vulnerabilities that have available patches—a gap in patch management that attackers eagerly exploit.

Meanwhile, popular command-and-control (C2) frameworks are being updated with new integration modules for these exploits, making it easier for botnets and ransomware groups to target both Windows and Linux environments.

What This Means

For security teams, the takeaway is clear: prioritize patching of legacy Office vulnerabilities and deploy detection rules for archive-based attacks. The growing use of AI in vulnerability discovery will likely accelerate the pace of disclosures, requiring automated patch management solutions. Additionally, the rise of mobile platform exploit frameworks signals a need for stronger mobile device management policies.

“Organizations can no longer rely on manual triage,” Dr. Voss emphasized. “Automation and continuous monitoring are no longer optional—they’re survival tools.”

As Q2 2026 progresses, analysts will watch closely whether the current trend stabilizes or escalates further. If the pattern from last year holds, the second quarter may bring a temporary decline in critical vulnerabilities as researchers shift focus to remediation. But the overall trajectory remains upward.