Don't Take Wednesday Off When You Manage Vulnerabilities
We analyzed ~355,000 published CVEs and the entirety of CISA's KEV (Known Exploited Vulnerabilities) catalog. The data has a very firm opinion on when you absolutely should not be sipping something cold on a beach: midweek. Everyone knows to fear Patch Tuesday, but the quieter day right after is the most critical one: Wednesday. Take those two days off, and you'll have a backlog to sort through when you get back, and possibly an emergency to handle.
Tuesday looks like the busiest day
When you rank the days of the week by raw CVE volume, Tuesday comes out clearly on top:
| Day | Share of all CVEs |
|---|---|
| Tuesday | 20.9% |
| Wednesday | 20.7% |
| Thursday | 18.8% |
| Friday | 17.1% |
| Monday | 15.2% |
| Saturday | 3.8% |
| Sunday | 3.4% |
Case closed, right? Tuesday wins, the Patch Tuesday effect is real, plan accordingly, done.
Except that Tuesday's razor-thin lead is hiding something. A single Tuesday blows up the counters and drags the whole day's average upward. The others? Perfectly ordinary.
| Tuesday of the month | CVEs published / day (avg.) |
|---|---|
| 1st | 58 |
| 2nd (Patch Tuesday) | 99 |
| 3rd | 59 |
| 4th | 55 |
| 5th | 53 |
A normal Tuesday publishes ~55 CVEs, fewer than a Thursday, barely more than a Monday. The second Tuesday publishes nearly double. That recurring spike is the one and only reason Tuesday tops the ranking. Remove it, and Tuesday becomes an ordinary day.
So if Tuesday's ranking is misleading, which day is truly the busiest?
Wednesday is the most active
Remove the Patch Tuesday spike and the busiest day of the week for vulnerability disclosures changes!
| Day (Patch Tuesday excluded) | CVEs / day (avg.) |
|---|---|
| Wednesday | 65 |
| Thursday | 60 |
| Tuesday | 57 |
| Friday | 55 |
| Monday | 53 |
Wednesday wins. The true weekly rhythm of disclosure is a midweek bump that peaks on Wednesday, then declines toward Friday and collapses over the weekend.
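To reproduce this ranking on your own CVE feed, the sketch below is an added example, not code from the original analysis. It assumes a hypothetical `daily_counts` mapping of publication date to CVE count, and the June 2025 sample it builds is constructed, not NVD data.

```python
import math
from collections import defaultdict
from datetime import date, timedelta

DAYS = ["Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday", "Sunday"]

def is_patch_tuesday(d):
    """Second Tuesday of the calendar month: Tuesday and ceil(day / 7) == 2."""
    return d.weekday() == 1 and math.ceil(d.day / 7) == 2

def weekday_averages(daily_counts, start, end, exclude_patch_tuesday=True):
    """Average CVEs per calendar day for each weekday in [start, end].

    Days missing from daily_counts count as zero, so the divisor is how many
    times each weekday occurs in the span, not how many of them had CVEs.
    """
    totals, occurrences = defaultdict(int), defaultdict(int)
    d = start
    while d <= end:
        if not (exclude_patch_tuesday and is_patch_tuesday(d)):
            totals[DAYS[d.weekday()]] += daily_counts.get(d, 0)
            occurrences[DAYS[d.weekday()]] += 1
        d += timedelta(days=1)
    return {day: totals[day] / occurrences[day] for day in occurrences}

def build_sample():
    """Constructed counts for June 2025 (not real NVD data)."""
    typical = [53, 57, 65, 60, 55, 10, 9]  # Monday..Sunday, made-up values
    counts = {}
    d = date(2025, 6, 1)
    while d.month == 6:
        counts[d] = typical[d.weekday()]
        d += timedelta(days=1)
    counts[date(2025, 6, 10)] = 99  # made-up Patch Tuesday spike
    return counts

def busiest(averages):
    """Weekday with the highest average."""
    return max(averages, key=averages.get)

if __name__ == "__main__":
    counts, span = build_sample(), (date(2025, 6, 1), date(2025, 6, 30))
    raw = weekday_averages(counts, *span, exclude_patch_tuesday=False)
    adjusted = weekday_averages(counts, *span)
    print("raw:", busiest(raw), raw["Tuesday"])
    print("Patch Tuesday excluded:", busiest(adjusted), adjusted["Tuesday"])
```
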
Another interesting stat: Tuesday only became the #1 day by raw volume in 2023. For a long time, the busiest day was Wednesday. Tuesday only took the crown recently, carried by an ever-larger Patch Tuesday spike. Thanks, Microsoft!
The vulnerabilities that really hurt also land on Wednesday
Exploited vulnerabilities are, in the end, the ones that matter most. So we ran the same analysis on CISA's KEV catalog, the ~1,600 CVEs confirmed as exploited in the wild.
Look at the day CISA adds a vulnerability to the KEV, the moment a vulnerability officially becomes exploited by attackers:
| Day added to KEV by CISA | Share |
|---|---|
| Wednesday | 31.7% |
| Thursday | 19.7% |
| Monday | 18.9% |
| Tuesday | 18.1% |
| Friday | 11.6% |
| Saturday | 0% |
| Sunday | 0.1% |
Wednesday, again. And by a wide margin. CISA runs on an administrative business-day calendar, which is why the catalog records almost zero vulnerabilities on weekends. The only exception in over three years: CVE-2025-53770, a critical SharePoint flaw exploited en masse, added on a Sunday because it couldn't wait for Monday (it did hurt, indeed).
This is what matters. Your week has a two-beat rhythm: on Tuesday, you read about the problem; on Wednesday, it's in your queue. Tuesday's disclosures have to be triaged on Wednesday. CISA's "exploited in the wild" verdicts land on Wednesday. The natural disclosure peak is Wednesday. Everyone braces for Tuesday, charges in head-down, survives the fireworks. And the real, lasting load arrives the next morning, when half the team has already mentally checked out.
And the worst week of the month? The second.
The rhythm doesn't only play out at the scale of the day, it shows up across the month too. Group CVEs by week of the month and one week stands out clearly:
| Week of the month | CVEs / day (avg.) |
|---|---|
| 1st (days 1–7) | 48.5 |
| 2nd (days 8–14) | 60.7 |
| 3rd (days 15–21) | 52.7 |
| 4th (days 22–28) | 46.8 |
| 5th (days 29–31) | 42.5 |
The second week, the one that contains Patch Tuesday, is the busiest: about 25% above the first and 30% above the fourth. And it's not just a Tuesday thing. Compared to the same day in other weeks, Patch Tuesday's Wednesday and Thursday are inflated too (+15% and +29%), while Monday and Friday don't budge. The reason: many vendors line up their disclosure with Patch Tuesday week, with Microsoft on Tuesday and Adobe, SAP, Siemens and others right behind, which spreads the publication wave from Tuesday to Thursday.
In other words, the danger zone isn't a date, it's a window: from the second Tuesday to the Thursday of the month. That's exactly when you shouldn't go on vacation.
And the busiest month? December
Group CVEs by month and one month stands out clearly:
| Month | CVEs / month (avg.) | CVEs / day (avg.) |
|---|---|---|
| January | 2,481 | 82.3 |
| February | 2,163 | 78.0 |
| March | 2,482 | 81.6 |
| April | 2,566 | 87.2 |
| May | 2,597 | 89.6 |
| June | 2,377 | 81.6 |
| July | 2,333 | 78.1 |
| August | 2,449 | 82.0 |
| September | 2,453 | 85.4 |
| October | 2,527 | 88.4 |
| November | 2,378 | 82.4 |
| December | 2,932 | 97.3 |
Against all odds, December takes the crown: ~97 CVEs/day, about 18% above the annual average. With Christmas in the middle? That's precisely the year-end rush: vendors and CNAs clear their backlog before closing. Christmas magic, CVE edition. At the other end, the quietest months are February and July (~78/day).
CVE publication is still tied to the United States
If the weekly rhythm follows the calendar, the annual rhythm tells you who the sources are (in case there was still any doubt). To measure each holiday, we compared it to the same weekday of the same year (a holiday falling on a Monday in 2023 is judged against the other Mondays of 2023), so that the runaway growth in CVEs year over year wouldn't skew the picture. We took the median across years (so an outlier day wouldn't distort everything) and counted only the years where the holiday fell on a business day, where there was room to drop.
The proof comes down to a single type of holiday: the ones only the United States observes. Well, that's no surprise either. With 276 CNAs, the United States is #1 in the CVE ecosystem.
| US-only holiday | Always falls on a | Volume vs. a normal same day |
|---|---|---|
| Thanksgiving | Thursday | 25% |
| Memorial Day | Monday | 31% |
| Independence Day (July 4th) | (varies) | 43% |
Thanksgiving is significant. Almost no one celebrates it outside the United States. It always falls on a Thursday, normally one of the busiest days of the week, and yet CVE publication drops to a quarter of normal. The rest of the planet works an ordinary Thursday.
A little curiosity: July 4th is the most fickle holiday of the lot. Most years it collapses as expected, except in 2025 when 188 CVEs were stamped on that holiday Friday, more than double a normal Friday. Yet the whole surrounding week was slow: a publication backlog clearly spilled out all at once on the day itself. That's exactly why we reason in medians and not averages, otherwise that single July 4th would push the figure from 43% up to 74%.
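The holiday measurement described above (same weekday of the same year, business-day years only, median across years) can be sketched as follows. This is an added example, not the original analysis code: the function names are hypothetical, and the sample counts are constructed except for the 188 CVEs the article reports for July 4th, 2025.

```python
from datetime import date, timedelta
from statistics import mean, median

def same_weekday_ratio(daily_counts, holiday):
    """Holiday volume / mean volume of the other same-weekday days of that year.

    Returns None when the holiday falls on a weekend, where there is no
    business-day volume to lose.
    """
    if holiday.weekday() >= 5:
        return None
    d = date(holiday.year, 1, 1)
    d += timedelta(days=(holiday.weekday() - d.weekday()) % 7)  # first peer day
    peers = []
    while d.year == holiday.year:
        if d != holiday:
            peers.append(daily_counts.get(d, 0))
        d += timedelta(days=7)
    return daily_counts.get(holiday, 0) / mean(peers)

def holiday_summary(daily_counts, holidays):
    """Median and mean of the per-year ratios, business-day years only."""
    ratios = [r for h in holidays
              if (r := same_weekday_ratio(daily_counts, h)) is not None]
    return {"years_used": len(ratios), "median": median(ratios), "mean": mean(ratios)}

def build_sample():
    """Constructed data: flat per-day baseline per year, July 4th overridden.

    Only the 188 for 2025 comes from the article; every other number is made up.
    """
    per_year = {2019: (50, 20), 2020: (55, 6), 2021: (58, 5), 2022: (60, 24),
                2023: (70, 35), 2024: (80, 24), 2025: (90, 188)}
    counts, holidays = {}, []
    for year, (baseline, on_holiday) in per_year.items():
        d = date(year, 1, 1)
        while d.year == year:
            counts[d] = baseline
            d += timedelta(days=1)
        counts[date(year, 7, 4)] = on_holiday
        holidays.append(date(year, 7, 4))
    return counts, holidays

if __name__ == "__main__":
    # 2020 and 2021 fall on a weekend and are skipped; the 2025 batch day
    # moves the mean but not the median.
    print(holiday_summary(*build_sample()))
```
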
The holidays everyone takes also drop, but they prove nothing about the United States:
| Globally shared holiday | Volume vs. a normal same day |
|---|---|
| New Year's Day (January 1st) | 12% |
| Christmas | 19% |
Christmas and New Year's Day collapse even harder. That shows it's still humans driving disclosure. The day these numbers start going up, it'll mean AI has taken over!
One last clue, this one monthly. Europe empties out in August: if the CVE flow were driven from the Old Continent, August should collapse. Yet it doesn't flinch (82 CVEs/day), it's right on the annual average. A single American holiday (Thanksgiving) makes worldwide output drop to 25%, but the entire European vacation month leaves no trace at all. It's hard to be clearer about where the flow comes from.
The conclusion is hard to avoid: the global flow of vulnerability disclosure runs on the rhythm of the American business calendar. It climbs midweek and dies on the weekend. And it goes dark precisely on the days America is off. The same human rhythm that makes Wednesday the real peak is the one that makes Thanksgiving disappear.
When should you actually take your vacation
Enough with the stats. Pull out your time-off calendar, here's the playbook!
- To avoid: from the second Tuesday to the Thursday of the month. Tuesday (Patch Tuesday) triggers the wave, Wednesday is the real peak with raw disclosure and KEV additions, and the tail runs through Thursday. If you could only block out three days a month, these are the ones. Wednesday, in particular, is your absolute no-vacation day.
- To favor: the last week of the month and weekends. The 4th/5th week days are the quietest, and on weekends vendors and CISA both go dark. Looking for a real break? Aim for end of month and the months of February and July.
- The bonus: American holidays. A Thanksgiving, a Memorial Day or a July 4th, and the global CVE flow drops to a quarter of normal. Even without taking time off, the ecosystem hands you the pause.
Of course this is all tongue-in-cheek and you can take more than 3 days off. Just line up someone to cover for you!

Methodology
- Scope: ~355,000 CVEs with a recorded publication date, and the entirety of CISA's KEV catalog (1,611 entries, launched in November 2021).
- Timing: the day of the week is computed from the CVE's publication date; KEV timing relies on CISA's "date added" field.
- Patch Tuesday: defined as the second Tuesday of the calendar month (ceil(day_of_month / 7) = 2).
- Daily figures: averages that account for the varying count of each weekday in the dataset, so a monthly spike can't pass itself off as a daily norm.
- Holidays: full calendar years 2019–2025. Each occurrence is compared to the average of the same weekday of the same year (Thanksgiving against the other Thursdays of the year, Memorial Day against Mondays, etc.), year-for-year to neutralize the roughly 2× growth in volume over the period.
- Median rather than mean: we report the median of the ratios across years, robust to one-off batch publications (July 4th, 2025, for example, saw an abnormal backlog of 188 CVEs stamped on that holiday).
- Business days only: only the years where a holiday fell on a business day are counted (5 to 7 per holiday), so a holiday falling on a weekend isn't credited with an artificial "drop."
- Sources: the public NVD/CVE registry and CISA's Known Exploited Vulnerabilities catalog. No vendor data or proprietary scores were used. These figures remain indicative.