In order to reflect the dynamic change of vulnerability security risk over time in an information system,this paper developed a life cycle stochastic model based on the absorbing Markov.The prior historical vulnerability information is used as the input.Then the state transition probability matrix of vulnerability life cycle is constructed.Specifically,the state evolution process is simulated in the dimension of time using matrix deduction.Meanwhile,the common vulnerability scoring system (CVSS) is utilized to measure the threat impact of vulnerabilities in the network system.Furthermore,a quantitative risk method to measure security vulnerability in terms of time dimension is provided to analyze some probability evolution rules with respect to the states of vulnerability life cycle.Finally,the exploits by the ransomware "WannaCry" in a typical APT attack scenario are taken as an example to verify the rationality and validity of the presented model and method.