Would-be attackers spent 2025 swimming in a sea of more than 40,000 newly published vulnerabilities, VulnCheck said in a
report released Wednesday, but only 1% of those defects, just 422, were exploited in the wild.
As the deluge of vulnerabilities grows every year, and CVSS ratings lose significance for vulnerability management prioritization, some defenders are turning to research on known exploited vulnerabilities to narrow their scope of work and place more emphasis on verified risks.
“The growth in CVE volume is ludicrous, not necessarily unfounded, but it’s large. Defenders don’t know what to pay attention to,” Caitlin Condon, vice president of security research at VulnCheck, told CyberScoop. “Prioritization is still a huge problem.”
Too many defenders and researchers are paying attention to defects and unsubstantiated exploit concepts that aren’t worth their time, Condon added. “The indicators of risk that used to be semi reliable, now no longer are.”
The technologies exploited by attackers are developed and sold by many repeat offenders. Some of the vendors on VulnCheck’s list of the most routinely targeted vulnerabilities enjoy large market shares.
Other vendors, especially those in network edge device space, have been inundated with malicious activity for years and remain the preferred intrusion point for all attacks.
Network edge devices were responsible for 191 of the 672 products impacted by new known exploited vulnerabilities last year, representing 28% of the top targeted technologies in 2025, according to VulnCheck.
“Anything that’s in that position of being at the network edge, guarding access to corporate networks, often in a privileged place for secure communication,” is naturally a large target, Condon said.
This problem is exacerbated by the fact many network devices are running on code bases that haven’t been radically changed in about a decade. Meanwhile, attackers have copies of that software and use fully automated analysis pipelines to quickly identify new vulnerabilities.
“Threat actors are much more organized presently than we all collectively are on defense,” Condon said. Defenders have to assume there’s going to be a new zero-day in any network edge device at any time, and patches will be reversed for exploit development in short order, she added.
Each of the
top 50 vulnerabilities VulnCheck flagged in its report were exploited in the wild last year with at least 20 working public exploits, attacks originating from at least two state-sponsored or cybercrime threat groups. The top exploited vulnerabilities were also linked to least one ransomware variant and appeared in at least two instances of known botnet activity.
Four of the 10 most routinely targeted vulnerabilities last year —
CVE-2025-53770 and
CVE-2025-53771, which are variants of previously disclosed vulnerabilities
CVE-2025-49706 and
CVE-2025-49704 — were contained in Microsoft SharePoint. All four of the zero-day vulnerabilities were
exploited en masse and initially
compromised more than 400 organizations, including the Departments of Energy, Homeland Security and Health and Human Services.
cyberscoop.com
