Vulnerabilities
We've curated 267 cybersecurity statistics about Vulnerabilities to help you understand how software weaknesses and system flaws are being exploited by cybercriminals in 2025. This insight can guide you in fortifying your defenses effectively.
40,704 new vulnerabilities were disclosed in 2024.
There was a 75% increase in actively exploited flaws compared to the same period in 2024, with 12,333 vulnerabilities reported in Q1 alone.
Since 2023, network infrastructure, especially routers, has continued to outpace endpoints as the riskiest IT devices.
Routers account for over 50% of devices with the most dangerous vulnerabilities.
A significant portion of vulnerabilities were weaponized within days of disclosure.
Over 4,400 of the disclosed CVEs in 2024 were classified as critical (CVSS 9.0+).
Over 40,000 CVEs were disclosed in 2024.
There was a 38% year-over-year increase in published CVEs.
Over 20,000 of the disclosed CVEs in 2024 had a CVSS score of 7.0 or higher.
Many of 2024's most exploited vulnerabilities were found in widely used third-party software rather than internally developed applications.
Nearly three out of every five assets in healthcare environments have a critical vulnerability finding.
8% of imaging systems (X-rays, CT scans, MRI, ultrasound, and more) have KEVs linked to ransomware and insecure internet connectivity, making this the riskiest medical device category and impacting 85% of organisations.
1% of IoMT devices carry KEVs linked to active ransomware campaigns and insecure internet connectivity, impacting 89% of organisations.
9% of IoMT devices contain confirmed KEVs in their systems, impacting 99% of organisations.
Despite 98% of organisations using vulnerability scanning, only 34% find it highly effective due to false positives.
Over half of practitioners (53%) and more than a third of security leaders (36%) admit to delaying patches due to operational constraints.
20% of HIS (hospital information systems), which manage clinical patient data, as well as administrative and financial information, have KEVs linked to ransomware and insecure internet connectivity, impacting 58% of organisations.
NodeZero exploited 229 known vulnerabilities nearly 100,000 times in customer environments, demonstrating that many organizations struggle to remediate even widely recognized threats.
89% of healthcare organisations have the top 1% of riskiest IoMT devices on their networks, which contain known exploitable vulnerabilities (KEVs) linked to active ransomware campaigns and an insecure connection to the internet.
At Pwn2Own Automotive 2025, 49 unique zero-day vulnerabilities were discovered, primarily across in-vehicle infotainment (IVI) and EV-charging systems. The event took place January 22-24, 2025, in Tokyo and involved top-tier security researchers from 13 countries.