Vulnerabilities
We've curated 267 cybersecurity statistics about Vulnerabilities to help you understand how software weaknesses and system flaws are being exploited by cybercriminals in 2025. This insight can guide you in fortifying your defenses effectively.
There was a 75% increase in actively exploited flaws compared to the same period in 2024, with 12,333 vulnerabilities reported in Q1 alone.
40,704 new vulnerabilities were disclosed in 2024.
Since 2023, network infrastructure, especially routers, has continued to outpace endpoints as the riskiest IT devices.
Routers account for over 50% of devices with the most dangerous vulnerabilities.
Over 4,400 of the disclosed CVEs in 2024 were classified as critical (CVSS 9.0+).
Over 20,000 of the disclosed CVEs in 2024 had a CVSS score of 7.0 or higher.
There was a 38% year-over-year increase in published CVEs.
Over 40,000 CVEs were disclosed in 2024.
A significant portion of vulnerabilities were weaponized within days of disclosure.
Many of 2024's most exploited vulnerabilities were found in widely used third-party software rather than internally developed applications.
Nearly three out of every five assets in healthcare environments have a critical vulnerability finding.
NodeZero exploited 229 known vulnerabilities nearly 100,000 times in customer environments, demonstrating that many organizations struggle to remediate even widely recognized threats.
Despite 98% of organisations using vulnerability scanning, only 34% find it highly effective due to false positives.
Over half of practitioners (53%) and more than a third of security leaders (36%) admit to delaying patches due to operational constraints.
9% of IoMT devices contain confirmed KEVs in their systems, impacting 99% of organisations.
89% of healthcare organisations have the top 1% of riskiest IoMT devices on their networks, which contain known exploitable vulnerabilities (KEVs) linked to active ransomware campaigns and an insecure connection to the internet.
1% of IoMT devices carry KEVs linked to active ransomware campaigns and insecure internet connectivity, impacting 89% of organisations.
8% of imaging systems (X-rays, CT scans, MRI, ultrasound, and more) have KEVs linked to ransomware and insecure internet connectivity, making this the riskiest medical device category and impacting 85% of organisations.
20% of HIS (hospital information systems), which manage clinical patient data, as well as administrative and financial information, have KEVs linked to ransomware and insecure internet connectivity, impacting 58% of organisations.
The total count of automotive-related vulnerabilities (“CVEs”) published in 2024 reached 530, representing another annual gain and nearly twice as many as the 2019 count.