Vulnerabilities
We've curated 267 cybersecurity statistics about Vulnerabilities to help you understand how software weaknesses and system flaws are being exploited by cybercriminals in 2025. This insight can guide you in fortifying your defenses effectively.
The volume of disclosed vulnerabilities is up by a staggering 246% since February 2025.
26.9% of KEVs first seen in 1H-2025 were still awaiting analysis by NIST.
The top five categories for KEVs in 1H-2025 are: Content Management Systems (CMS): 86 KEVs, with a significant volume attributed to WordPress Plug-ins; Network Edge Devices: 77 KEVs; Server Software: 61 KEVs; Open Source Software: 55 KEVs; and Operating Systems: 38 KEVs.
Vendors with Highest Number of KEVs in 1H-2025: Microsoft: 32 KEVs, with 26 of these being for Windows; Cisco: 10 KEVs; Apple OS: 6 KEVs; Totolink Networking Devices: 6 KEVs; and VMware: 6 KEVs.
In 2H-2024, 44 KEVs were attributed to the North Korean cyber group Silent Chollima.
Reports of KEVs associated with China and North Korea decreased in 1H-2025, while reports associated with Russia and Iran increased.
In 2H-2024, 66 KEVs were attributed to the Chinese threat actor Flax Typhoon (AKA Ethereal Panda).
In 1H-2025, 29 KEVs were attributed to Iranian threat actors.
4.4% of KEVs are in a deferred status by NIST, meaning they are no longer maintained or updated.
32.1% of vulnerabilities (Known Exploited Vulnerabilities - KEVs) had exploitation evidence on or before the day of their CVE disclosure, often indicating zero-day exploitation. This marks an 8.5% increase in the percentage of KEVs exploited on or before disclosure compared to 23.6% in 2024.
Attackers exploit new application vulnerabilities in just 5 days.
The average application is exposed to 81 confirmed, viable attacks each month that evade other defences.
On average, applications contain 30 serious vulnerabilities.
Applications face an average of 17 new application vulnerabilities per month.
Developer teams remediate, on average, 6 application vulnerabilities per month.
It takes an average of 84 days to patch even the most critical flaws in applications.
The average application is targeted by attackers once every 3 minutes.
In one analysis, media had 21% of vulnerable assets across cloud, APIs, and web applications.
In one analysis, energy had 18% of vulnerable assets across cloud, APIs, and web applications.
13.6% of all analyzed cloud assets are vulnerable.