Vulnerabilities
We've curated 342 cybersecurity statistics about Vulnerabilities to help you understand how software weaknesses and system flaws are being exploited by cybercriminals in 2025. This insight can guide you in fortifying your defenses effectively.
26.9% of KEVs first seen in 1H-2025 were still awaiting analysis by NIST.
In 2H-2024, 66 KEVs were attributed to the Chinese threat actor Flax Typhoon (AKA Ethereal Panda).
4.4% of KEVs are in a deferred status by NIST, meaning they are no longer maintained or updated.
32.1% of Known Exploited Vulnerabilities (KEVs) had exploitation evidence on or before the day of their CVE disclosure, often indicating zero-day exploitation. This marks an 8.5% increase in the percentage of KEVs exploited on or before disclosure compared to 23.6% in 2024.
The top five categories for KEVs in 1H-2025 are: Content Management Systems (CMS): 86 KEVs, with a significant volume attributed to WordPress Plug-ins; Network Edge Devices: 77 KEVs; Server Software: 61 KEVs; Open Source Software: 55 KEVs; and Operating Systems: 38 KEVs.
Attackers exploit new application vulnerabilities in just 5 days.
Applications face an average of 17 new application vulnerabilities per month.
The average application is targeted by attackers once every 3 minutes.
On average, applications contain 30 serious vulnerabilities.
It takes an average of 84 days to patch even the most critical flaws in applications.
Developer teams remediate, on average, 6 application vulnerabilities per month.
The average application is exposed to 81 confirmed, viable attacks each month that evade other defences.
In one analysis, the government sector had 18.5% vulnerable APIs.
In one analysis, professional services had 28% of vulnerable assets across cloud, APIs, and web applications.
In one analysis, media had 21% of vulnerable assets across cloud, APIs, and web applications.
In one analysis, energy had 18% of vulnerable assets across cloud, APIs, and web applications.
13.6% of all analyzed cloud assets are vulnerable.
Top 5 industries by web‑app vulnerability: Education: 35.3%, Retail: 30.9%, Government: 30.4%, Professional Services: 30.1%, Media: 25.7%.
In one analysis, transport had 12% of vulnerable assets across cloud, APIs, and web applications.
In one analysis, the government sector had 30.4% vulnerable web applications.