VulnCheck

26.9% of KEVs first seen in 1H-2025 were still awaiting analysis by NIST.

The top five categories for KEVs in 1H-2025 are: Content Management Systems (CMS): 86 KEVs, with a significant volume attributed to WordPress Plug-ins; Network Edge Devices: 77 KEVs; Server Software: 61 KEVs; Open Source Software: 55 KEVs; and Operating Systems: 38 KEVs.

Vendors with Highest Number of KEVs in 1H-2025: Microsoft: 32 KEVs, with 26 of these being for Windows; Cisco: 10 KEVs; Apple OS: 6 KEVs; Totolink Networking Devices: 6 KEVs; and VMware: 6 KEVs.

In 2H-2024, 44 KEVs were attributed to the North Korean cyber group Silent Chollima.

Reports of KEVs associated with China and North Korea decreased in 1H-2025, while reports associated with Russia and Iran increased.

In 2H-2024, 66 KEVs were attributed to the Chinese threat actor Flax Typhoon (AKA Ethereal Panda).

In 1H-2025, 29 KEVs were attributed to Iranian threat actors.

The countries with the largest number of active threat actor groups are: China: 20 groups, Russia: 11 groups, North Korea: 9 groups, and Iran: 6 groups.

4.4% of KEVs are in a deferred status by NIST, meaning they are no longer maintained or updated

32.1% of vulnerabilities (Known Exploited Vulnerabilities - KEVs) had exploitation evidence on or before the day of their CVE disclosure, often indicating zero-day exploitation. This marks an 8.5% increase in the percentage of KEVs exploited on or before disclosure compared to 23.6% in 2024.

1% of the CVEs published were reported publicly as exploited in the wild.

768 CVEs were publicly reported as exploited in the wild in 2024, a 20% year-over-year increase.

There were over 100 unique sources that were the first to report a CVE.

23.6% of Known Exploited Vulnerabilities (KEVs) were known to be exploited on or before the day their CVEs were publicly disclosed.

Exploited CVEs ranged from 30-50 per month, with spikes during April/May due to increased reports during RSA and end-of-quarter reports.