Key Findings
In 2025, 36% of AI-related KEVs involved an API attack surface.
99% of API vulnerabilities are remotely exploitable.
In 2025, 17% of 67,058 published vulnerabilities (11,053 vulnerabilities) were API-related.
In 2025, 43% of CISA KEV additions were API-related, making APIs the single largest exploited surface in that dataset.
In 2025, 36% of AI-related vulnerabilities involved APIs (786 of 2,185 AI-related vulnerabilities).
In 2025, 14% of published AI vulnerabilities were MCP-related (315 MCP-related vulnerabilities).
97% of API vulnerabilities can be exploited with a single request.
MCP vulnerabilities grew 270% from Q2 to Q3 in 2025.
98% of API vulnerabilities are easy or trivial to exploit.
59% of API vulnerabilities require no authentication.
In 2025 breach data, AI platforms and tooling accounted for 15% of API-related breaches, tying software as the largest category in the dataset.