159 CVEs exploited in Q1 2025 — 28.3% within 24 Hours of Disclosure.
As many as 159 CVE identifiers have been flagged as exploited in the wild in the first quarter of 2025, up from 151 in Q4 2024. "We continue to see vulnerabilities being exploited at a fast pace with 28.3% of vulnerabilities being exploited within 1-day of their CVE disclosure," VulnCheck said.
![This translates to 45 security flaws that have been weaponized in real-world attacks within a day of disclosure. Fourteen other flaws have been exploited within a month, while another 45 flaws were abused within the span of a year.
The IT-security company VulnCheck said a majority of the exploited vulnerabilities have been identified in content management systems [CMSes], followed by network edge devices, operating systems, open-source software and server software.
The breakdown is as follows:
• Content Management Systems [CMS] (35)
• Network Edge Devices (29)
• Operating Systems (24)
• Open Source Software (14)
• Server Software (14)](https://nerdculture.de/system/media_attachments/files/114/613/682/698/969/812/original/15cb334906affac5.jpeg "This translates to 45 security flaws that have been weaponized in real-world attacks within a day of disclosure. Fourteen other flaws have been exploited within a month, while another 45 flaws were abused within the span of a year.
The IT-security company VulnCheck said a majority of the exploited vulnerabilities have been identified in content management systems [CMSes], followed by network edge devices, operating systems, open-source software and server software.
The breakdown is as follows:
• Content Management Systems [CMS] (35)
• Network Edge Devices (29)
• Operating Systems (24)
• Open Source Software (14)
• Server Software (14)")
![[ImageSource: VulnCheck]
The leading vendors and their products that were exploited during the time period are Microsoft Windows (15), Broadcom VMware (6), Cyber PowerPanel (5), Litespeed Technologies (4) and TOTOLINK Routers (4).
"On average, 11.4 KEVs were disclosed weekly, and 53 per month," VulnCheck said. "While CISA KEV added 80 vulnerabilities during the quarter, only 12 showed no prior public evidence of exploitation."
Of the 159 vulnerabilities, 25.8% have been found to be awaiting or undergoing analysis by the NIST National Vulnerability Database (NVD) and 3.1% have been assigned the new "Deferred" status.](https://nerdculture.de/system/media_attachments/files/114/613/689/347/931/234/original/4981ae91f83110e1.jpeg "[ImageSource: VulnCheck]
The leading vendors and their products that were exploited during the time period are Microsoft Windows (15), Broadcom VMware (6), Cyber PowerPanel (5), Litespeed Technologies (4) and TOTOLINK Routers (4).
\"On average, 11.4 KEVs were disclosed weekly, and 53 per month,\" VulnCheck said. \"While CISA KEV added 80 vulnerabilities during the quarter, only 12 showed no prior public evidence of exploitation.\"
Of the 159 vulnerabilities, 25.8% have been found to be awaiting or undergoing analysis by the NIST National Vulnerability Database (NVD) and 3.1% have been assigned the new \"Deferred\" status.")
![[ImageSource: VulnCheck]
According to Verizon's newly released Data Breach Investigations Report for 2025, exploitation of vulnerabilities as an initial access step for data breaches grew by 34%, accounting for 20% of all intrusions.
<https://www.verizon.com/about/news/2025-data-breach-investigations-report>
Data gathered by Google-owned Mandiant has also revealed that exploits were the most frequently observed initial infection vector for the fifth consecutive year, with stolen credentials overtaking phishing as the second most frequently observed initial access vector.
<https://services.google.com/fh/files/misc/m-trends-2025-en.pdf>
"For intrusions in which an initial infection vector was identified, 33% began with exploitation of a vulnerability," Mandiant said. "This is a decline from 2023, during which exploits represented the initial intrusion vector for 38% of intrusions, but nearly identical to the share of exploits in 2022, 32%."
⚠️That said, despite attacker’s efforts to evade detection, defenders are continuing to get better at identifying compromises. The global median dwell time, which refers to the number of days an attacker is on a system from compromise to detection, has been pegged at 11 days, an increase of one day from 2023.⚠️](https://nerdculture.de/system/media_attachments/files/114/613/689/766/988/430/original/d907eb56b29dd212.jpeg "[ImageSource: VulnCheck]
According to Verizon's newly released Data Breach Investigations Report for 2025, exploitation of vulnerabilities as an initial access step for data breaches grew by 34%, accounting for 20% of all intrusions.
<https://www.verizon.com/about/news/2025-data-breach-investigations-report>
Data gathered by Google-owned Mandiant has also revealed that exploits were the most frequently observed initial infection vector for the fifth consecutive year, with stolen credentials overtaking phishing as the second most frequently observed initial access vector.
<https://services.google.com/fh/files/misc/m-trends-2025-en.pdf>
\"For intrusions in which an initial infection vector was identified, 33% began with exploitation of a vulnerability,\" Mandiant said. \"This is a decline from 2023, during which exploits represented the initial intrusion vector for 38% of intrusions, but nearly identical to the share of exploits in 2022, 32%.\"
⚠️That said, despite attacker’s efforts to evade detection, defenders are continuing to get better at identifying compromises. The global median dwell time, which refers to the number of days an attacker is on a system from compromise to detection, has been pegged at 11 days, an increase of one day from 2023.⚠️")