VulnCheck spotted 159 actively exploited vulnerabilities in first few months of 2025
Attackers exploited nearly a third of vulnerabilities within a day of CVE disclosure in the first quarter of 2025, VulnCheck said in a report released Thursday. The company, which focuses on vulnerability threat intelligence, identified 159 actively exploited vulnerabilities from 50 sources during the quarter.
The time from CVE disclosure to evidence of exploitation in the first quarter was marginally faster than what VulnCheck observed during 2024, Patrick Garrity, security researcher at the company, said in the report. “This demonstrates the need for defenders to move fast on emerging threats while continuing to burn down their vulnerability debt,” Garrity wrote.
VulnCheck’s research reinforces multiple recent reports that warned about increased exploits in 2024. Mandiant said exploits were the most common initial infection vector last year, representing 1 of every 3 attacks. Verizon reported a 34% increase in exploited vulnerabilities, and IBM X-Force said exploitation of public-facing applications accounted for 30% of incident response cases last year.
Content management systems contained the largest share of new known exploited vulnerabilities in Q1, followed by network edge devices, operating systems, open-source software and server software, according to VulnCheck. Researchers noted that the top five categories associated with new actively exploited vulnerabilities are typically public-facing or accessible to end users.
The rankings underscore a worrying trend involving the persistent and successful targeting of network edge devices. Researchers have been consistent in warning defenders about ongoing and escalating impacts of actively exploited software defects in VPNs, firewalls and routers since 2024.
VulnCheck identified 29 new known exploited vulnerabilities in these devices and services in Q1.
Beyond the 48 vulnerabilities that were actively exploited within a day of CVE disclosure, VulnCheck identified 14 additional software defects exploited within 31 days of disclosure. Nearly two-thirds of all new known exploited vulnerabilities identified in the first quarter were exploited within a year of disclosure, according to VulnCheck.
“On average, 11.4 KEVs were disclosed weekly, and 53 per month,” the report said.
VulnCheck also named the top sources of exploitation evidence during the quarter. Shadowserver disclosed evidence of 31 actively exploited vulnerabilities, followed by GreyNoise at 17. The Cybersecurity and Infrastructure Security Agency added 12 software defects to its known exploited vulnerabilities catalog during the quarter.
The National Institute of Standards and Technology’s National Vulnerability Database analyzed nearly 43% of the 159 new actively exploited vulnerabilities identified during the quarter, while 25% are still waiting or undergoing analysis, according to VulnCheck.