In the first quarter of 2025, a total of 159 Common Vulnerabilities and Exposures (CVEs) were reported as actively exploited, showing an increase from 151 cases observed in the previous quarter.
Notably, 28.3% of these vulnerabilities were exploited within just one day of public disclosure, equating to 45 flaws weaponized immediately after they became known. An additional 14 vulnerabilities were exploited within a month, while another 45 were compromised within a year.
Analysis indicates that content management systems (CMS) were the most frequent targets, followed by network edge devices, operating systems, open-source software, and server software. The distribution is as follows:
-
Content Management Systems (35 vulnerabilities)
-
Network Edge Devices (29)
-
Operating Systems (24)
-
Open Source Software (14)
-
Server Software (14)
Prominent products impacted included Microsoft Windows (15 vulnerabilities), Broadcom VMware (6), Cyber PowerPanel (5), Litespeed Technologies (4), and TOTOLINK routers (4).
During this period, an average of 11.4 Known Exploited Vulnerabilities (KEVs) were reported each week, totaling 53 per month. Of the 159 vulnerabilities, 25.8% are still awaiting review or undergoing analysis by the National Vulnerability Database (NVD), with 3.1% categorized under a newly introduced “Deferred” status.
Recent research indicates a 34% rise in the use of vulnerability exploitation as an initial attack vector for data breaches, now accounting for 20% of all intrusion cases. Exploits remained the most common method for initial system compromise for the fifth year in a row, with credential theft overtaking phishing as the second most common entry point.
While exploitation rates remain high, organizations are improving their detection capabilities. The global median dwell time — the duration between initial compromise and detection — has been measured at 11 days, slightly higher than the previous year’s 10 days.
