As many as 159 CVE identifiers have been flagged as exploited in the wild in the first quarter of 2025, up from 151 in Q4 2024.
“We continue to see vulnerabilities being exploited at a fast pace
with 28.3% of vulnerabilities being exploited within 1-day of their CVE
disclosure,” VulnCheck said in a report shared with The Hacker News.
This translates to 45 security flaws that have been weaponized in
real-world attacks within a day of disclosure. Fourteen other flaws have
been exploited within a month, while another 45 flaws were abused
within the span of a year.
The cybersecurity company said a majority of the exploited
vulnerabilities have been identified in content management systems
(CMSes), followed by network edge devices, operating systems,
open-source software, and server software.
The breakdown is as follows –
- Content Management Systems (CMS) (35)
- Network Edge Devices (29)
- Operating Systems (24)
- Open Source Software (14)
- Server Software (14)
The leading vendors and their products that were exploited during the
time period are Microsoft Windows (15), Broadcom VMware (6), Cyber
PowerPanel (5), Litespeed Technologies (4), and TOTOLINK Routers (4).
“On average, 11.4 KEVs were disclosed weekly, and 53 per month,”
VulnCheck said. “While CISA KEV added 80 vulnerabilities during the
quarter, only 12 showed no prior public evidence of exploitation.”
Of the 159 vulnerabilities, 25.8% have been found to be awaiting or
undergoing analysis by the NIST National Vulnerability Database (NVD)
and 3.1% have been assigned the new “Deferred” status.
According to Verizon’s newly released Data Breach Investigations Report
for 2025, exploitation of vulnerabilities as an initial access step for
data breaches grew by 34%, accounting for 20% of all intrusions.
Data gathered by Google-owned Mandiant has also revealed that
exploits were the most frequently observed initial infection vector for
the fifth consecutive year, with stolen credentials overtaking phishing
as the second most frequently observed initial access vector.
“For intrusions in which an initial infection vector was identified, 33% began with exploitation of a vulnerability,” Mandiant said.
“This is a decline from 2023, during which exploits represented the
initial intrusion vector for 38% of intrusions, but nearly identical to
the share of exploits in 2022, 32%.”
That said, despite attackers’ efforts to evade detection, defenders are continuing to get better at identifying compromises.
The global median dwell time, which refers to the number of days an
attacker is on a system from compromise to detection, has been pegged at
11 days, an increase of one day from 2023.
REF:https://thehackernews.com/2025/04/159-cves-exploited-in-q1-2025-283.html