The first quarter of 2025 has witnessed a significant acceleration in the exploitation of software vulnerabilities, with VulnCheck identifying public evidence of exploitation for 159 unique Common Vulnerabilities and Exposures (CVEs) for the first time.
The findings underscore an alarming trend: nearly 28.3% of these Known Exploited Vulnerabilities (KEVs) had evidence of exploitation disclosed within just one day of their CVE publication.
Such a rapid attack window highlights the evolving agility of threat actors and puts increased pressure on defenders to respond swiftly to newly emerging threats, further emphasizing the importance of patch management and vulnerability monitoring programs.
Diverse Categories, Leading Vendors, and Accelerated Disclosure Timelines
The vulnerabilities exploited in the wild during Q1 2025 spanned a broad range of product categories, with Content Management Systems (CMS) emerging as the most frequently targeted, accounting for 35 exploited CVEs.
Network edge devices, operating systems, open source software, and server software followed closely, collectively comprising the majority of newly exploited flaws.
This shift towards back-end and infrastructure components, rather than the desktop applications and browsers that historically dominated, may indicate changing attacker priorities toward more impactful, internet-facing targets.
Key vendors and products affected during the quarter included Microsoft Windows, Broadcom VMware, Cyber PowerPanel, LiteSpeed Technologies, and Totolink routers.

These platforms, widely deployed and often exposed to the internet, present lucrative targets for attackers seeking to gain footholds, conduct lateral movement, or launch broader attacks.
The pace of public disclosure and exploitation is noteworthy: on average, 11.4 KEVs were newly reported as exploited each week, with 53 per month.
The quarter began slowly, likely due to seasonal factors, but saw a surge in reported exploitation towards the latter half.
Notably, 25.8% of KEVs were still awaiting or undergoing analysis by the National Institute of Standards and Technology’s National Vulnerability Database (NIST NVD) at the time of reporting, while 3.1% had received the new “Deferred” status, reflecting ongoing backlogs and process changes within the NVD.
Disparate Sources and Implications for Threat Intelligence
Evidence of exploitation was sourced from 50 distinct organizations, revealing a long-tail distribution that offers defenders valuable insight into both the diversity and the collaborative nature of the threat intelligence community.
The most prominent contributors included Shadowserver, GreyNoise, CISA KEV, Microsoft, SentinelOne, Cyble, and Patchstack, among others.
Each played a pivotal role in bringing emerging exploitation activity to public attention, though the volume and timing of reports varied considerably by source.
For comparison, Q4 2024 saw a slightly higher total of 190 exploitation disclosures tied to CVEs.
However, that number was inflated by the formal assignment of CVEs to 39 older WordPress vulnerabilities with already well-known exploitation histories.
Adjusting for these retroactive disclosures, Q4’s actual new exploitation tally was 151, indicating a steady or slightly increasing tempo of attacker activity into 2025.
A critical finding from VulnCheck’s analysis is the inadequacy of prevalent vulnerability scoring systems, specifically CVSS (Common Vulnerability Scoring System) and EPSS (Exploit Prediction Scoring System), for the early identification of real-world threats.
The data showed that few KEVs had elevated EPSS scores on the day exploitation evidence became public, despite active in-the-wild exploitation.
This lag strongly suggests that EPSS currently functions more as a trailing indicator, providing little predictive value for emerging, fast-moving threats.
Organizations are cautioned against over-reliance on automated scoring tools for rapid response decisions, and instead should prioritize direct threat intelligence, collaborative information sharing, and proactive patching strategies to stay ahead of attackers.
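The triage gap described above can be shown with a short script. This is an added example, not code from VulnCheck or from the original article: the records, the placeholder CVE names, and the EPSS/CVSS thresholds are constructed assumptions. It compares a score-only gate with a ranking that puts exploitation evidence first.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Vuln:
    cve: str                      # constructed placeholder, not a real CVE ID
    published: date               # CVE publication date
    exploited_on: Optional[date]  # first public exploitation evidence, if any
    epss: float                   # EPSS score on the day evidence appeared
    cvss: Optional[float]         # None while NVD analysis is pending
    nvd_status: str

# Constructed sample backlog
SAMPLE = [
    Vuln("CVE-EXAMPLE-A", date(2025, 2, 10), date(2025, 2, 10), 0.004, None, "Awaiting Analysis"),
    Vuln("CVE-EXAMPLE-B", date(2025, 1, 5), date(2025, 1, 20), 0.02, 6.5, "Analyzed"),
    Vuln("CVE-EXAMPLE-C", date(2025, 3, 1), None, 0.35, 9.8, "Analyzed"),
    Vuln("CVE-EXAMPLE-D", date(2025, 3, 3), date(2025, 3, 4), 0.60, 8.1, "Analyzed"),
    Vuln("CVE-EXAMPLE-E", date(2024, 11, 1), None, 0.01, 5.0, "Deferred"),
]

def score_gate(v, epss_min=0.1, cvss_min=7.0):
    """Score-only triage (assumed thresholds): urgent only if a score is high."""
    return v.epss >= epss_min or (v.cvss is not None and v.cvss >= cvss_min)

def missed_by_scores(vulns):
    """Exploited CVEs that score-only triage would not mark urgent."""
    return [v.cve for v in vulns if v.exploited_on and not score_gate(v)]

def share_within_one_day(vulns):
    """Fraction of exploited CVEs with evidence within a day of publication."""
    kev = [v for v in vulns if v.exploited_on]
    fast = [v for v in kev if (v.exploited_on - v.published).days <= 1]
    return len(fast) / len(kev) if kev else 0.0

def evidence_first(vulns):
    """Rank exploitation evidence ahead of any score; an unscored CVE is
    treated as worst case (assumption) so an NVD backlog cannot bury it."""
    def key(v):
        cvss = v.cvss if v.cvss is not None else 10.0
        return (v.exploited_on is None, -cvss, -v.epss)
    return [v.cve for v in sorted(vulns, key=key)]

if __name__ == "__main__":
    print("missed by score gate:", missed_by_scores(SAMPLE))
    print("exploited within one day:", round(share_within_one_day(SAMPLE), 2))
    print("evidence-first order:", evidence_first(SAMPLE))
```

In the constructed data, the two exploited entries with low or missing scores are exactly the ones the score gate leaves unflagged, while the evidence-first ranking places them ahead of the unexploited high-CVSS entry.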
With exploitation timelines accelerating and a growing backlog of vulnerabilities awaiting analysis, the onus on defenders to reduce vulnerability debt and strengthen their security posture has never been more critical.
The first quarter of 2025 serves as a call to action for enterprises and vendors alike to invest in more agile, intelligence-led defense mechanisms.