71% of critical vulnerability alerts in Q3 2025 originated from just four legacy CVEs.

CVEs added to CISA KEV jumped 80% in H1 2025.

32.1% of vulnerabilities (Known Exploited Vulnerabilities - KEVs) had exploitation evidence on or before the day of their CVE disclosure, often indicating zero-day exploitation. This marks an 8.5% increase in the percentage of KEVs exploited on or before disclosure compared to 23.6% in 2024.

65% of third-party vendors are not maintaining current patch levels, which exposes financial institutions to inherited risk from known vulnerabilities (CVEs) and potentially unpatched zero-day vulnerabilities in legacy technologies.

Over 4,400 of the disclosed CVEs in 2024 were classified as critical (CVSS 9.0+).

Over 20,000 of the disclosed CVEs in 2024 had a CVSS score of 7.0 or higher.

There was a 38% year-over-year increase in published CVEs.

Over 40,000 CVEs were disclosed in 2024.

A significant portion of vulnerabilities were weaponized within days of disclosure.

Many of 2024's most exploited vulnerabilities were found in widely used third-party software rather than internally developed applications

The total count of automotive-related vulnerabilities (“CVEs”) published in 2024 reached 530, representing another annual gain and nearly twice as many as the 2019 count.

Over 7,400 Common Vulnerabilities and Exposures (CVEs) were detected on cloud systems hosting security.txt files from insecure versions exposed to the internet as of September 2024.