Cybersecurity statistics about exploit
40% of ransomware incidents began through vulnerability exploits
Vulnerability exploitation accounted for 21.3% of initial access vectors.
Vulnerability exploitation led to malware deployment as a follow-up activity in 68% of cases.
Exploited vulnerabilities also contributed to 12% of attacks in 2025.
Zero-day exploitation increased 46% in H1 2025.
Zero-day exploits increased 46% in H1 2025.
Publicly available exploits rose by 179% since the start of 2025.
Exploits were observed being weaponised in minutes.
The most common cybersecurity threats reported include malware (44%) and AI-powered exploits (28%).
Exploits spiked 433% in Microsoft Office applications. Web browsers and Office applications have emerged as prime targets. Chrome specifically led all products in known attacks.
Exploits spiked 657% in browsers.
Exploits continue to be the most common initial infection vector (33%).
Federal organizations saw a 60% decline in exploitable service instances.
Over 50% of exploits in CISA’s Known Exploited Vulnerabilities (KEV) report were API-related in 2024, up from 20% in 2023.
79% of private sector organizations reduced exploitable services, while SLTT (State, Local, Tribal, and Territorial) entities experienced a 95% increase in exploitable services over the analysis period.
The five most commonly exploited services in critical infrastructure sectors were File Transfer Protocol (FTP), Remote Desktop Protocol (RDP), Remote Procedure Call (RPC), Server Message Block (SMB), and Internet Relay Chat (IRC).
33.5% of the API-related exploits targeted modern APIs, like RESTful and GraphQL.
Kernel exploits accounted for 5.4% of the CISA KEV exploits.
The number of exploitable services per organization decreased from 12 in August 2022 to 8 in August 2024.
International entities experienced a 65% decrease in exploitable service instances.