Cyber Security News

159 CVEs Exploited in the Wild in Q1 2025, 28.3% Targeted Within 1 Day of Disclosure

VulnCheck’s latest report for Q1 2025 has identified 159 Common Vulnerabilities and Exposures (CVEs) publicly disclosed as exploited in the wild for the first time.

Alarmingly, 28.3% of these Known Exploited Vulnerabilities (KEVs) saw evidence of exploitation within just one day of their CVE disclosure, underscoring the lightning-fast pace at which threat actors capitalize on newly revealed flaws.

This trend, consistent with patterns observed in 2024, signals an urgent need for defenders to accelerate their response to emerging threats while simultaneously addressing lingering vulnerability debt.

With data sourced from 50 distinct organizations, including major contributors like Shadowserver (31 disclosures) and GreyNoise (17 disclosures), the report paints a comprehensive picture of a dynamic threat landscape.

Key Product Categories and Vendors Under Siege

The exploitation focus in Q1 2025 predominantly targeted internet-facing and end-user-accessible systems, with Content Management Systems (CMS) leading the pack at 35 KEVs, followed by Network Edge Devices (29), and Operating Systems (24).

Notably, categories like desktop applications and browsers, historically frequent targets, recorded lower exploitation rates, hinting at a potential shift in attacker priorities that bears monitoring.

Figure: 1-Day vulnerabilities

Among vendors, Microsoft Windows topped the list with 15 exploited vulnerabilities, trailed by Broadcom VMware (6) and Cyber PowerPanel (5), reflecting the critical nature of these widely used technologies.

The report also highlights a surge in exploitation disclosures toward the latter half of the quarter, averaging 11.4 KEVs weekly and 53 monthly, providing defenders with crucial insights for capacity planning.

Meanwhile, the CISA KEV catalog added 80 vulnerabilities, though only 12 lacked prior public exploitation evidence, emphasizing the gap between official reporting and real-world activity.

NVD Gaps and Scoring System Limitations

A deeper dive into the National Vulnerability Database (NVD) statuses reveals coverage gaps, with 25.8% of KEVs still awaiting or undergoing analysis and 3.1% marked as “Deferred,” while 69.2% are categorized as “Analyzed” or “Modified.”

Additionally, two KEVs remain in reserved status, and one has been rejected, complicating timely risk assessment.

When mapped to scoring systems like CVSS and EPSS, the data suggests a significant limitation: only a handful of vulnerabilities showed elevated EPSS scores on the day exploitation evidence emerged, positioning EPSS as a trailing rather than predictive indicator.

This finding cautions organizations against over-reliance on such metrics for emerging threat prioritization, advocating instead for real-time threat intelligence and rapid response mechanisms.
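As an added illustration of this point (not part of VulnCheck's report or the original article), the sketch below compares an EPSS-threshold filter with triage driven by exploitation evidence. The records are constructed with placeholder IDs, and the field names, the 0.1 threshold and the choice to count evidence that predates CVE publication as "within one day" are assumptions.

```python
from datetime import date

# Constructed sample records: placeholder IDs, invented dates and scores.
# "epss" is the EPSS score on the day exploitation evidence appeared
# (or the current score when no evidence exists).
RECORDS = [
    {"id": "CVE-EXAMPLE-0001", "published": date(2025, 1, 14),
     "exploited": date(2025, 1, 14), "epss": 0.02, "exposed": True},
    {"id": "CVE-EXAMPLE-0002", "published": date(2025, 2, 3),
     "exploited": date(2025, 2, 4), "epss": 0.01, "exposed": True},
    {"id": "CVE-EXAMPLE-0003", "published": date(2024, 6, 10),
     "exploited": date(2025, 3, 1), "epss": 0.91, "exposed": False},
    {"id": "CVE-EXAMPLE-0004", "published": date(2025, 3, 10),
     "exploited": None, "epss": 0.45, "exposed": True},
    {"id": "CVE-EXAMPLE-0005", "published": date(2025, 2, 20),
     "exploited": date(2025, 2, 18), "epss": 0.0, "exposed": True},
    {"id": "CVE-EXAMPLE-0006", "published": date(2025, 1, 5),
     "exploited": date(2025, 1, 25), "epss": 0.06, "exposed": False},
]

def days_to_exploit(rec):
    """Days from CVE publication to first exploitation evidence, or None."""
    if rec["exploited"] is None:
        return None
    return (rec["exploited"] - rec["published"]).days

def share_within(records, days=1):
    """Fraction of exploited records with evidence within `days` of publication.
    Assumption: evidence that predates publication (negative delta) counts."""
    deltas = [d for d in map(days_to_exploit, records) if d is not None]
    return sum(d <= days for d in deltas) / len(deltas) if deltas else 0.0

def missed_by_epss(records, threshold=0.1):
    """Exploited records that an EPSS-threshold filter would not have flagged."""
    return [r["id"] for r in records
            if r["exploited"] is not None and r["epss"] < threshold]

def triage(records, as_of):
    """Known exploitation first, then internet-facing, EPSS only as tiebreaker."""
    def key(r):
        known = r["exploited"] is not None and r["exploited"] <= as_of
        return (not known, not r["exposed"], -r["epss"])
    return [r["id"] for r in sorted(records, key=key)]

if __name__ == "__main__":
    print(f"exploited within 1 day: {share_within(RECORDS):.0%}")
    print("missed by EPSS >= 0.1:", missed_by_epss(RECORDS))
    print("evidence-first order:", triage(RECORDS, date(2025, 3, 31)))
```

In this constructed set, the three records exploited within a day all sit below the EPSS threshold, while the evidence-first ordering places them at the top of the queue.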

The Q1 2025 findings from VulnCheck illuminate a cybersecurity environment where speed is paramount.

With nearly a third of vulnerabilities exploited within 24 hours of disclosure, and persistent gaps in NVD analysis, defenders must adopt agile strategies to stay ahead.

The focus on CMS, network devices, and operating systems as prime targets further stresses the need for robust patching and monitoring of critical infrastructure.

As threat actors continue to exploit vulnerabilities at an unrelenting pace, the call to action for the cybersecurity community has never been clearer: act fast, prioritize effectively, and fortify defenses against both new and lingering threats.


Aman Mishra

Aman Mishra is a security and privacy reporter covering data breaches, cybercrime, malware, and vulnerabilities.
