Cyber Security News

159 CVEs Exploited in the Wild in Q1 2025, 28.3% Targeted Within 1 Day of Disclosure

VulnCheck’s latest report for Q1 2025 has identified 159 Common Vulnerabilities and Exposures (CVEs) publicly disclosed as exploited in the wild for the first time.

Alarmingly, 28.3% of these Known Exploited Vulnerabilities (KEVs) saw evidence of exploitation within just one day of their CVE disclosure, underscoring the lightning-fast pace at which threat actors capitalize on newly revealed flaws.

This trend, consistent with patterns observed in 2024, signals an urgent need for defenders to accelerate their response to emerging threats while simultaneously addressing lingering vulnerability debt.

With data sourced from 50 distinct organizations, including major contributors like Shadow Server (31 disclosures) and GreyNoise (17 disclosures), the report paints a comprehensive picture of a dynamic threat landscape.

Key Product Categories and Vendors Under Siege

The exploitation focus in Q1 2025 predominantly targeted internet-facing and end-user-accessible systems, with Content Management Systems (CMS) leading the pack at 35 KEVs, followed by Network Edge Devices (29), and Operating Systems (24).

Notably, categories like desktop applications and browsers, historically frequent targets, recorded lower exploitation rates, hinting at a potential shift in attacker priorities that bears monitoring.

Figure: 1-Day vulnerabilities

Among vendors, Microsoft Windows topped the list with 15 exploited vulnerabilities, trailed by Broadcom VMware (6) and Cyber PowerPanel (5), reflecting the critical nature of these widely used technologies.

The report also highlights a surge in exploitation disclosures toward the latter half of the quarter, averaging 11.4 KEVs weekly and 53 monthly, providing defenders with crucial insights for capacity planning.

Meanwhile, the CISA KEV catalog added 80 vulnerabilities, though only 12 lacked prior public exploitation evidence, emphasizing the gap between official reporting and real-world activity.

NVD Gaps and Scoring System Limitations

A deeper dive into the National Vulnerability Database (NVD) statuses reveals coverage gaps, with 25.8% of KEVs still awaiting or undergoing analysis and 3.1% marked as “Deferred,” while 69.2% are categorized as “Analyzed” or “Modified.”

Additionally, two KEVs remain in reserved status, and one has been rejected, complicating timely risk assessment.

When mapped to scoring systems like CVSS and EPSS, the data suggests a significant limitation: only a handful of vulnerabilities showed elevated EPSS scores on the day exploitation evidence emerged, positioning EPSS as a trailing rather than predictive indicator.

This finding cautions organizations against over-reliance on such metrics for emerging threat prioritization, advocating instead for real-time threat intelligence and rapid response mechanisms.
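To make the trailing-indicator point concrete, the following added example (not from the VulnCheck report or the original article) measures time-to-exploitation over a small set of records and compares score-only triage with evidence-first triage. The CVE ids, dates, scores and thresholds are constructed placeholders and assumptions.

```python
from datetime import date

# Constructed sample records: placeholder CVE ids and values, not report data.
# "epss" is the score on the day exploitation evidence emerged; "cvss" is None
# while NVD has not yet analyzed the CVE.
FINDINGS = [
    {"cve": "CVE-0000-0001", "published": date(2025, 1, 14),
     "exploited": date(2025, 1, 14), "epss": 0.02, "cvss": None},
    {"cve": "CVE-0000-0002", "published": date(2025, 2, 3),
     "exploited": date(2025, 2, 4), "epss": 0.01, "cvss": 9.8},
    {"cve": "CVE-0000-0003", "published": date(2025, 1, 20),
     "exploited": date(2025, 3, 1), "epss": 0.45, "cvss": 7.5},
    {"cve": "CVE-0000-0004", "published": date(2025, 3, 10),
     "exploited": None, "epss": 0.30, "cvss": 8.1},
    {"cve": "CVE-0000-0005", "published": date(2025, 2, 18),
     "exploited": date(2025, 2, 16), "epss": 0.03, "cvss": 5.4},
]

def days_to_exploit(f):
    """Days from CVE publication to first exploitation evidence (None if none).
    Evidence that predates publication is clamped to 0."""
    if f["exploited"] is None:
        return None
    return max((f["exploited"] - f["published"]).days, 0)

def share_within(findings, days=1):
    """Fraction of exploited CVEs with evidence within `days` of publication."""
    exploited = [f for f in findings if f["exploited"] is not None]
    fast = [f for f in exploited if days_to_exploit(f) <= days]
    return len(fast) / len(exploited) if exploited else 0.0

def score_only_queue(findings, epss_min=0.10, cvss_min=7.0):
    """Triage on scores alone; the thresholds are illustrative assumptions."""
    return [f["cve"] for f in findings if f["epss"] >= epss_min
            or (f["cvss"] is not None and f["cvss"] >= cvss_min)]

def missed_by_scores(findings):
    """Exploited CVEs that score-only triage would not have queued."""
    queued = set(score_only_queue(findings))
    return [f["cve"] for f in findings
            if f["exploited"] is not None and f["cve"] not in queued]

def evidence_first_queue(findings):
    """Exploitation evidence outranks scores; an unscored CVE counts as CVSS 10."""
    key = lambda f: (f["exploited"] is None,
                     -(10.0 if f["cvss"] is None else f["cvss"]))
    return [f["cve"] for f in sorted(findings, key=key)]

if __name__ == "__main__":
    print(f"exploited within 1 day: {share_within(FINDINGS):.0%}")
    print("missed by score-only triage:", missed_by_scores(FINDINGS))
    print("evidence-first order:", evidence_first_queue(FINDINGS))
```

In this constructed set, the two records that score-only triage misses are the unscored CVE and the one exploited before its CVE was published, the cases where scores lag evidence.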

The Q1 2025 findings from VulnCheck illuminate a cybersecurity environment where speed is paramount.

With nearly a third of vulnerabilities exploited within 24 hours of disclosure, and persistent gaps in NVD analysis, defenders must adopt agile strategies to stay ahead.

The focus on CMS, network devices, and operating systems as prime targets further stresses the need for robust patching and monitoring of critical infrastructure.

As threat actors continue to exploit vulnerabilities at an unrelenting pace, the call to action for the cybersecurity community has never been clearer: act fast, prioritize effectively, and fortify defenses against both new and lingering threats.


Aman Mishra

Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.
