Patching windows for organizations keep shrinking, as threat actors exploit important vulnerabilities ever faster. According to a recent report from VulnCheck, a third of the flaws leveraged by attackers this year have been zero-days or 1-days. With so little advance warning, defenders must invest more in exploit detection and monitoring and ensure they keep on top of important patches.
“We observed an 8.5% increase in the percentage of KEVs [Known Exploited Vulnerabilities] that had exploitation evidence disclosed on or before the day a CVE was published — 32.1% in 1H-2025 as compared to the 23.6% we reported in 2024,” VulnCheck researchers wrote in the vulnerability intelligence firm’s report.
In the first half of 2025, VulnCheck added 432 new unique vulnerabilities (CVEs) to its KEV database, more than triple the 132 CVEs added by the US Cybersecurity and Infrastructure Security Agency (CISA) to its KEV catalog in the same period. VulnCheck takes a broader approach to monitoring than CISA does, drawing on more than 500 sources for vulnerability information and exploit evidence, including honeypot services such as GreyNoise and the Shadowserver Foundation.
For example, an audit of Shadowserver data in June revealed exploit evidence for more than 32 new vulnerabilities that didn’t yet have CVE IDs assigned by MITRE, which is a requirement for inclusion in the CISA KEV catalog. Furthermore, a third of KEVs detected in 2025 were still awaiting analysis by NIST for inclusion in the National Vulnerability Database (NVD), despite having already received CVE IDs.
The NVD, intended to provide enriched details and context around CVEs, has been facing a crippling backlog.
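As an added illustration, not code from the VulnCheck report or this article, the script below computes the "exploitation evidence on or before CVE publication" share described above over a constructed KEV-style feed, then turns the same data into a patch-priority list for an asset inventory. The field names follow CISA's KEV JSON feed; every CVE ID, product, date and the inventory itself are made up, and the CVE publication and first-exploitation dates are assumed to come from separate sources, since the KEV feed does not carry them.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed (field names as CISA
# publishes them); every CVE ID, vendor, product and date here is made up.
KEV_FEED = json.loads("""{"title": "constructed sample", "vulnerabilities": [
 {"cveID": "CVE-2025-00001", "vendorProject": "ExampleCMS", "product": "ExampleCMS",
  "dateAdded": "2025-03-10", "dueDate": "2025-03-31"},
 {"cveID": "CVE-2025-00002", "vendorProject": "EdgeCo", "product": "VPN Gateway",
  "dateAdded": "2025-04-02", "dueDate": "2025-04-23"},
 {"cveID": "CVE-2024-00003", "vendorProject": "ExampleOS", "product": "ExampleOS",
  "dateAdded": "2025-05-15", "dueDate": "2025-06-05"}]}""")

# Constructed: CVE publication dates and first public exploitation evidence. Neither
# is in the KEV feed; in practice they come from CVE/NVD records and exploit-evidence
# sources (honeypots, vendor advisories, threat reports).
CVE_PUBLISHED = {"CVE-2025-00001": "2025-03-10", "CVE-2025-00002": "2025-04-01",
                 "CVE-2024-00003": "2024-11-20"}
FIRST_EXPLOITED = {"CVE-2025-00001": "2025-03-08", "CVE-2025-00002": "2025-04-02",
                   "CVE-2024-00003": "2025-05-14"}

def lead_time_days(cve_id):
    """Days from CVE publication to first exploitation evidence; <= 0 is a zero-day."""
    return (date.fromisoformat(FIRST_EXPLOITED[cve_id])
            - date.fromisoformat(CVE_PUBLISHED[cve_id])).days

def classify(cve_id):
    d = lead_time_days(cve_id)
    return "zero-day" if d <= 0 else "1-day" if d == 1 else "n-day"

def share_zero_or_one_day(feed):
    """Fraction of KEVs exploited on/before CVE publication or one day after."""
    ids = [v["cveID"] for v in feed["vulnerabilities"]]
    return sum(classify(c) in ("zero-day", "1-day") for c in ids) / len(ids)

def prioritize(feed, inventory, today):
    """KEVs hitting products in `inventory` (set of (vendorProject, product)),
    most urgent first: smallest days-until-due, then zero-/1-days before n-days."""
    rank = {"zero-day": 0, "1-day": 1, "n-day": 2}
    rows = []
    for v in feed["vulnerabilities"]:
        if (v["vendorProject"], v["product"]) not in inventory:
            continue
        due_in = (date.fromisoformat(v["dueDate"]) - today).days  # negative = overdue
        rows.append({"cveID": v["cveID"], "product": v["product"],
                     "class": classify(v["cveID"]), "days_until_due": due_in})
    return sorted(rows, key=lambda r: (r["days_until_due"], rank[r["class"]]))
```

Pointing `KEV_FEED` at the live CISA feed and `inventory` at a real asset list gives an overdue-first worklist; the zero-day/1-day share is the same metric the report uses to show how little warning defenders get.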
Content management systems and network-edge devices lead in KEVs
During the first half of 2025, content management systems (CMSes) had the highest number of KEVs, at 86, a significant number of which stemmed from WordPress plug-ins.
The second most impacted category was network-edge devices, with 77 KEVs. This category includes network security appliances, routers, firewalls, and VPN gateways, which have been a growing target over the past couple of years, especially for nation-state cyberespionage groups.
Server software (61 KEVs), open-source software (55), and operating systems (38) complete the top five most targeted categories, with hardware devices — including camera systems, DVRs, NVRs, IP phones, and other embedded devices — coming in sixth. VulnCheck notes that many of the flaws in the hardware device category came from attack data collected by Shadowserver, highlighting that exposing such devices directly to the internet is never a good idea.
In terms of vendors, Microsoft was the most targeted, with 32 KEVs, 26 of which were for Windows, followed by Cisco (10), and Apple, Totolink, and VMware, each with six KEVs. It’s worth noting, though, that not all new KEVs are new vulnerabilities. While 1 in 3 were zero-days or 1-days, many are older vulnerabilities that only started to be exploited in 2025, which is what put them on the new KEV list.
Also, some zero-days disclosed in 2025 had exploitation evidence dating back to 2024 but flew under the radar. This was the case for 147 of the 181 unique CVEs that were exploited by known threat actors — groups the industry knows and tracks under various aliases.
Russian and Iranian threat activity rises
The security industry attributes only some of the newly discovered exploits to known attacker groups, and only some of those groups have known countries of origin. As a result, statistics on the origin of attacks are not perfect.
During the first half of 2025, 181 of the CVEs added to the KEV database by VulnCheck were attributed to 92 known threat actors based on industry reports. Of those groups, only 56 had a country of origin attributed to them.
“If we look at the threat actors by attributed country, we quickly see that the usual suspects — China (20), Russia (11), North Korea (9), and Iran (6) — have the largest number of active threat actor groups,” the VulnCheck researchers concluded. “These countries are known for their cyber espionage and cyber activities, often being referred to as the four horsemen.”
Despite China still leading in the number of individual groups that exploit KEVs, its cumulative KEV attributions during 2025 decreased compared to 2024 based on VulnCheck’s data. Meanwhile, activity from Russian groups has increased. And while North Korea’s KEV attributions also dropped compared to last year, Iran’s have risen. These shifts, however, can be influenced by the timing of industry reports.
For example, the 2025 increase in Iranian attribution seems to be tied to a June report from security firm Tenable, which attributed 29 KEVs to Iranian threat actors. Similarly, the spike in North Korean KEV attribution in 2024 could be tied to a joint report released by government agencies from the US, UK, and South Korea, in which 44 new KEVs were attributed to a North Korean state-sponsored group tracked as Silent Chollima or Andariel.
“The spike in Russian attribution isn’t tied to specific reports and attribution is broadly distributed across sources, which re-emphasizes Russia continues to be a major force behind threat activity and vulnerability exploitation,” VulnCheck said.