Exploited CVEs Rise in Q1 2025, With Faster Turnaround Times

The first quarter of 2025 saw 159 vulnerabilities exploited in the wild—an uptick from 151 in the final quarter of 2024—highlighting the growing speed and volume of exploitation following public disclosure, according to The Hacker News. According to data analyzed by VulnCheck, nearly 30% of these vulnerabilities were exploited within a single day of their CVE publication.

A closer look at the exploited CVEs reveals a concentration in specific categories. Content management systems led the count with 35 vulnerabilities, followed by network edge devices (29), operating systems (24), and equal numbers (14 each) in open-source and server software. Some of the most affected vendors included Microsoft Windows, VMware, Cyber PowerPanel, Litespeed Technologies, and TOTOLINK routers. These trends underscore the continued targeting of systems that offer broad access or are often overlooked in patch cycles.

Meanwhile, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added 80 vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog in Q1, but only a fraction had no prior public record of exploitation. Additionally, around 26% of the total vulnerabilities flagged are still being reviewed or analyzed by the National Vulnerability Database, with a small percentage deferred. This lag in classification suggests that defenders may be operating without complete information even as attackers move quickly.

The broader impact of these exploited vulnerabilities is reflected in data breach trends. Verizon's 2025 DBIR noted a 34% increase in breaches beginning with vulnerability exploitation. Mandiant observed a similar pattern, with one-third of intrusions stemming from exploits—outpacing phishing for the fifth consecutive year. While defenders are improving detection capabilities, with median attacker dwell time holding at 11 days, the speed of initial compromise continues to challenge traditional security postures.