159 CVEs Exploited in Q1 2025 — 28.3% Within 24 Hours of Disclosure - The Hacker News

159 CVEs Exploited in Q1 2025 — 28.3% Within 24 Hours of Disclosure Ravie LakshmananApr 24, 2025Vulnerability / Threat Intelligence As many as 159 CVE identifiers have been flagged as exploited in the wild in the first quarter of 2025, up from 151 in Q4 2024. "We continue to see vulnerabilities being exploited at a fast pace with 28.3% of vulnerabilities being exploited within 1-day of their CVE disclosure," VulnCheck said in a report shared with The Hacker News. This translates to 45 security flaws that have been weaponized in real-world attacks within a day of disclosure. Fourteen other flaws have been exploited within a month, while another 45 flaws were abused within the span of a year.  The cybersecurity company said a majority of the exploited vulnerabilities have been identified in content management systems (CMSes), followed by network edge devices, operating systems, open-source software, and server software. The breakdown is as follows - Content Management Systems (CMS) (35) Network Edge Devices (29) Operating Systems (24) Open Source Software (14) Server Software (14) The leading vendors and their products that were exploited during the time period are Microsoft Windows (15), Broadcom VMware (6), Cyber PowerPanel (5), Litespeed Technologies (4), and TOTOLINK Routers (4). "On average, 11.4 KEVs were disclosed weekly, and 53 per month," VulnCheck said. "While CISA KEV added 80 vulnerabilities during the quarter, only 12 showed no prior public evidence of exploitation." Of the 159 vulnerabilities, 25.8% have been found to be awaiting or undergoing analysis by the NIST National Vulnerability Database (NVD) and 3.1% have been assigned the new "Deferred" status. According to Verizon's newly released Data Breach Investigations Report for 2025, exploitation of vulnerabilities as an initial access step for data breaches grew by 34%, accounting for 20% of all intrusions. Data gathered by Google-owned Mandiant has also revealed that exploits were the most frequently observed initial infection vector for the fifth consecutive year, with stolen credentials overtaking phishing as the second most frequently observed initial access vector. "For intrusions in which an initial infection vector was identified, 33% began with exploitation of a vulnerability," Mandiant said. "This is a decline from 2023, during which exploits represented the initial intrusion vector for 38% of intrusions, but nearly identical to the share of exploits in 2022, 32%." That said, despite attackers' efforts to evade detection, defenders are continuing to get better at identifying compromises. The global median dwell time, which refers to the number of days an attacker is on a system from compromise to detection, has been pegged at 11 days, an increase of one day from 2023. Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share SHARE  CMS, cybersecurity, data breach, Malware, Microsoft, network security, Operating Systems, Threat Intelligence, Vulnerability Trending News Starkiller Phishing Suite Uses AitM Reverse Proxy to Bypass Multi-Factor Authentication ClawJacked Flaw Lets Malicious Sites Hijack Local OpenClaw AI Agents via WebSocket OpenAI Codex Security Scanned 1.2 Million Commits and Found 10,561 High-Severity Issues 149 Hacktivist DDoS Attacks Hit 110 Organizations in 16 Countries After Middle East Conflict Coruna iOS Exploit Kit Uses 23 Exploits Across Five Chains Targeting iOS 13–17.2.1 Microsoft Reveals ClickFix Campaign Using Windows Terminal to Deploy Lumma Stealer Anthropic Finds 22 Firefox Vulnerabilities Using Claude Opus 4.6 AI Model ⚡ Weekly Recap: Qualcomm 0-Day, iOS Exploit Chains, AirSnitch Attack and Vibe-Coded Malware APT28 Tied to CVE-2026-21513 MSHTML 0-Day Exploited Before Feb 2026 Patch Tuesday Google Confirms CVE-2026-21385 in Qualcomm Android Component Exploited Open-Source CyberStrikeAI Deployed in AI-Driven FortiGate Attacks Across 55 Countries ThreatsDay Bulletin: DDR5 Bot Scalping, Samsung TV Tracking, Reddit Privacy Fine and More Cisco Confirms Active Exploitation of Two Catalyst SD-WAN Manager Vulnerabilities New Chrome Vulnerability Let Malicious Extensions Escalate Privileges via Gemini Panel Load More ▼ Popular Resources Identity Controls Checklist: Find Missing Protections in Apps Read CYBER360 2026: From Zero Trust Limits to Data-Centric Security Paths 19,053 Confirmed Breaches in 2025 – Key Trends and Predictions for 2026 Self-Hosted WAF: Block SQLi, XSS, and Bots Before They Reach Your Apps