2025 Q1 Trends in Vulnerability Exploitation (VulnCheck)
VulnCheck’s quarterly exploitation-trends report (Patrick Garrity) draws on its own tracking of vulnerabilities first observed exploited in the wild. The data is attacker-behavior telemetry and AI-agnostic, but it bounds the time-to-exploit argument the wiki tracks with a first-party number rather than vendor framing.
Key Figures
- 159 vulnerabilities were first reported as exploited in the wild in Q1 2025, drawn from 50 distinct disclosing organizations.1
- 28.3% had exploitation evidence within one day of CVE publication, marginally faster than the 2024 pace.1 This is the primary source for a figure the wiki previously cited only through secondary coverage.
- Cadence: about 11.4 newly-exploited vulnerabilities per week, 53 per month. CISA KEV added 73 during the quarter, of which only 12 had no prior public exploitation evidence.2
- NVD coverage gap: 25.8% of these KEVs were still awaiting or undergoing NIST NVD analysis, and 3.1% carried the new “Deferred” status.3
Notable Finding — EPSS Is a Trailing Indicator
Scored against EPSS on the day exploitation became public, only a handful of these vulnerabilities carried elevated EPSS, despite confirmed exploitation. The report concludes that EPSS is largely a trailing indicator rather than a predictive tool for emerging threats, and advises caution in relying on scoring systems for newly-exploited vulnerabilities.4 This supports prioritizing by observed-exploitation evidence (KEV feeds) over score-based triage for emerging threats, the logic behind the hardening plan’s KEV-first patching SLA.
Where It Fits
A first-party anchor for the “exploitation lands within a day” claim used across the Zero Day Clock and the SDLC in the AI-Attacker Era thesis. The top exploited categories — content management systems (35), network edge devices (29), operating systems (24) — are internet-facing or end-user-accessible, consistent with reconnaissance-cost collapse against exposed surface. The report does not attribute the pace to AI; it is the measured baseline that the AI-acceleration argument builds on.
Notes
Footnotes
-
VulnCheck — 2025 Q1 Trends in Vulnerability Exploitation, Patrick Garrity, April 2025. 159 vulnerabilities first reported as exploited in the wild in Q1 2025 from 50 disclosing organizations; 28.3% had exploitation evidence within one day of CVE publication. ↩ ↩2
-
VulnCheck — 2025 Q1 Trends in Vulnerability Exploitation, April 2025. Averages of 11.4 newly-exploited vulnerabilities per week and 53 per month; CISA KEV added 73 vulnerabilities, of which only 12 had no prior public exploitation evidence. ↩
-
VulnCheck — 2025 Q1 Trends in Vulnerability Exploitation, April 2025. 25.8% of Q1-2025 KEVs were still awaiting or undergoing NIST NVD analysis; 3.1% carried the “Deferred” status; 69.2% were “Analyzed” or “Modified.” ↩
-
VulnCheck — 2025 Q1 Trends in Vulnerability Exploitation, April 2025. EPSS scores on the day of exploitation disclosure were elevated for only a handful of confirmed-exploited vulnerabilities, indicating EPSS behaves as a trailing rather than predictive indicator for emerging threats. ↩