Vulnerability Prioritization Shifts Toward Known-Exploited Risk and Centralized Scanning
Security teams are increasingly de-emphasizing CVSS-only approaches in favor of prioritizing known exploited vulnerabilities (KEV), driven by evidence that only a small fraction of disclosed CVEs are exploited in the wild. Reporting citing VulnCheck research highlighted that roughly 1% of 40,000+ vulnerabilities disclosed in the prior year saw in-the-wild exploitation, with network edge devices disproportionately targeted (reported as 28% of KEV-impacted products) and recurring exposure across major enterprise stacks including Microsoft, VMware, Oracle, Ivanti, SonicWall, and Fortinet. The same research pointed to high-profile exploitation waves such as SharePoint zero-days impacting 400+ organizations and rapid weaponization dynamics like React2Shell, which reportedly accumulated 236 public exploits within a month.
In the UK public sector, the Department for Science, Innovation and Technology (DSIT) reported operational improvements from a centralized Vulnerability Monitoring Service that continuously scans internet-facing systems across roughly 6,000 organizations and drives remediation of about 400 confirmed vulnerabilities per month. DSIT said median remediation time for critical domain-related weaknesses fell to eight days (from ~50), other vulnerabilities to 32 days (from 53), and the backlog of unresolved critical flaws dropped by about three-quarters—positioning automated discovery and faster patch cycles as a practical response to long-standing government security shortfalls, even as officials did not quantify exploitation rates or overall compromise trends.
Related Stories

Record Surge in CVE Disclosures and Microsoft Vulnerabilities in 2025
In 2025, the cybersecurity landscape was marked by an unprecedented surge in vulnerability disclosures, with nearly 49,209 CVEs published—representing a 43% increase over the previous year. Microsoft alone issued mitigations for 1,246 CVEs, including 158 rated as critical, and faced 41 zero-day vulnerabilities. Security experts noted that while the volume of vulnerabilities reached new highs, the real risk stemmed from a small subset that were actively exploited, particularly those affecting Microsoft platforms and edge devices. Attackers increasingly leveraged AI and new tactics to exploit vulnerabilities faster, often timing attacks around Patch Tuesday cycles to maximize impact before organizations could apply updates. The overwhelming number of vulnerabilities forced security teams to rethink their prioritization strategies, as traditional severity ratings like CVSS proved insufficient for predicting exploitation. Instead, models such as the Exploit Prediction Scoring System (EPSS) and asset criticality became essential for identifying which vulnerabilities posed the greatest risk. State-sponsored actors and ransomware groups were responsible for a significant portion of exploitation activity, with remote code execution and privilege escalation flaws being the most targeted. Experts emphasized the need for rapid, risk-based patching and a shift away from patching solely based on severity scores, as attackers focused on speed, exposure, and critical assets rather than the sheer number of vulnerabilities disclosed.
2 months ago
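The prioritization shift described in the summary above and in this story (KEV membership and EPSS plus asset exposure ahead of raw CVSS) as an added, runnable illustration; this is not code from any of the cited reports. The tier thresholds, the EPSS cut-off of 0.5, and the CVE identifiers are constructed placeholders for the example.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Finding:
    cve: str
    cvss: float            # CVSS base score, 0-10
    epss: float            # EPSS probability of exploitation, 0-1
    in_kev: bool           # listed in a known-exploited-vulnerabilities catalog
    internet_facing: bool  # reachable from the internet (edge appliance, public web app)
    criticality: int       # asset criticality, 1 (low) to 3 (business-critical)


def priority_tier(f: Finding) -> int:
    """Lower number = patch first. Thresholds are assumptions for this example:
    1: known exploited on an exposed asset
    2: known exploited anywhere, or EPSS >= 0.5
    3: CVSS critical (>= 9.0) on an exposed asset
    4: everything else (tracked, but not in the urgent queue)"""
    if f.in_kev and f.internet_facing:
        return 1
    if f.in_kev or f.epss >= 0.5:
        return 2
    if f.cvss >= 9.0 and f.internet_facing:
        return 3
    return 4


def risk_rank(findings: List[Finding]) -> List[str]:
    # Within a tier: higher EPSS, then more critical asset, then higher CVSS first.
    key = lambda f: (priority_tier(f), -f.epss, -f.criticality, -f.cvss)
    return [f.cve for f in sorted(findings, key=key)]


def cvss_rank(findings: List[Finding]) -> List[str]:
    # The severity-only ordering the page argues against, for comparison.
    return [f.cve for f in sorted(findings, key=lambda f: -f.cvss)]


# Constructed sample findings (placeholder CVE ids, not real vulnerabilities).
SAMPLE = [
    Finding("CVE-0000-0001", 9.8, 0.02, False, False, 2),  # critical score, internal, rarely exploited
    Finding("CVE-0000-0002", 7.2, 0.91, True,  True,  3),  # KEV-listed edge VPN appliance
    Finding("CVE-0000-0003", 6.5, 0.62, False, True,  2),  # moderate CVSS, high EPSS, public web app
    Finding("CVE-0000-0004", 9.1, 0.01, False, True,  1),  # critical CVSS, exposed, low exploit likelihood
    Finding("CVE-0000-0005", 5.3, 0.40, True,  False, 1),  # old KEV entry on an internal host
]

if __name__ == "__main__":
    print("CVSS-only :", cvss_rank(SAMPLE))
    print("Risk-based:", risk_rank(SAMPLE))
```

The two orderings diverge on exactly the cases the reporting highlights: the KEV-listed edge appliance moves to the front while the internal CVSS 9.8 finding drops to the bottom.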
Rising exploitation pressure from zero-days and known exploited vulnerabilities
Security reporting and research highlighted accelerating exploitation pressure on enterprises, driven by both **zero-day** activity and the growing backlog of **known exploited vulnerabilities (KEVs)**. A Talos retrospective counted **48,196 CVEs in 2025** and **241 KEVs** (up from 186 in 2024), with a notable share of KEVs originating from older CVEs and even vulnerabilities dating back to 2007—reinforcing that attackers continue to monetize long-lived weaknesses when patching and asset visibility lag. Talos also noted disproportionate exploitation targeting **network edge infrastructure** (e.g., firewalls/VPNs), underscoring the operational risk of unpatched or hard-to-patch appliances and legacy systems. Separate threat reporting pointed to expanding attack volume and shifting attacker tradecraft that can amplify exploitation impact. Check Point data cited by Dark Reading said **Latin America** is seeing substantially higher weekly attack volume than the US (including higher proportions of **ransomware** and **infostealer** activity), consistent with adversaries concentrating on regions with faster digital adoption and lower security maturity. CSO Online also reported that the *Coruna* **iOS exploit kit** rapidly evolved from a targeted spyware capability into broader criminal use, illustrating how advanced exploitation tooling can commoditize quickly and increase the likelihood of opportunistic compromise across a wider victim set.
1 week ago
UK Government Vulnerability Monitoring System Cuts Public-Sector Remediation Times
The UK Department for Science, Innovation and Technology (**DSIT**) reported that its **Vulnerability Monitoring System (VMS)** is significantly reducing remediation times for internet-facing public-sector systems by continuously scanning roughly **6,000** government/public-sector websites and services. VMS uses a mix of commercial and proprietary tooling to check for about **1,000** vulnerability types, with a particular focus on **domain/DNS-related weaknesses** that could be abused by attackers; DSIT said median remediation time for DNS/domain issues fell from about **50 days to 8 days** (an **84%** improvement), while median time to fix other vulnerabilities dropped from **53 days to 32 days**. DSIT also stated the service is clearing a substantial volume of risk, resolving around **400 confirmed vulnerabilities per month** and reducing the backlog of critical open domain-related issues by about **75%**. The program is positioned as part of the government’s *Blueprint for Modern Digital Government* (published January 2025), with Minister for Digital Government **Ian Murray** emphasizing operational impacts of cyberattacks on public services (e.g., NHS disruption) and announcing a related workforce initiative to build a stronger pipeline of cybersecurity talent across DSIT and the UK’s National Cyber Security Centre (**NCSC**).
2 weeks ago