Analysis of 768K+ security advisories reveals critical blind spots in traditional vulnerability management: 193K malware packages without CVE IDs, 11% missing CVSS scores, and time-to-exploit collapsed to 5 days.
By Mondoo Security Research Team |January 2026
The cybersecurity landscape in 2025 has reached an inflection point. With over 48,000 CVEs published and 193,000+ malware packages discovered in open source ecosystems, security teams face an unprecedented volume of threats. Traditional vulnerability management approaches—relying on CVE databases and CVSS scores—are no longer sufficient.
This report synthesizes data from 768,000+ security advisories, cross-referenced with major industry reports including Verizon DBIR, Mandiant M-Trends, and CISA's Known Exploited Vulnerabilities catalog. Our analysis reveals critical blind spots in vulnerability intelligence: malware packages that never receive CVEs, CVSS scores missing from 11% of vulnerabilities, and a time-to-exploit that has collapsed from 63 days to just 5 days.
The findings challenge conventional assumptions about vulnerability prioritization and highlight the growing gap between disclosure velocity and organizational response capabilities.
2025 at a glance: 48,175 total CVEs (132 per day); 3,996 Critical; 38% rated High or Critical; +21% year-over-year growth.
The 21% year-over-year growth represents a moderation from 2024's 38% surge, but still adds 132 new CVEs daily to the vulnerability backlog. This report examines whether this slowdown reflects improved software security or limitations in vulnerability cataloging infrastructure.
Malware packages and cloud misconfigurations are invisible to CVE scanners
There were 4.0x more malware packages (192,742) than CVEs published (48,175) in 2025. These malicious npm packages are tracked by the OpenSSF malicious-packages project under MAL-* identifiers, never receive CVE IDs, and are therefore invisible to scanners that key on CVEs.
Cloud environments face a similar gap: 29.4% of cloud incidents stem from misconfigurations and 47.1% from weak credentials (Google Cloud Threat Horizons). These require CIS Benchmarks, not CVE scanning.
142,256 malicious packages were published in November 2025 alone, 26x the monthly average. The Shai-Hulud v2 worm behind that spike compromised 27K GitHub repos and 487 organizations.
Amazon Inspector identified 150,000+ malicious packages - 'one of the largest attacks ever seen in open-source registries' targeting npm ecosystem.
Cloud misconfigurations (IAM, storage, network) have no CVE identifiers. Protecting cloud infrastructure requires CIS Benchmarks and CSPM tools, not vulnerability scanners.
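The gap between CVE-keyed scanning and advisory-keyed scanning is concrete enough to show in code. The matcher below is an added example written for this page, not Mondoo's tooling: it checks a lockfile's pinned npm versions against advisories in the OSV schema, which is the format both GHSA records and OpenSSF MAL-* records are published in. The lockfile, the advisory records and every identifier in them are constructed placeholders (the `CVE-0000-...` alias is deliberately not a valid CVE year). The point is the last function: filter the same findings down to those carrying a CVE ID and the malware hit disappears.

```python
"""Match pinned npm dependencies against OSV-format advisories, including
OpenSSF malicious-package (MAL-*) records that never get a CVE ID.
Added example for this report; advisories and lockfile are constructed."""

# Constructed lockfile excerpt: package name -> installed version.
LOCKED_DEPS = {
    "example-logger": "1.2.4",
    "example-parser": "1.9.0",
    "example-util": "3.0.0",
}

# Constructed advisories in the OSV schema. IDs and package names are
# placeholders, not real records, but the shapes match what osv.dev serves.
ADVISORIES = [
    {   # malware record: explicit version list, no CVE alias
        "id": "MAL-0000-0001",
        "summary": "Malicious code in example-logger (npm)",
        "aliases": [],
        "affected": [{"package": {"ecosystem": "npm", "name": "example-logger"},
                      "versions": ["1.2.3", "1.2.4"]}],
    },
    {   # ordinary vulnerability: semver range with a CVE alias
        "id": "GHSA-0000-0000-0000",
        "summary": "Prototype pollution in example-parser",
        "aliases": ["CVE-0000-00001"],
        "affected": [{"package": {"ecosystem": "npm", "name": "example-parser"},
                      "ranges": [{"type": "ECOSYSTEM",
                                  "events": [{"introduced": "0"}, {"fixed": "2.0.1"}]}]}],
    },
]


def parse_semver(version):
    """Numeric core of a semver string as a tuple. Pre-release and build tags
    are dropped (simplification: real semver orders 1.0.0-rc1 before 1.0.0)."""
    core = version.split("+", 1)[0].split("-", 1)[0]
    return tuple(int(p) for p in core.split("."))


def in_range(version, events):
    """Walk an OSV ECOSYSTEM/SEMVER event list: the version is affected if an
    'introduced' event precedes it and no 'fixed'/'last_affected' closes the
    window before it."""
    v = parse_semver(version)
    start = None
    for ev in events:
        if "introduced" in ev:
            start = (0,) if ev["introduced"] == "0" else parse_semver(ev["introduced"])
        elif "fixed" in ev:
            if start is not None and start <= v < parse_semver(ev["fixed"]):
                return True
            start = None
        elif "last_affected" in ev:
            if start is not None and start <= v <= parse_semver(ev["last_affected"]):
                return True
            start = None
    return start is not None and v >= start


def is_affected(version, affected):
    """An 'affected' entry may list exact versions, ranges, or both."""
    if version in affected.get("versions", []):
        return True
    return any(r.get("type") in ("ECOSYSTEM", "SEMVER") and in_range(version, r["events"])
               for r in affected.get("ranges", []))


def has_cve(advisory):
    """True if the record itself or any alias is a CVE ID."""
    return any(i.startswith("CVE-") for i in [advisory["id"], *advisory.get("aliases", [])])


def match_advisories(deps, advisories, ecosystem="npm"):
    """Return one finding per (advisory, package) hit in the lockfile."""
    findings = []
    for adv in advisories:
        for aff in adv["affected"]:
            pkg = aff["package"]
            if pkg["ecosystem"] != ecosystem or pkg["name"] not in deps:
                continue
            version = deps[pkg["name"]]
            if is_affected(version, aff):
                findings.append({"id": adv["id"], "package": pkg["name"],
                                 "version": version, "has_cve": has_cve(adv)})
    return findings


def cve_only_view(findings):
    """What a scanner that keys on CVE IDs would report from the same data."""
    return [f for f in findings if f["has_cve"]]


if __name__ == "__main__":
    found = match_advisories(LOCKED_DEPS, ADVISORIES)
    for f in found:
        print(f"{f['id']:22} {f['package']}@{f['version']}  cve={'yes' if f['has_cve'] else 'NO'}")
    print("CVE-keyed scanner would report:", [f["id"] for f in cve_only_view(found)])
```

In practice the advisory list comes from the OSV API or a local mirror of the GHSA and malicious-packages databases; the matching logic is the same. Treat any finding with `has_cve` false as a first-class result, because for malware there will never be a CVE to wait for.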
Supply chain attacks visualized (chart): Aug 2025, Shai-Hulud v1 (35K malicious packages); Nov 2025, Shai-Hulud v2 (142K).
The gap is growing, not shrinking
The CVSS coverage gap grew 6x, from 3.3% in January to 19.6% in December.
The CVSS coverage gap widened 6x over the course of 2025 (3.3% to 19.6%), the opposite of what should happen if NVD were working down its backlog. Sonatype found that after scoring the missing items, almost half were High or Critical.
5,803 kernel CVEs published in 2025, but 85% have NO CVSS score. The kernel became a CNA in 2024 but intentionally doesn't score vulnerabilities.
92% of unscored vulnerabilities are reported with an 'UNKNOWN' severity. A 'CVSS 7+' filter silently drops every one of them, including the roughly half that would rate High or Critical once scored.
Only 24% of 2025 CVEs have CVSS 4.0 scores. VulDB alone accounts for 49% of v4 scores, while NVD, Microsoft, Red Hat, and Oracle rarely publish v4. Severity shifts may reflect adoption gaps, not real changes.
Linux Kernel CNA and curl both refuse to provide CVSS scores. Greg KH and Daniel Stenberg argue scores are misleading without context. NVD adds them anyway - same CVE scored 9.8 (CISA) vs 4.4 (IBM).
Microsoft (25%) & Adobe (20%) lead v4.0. Linux: 90% missing (by policy).
Plugin ecosystem now dominates CVE volume
WordPress security firms (Patchstack + Wordfence) assigned 5.3x more CVEs than Microsoft, Google, and Apple combined. The vulnerability landscape has shifted from core OS issues to third-party plugin ecosystems.
WordPress CNAs: 10,474 CVEs (21.7% of total). Microsoft + Google + Apple: 1,976 CVEs (4.1% of total).
96% of WordPress vulnerabilities are in plugins, 4% in themes, only 7 in core (none critical). Your CMS plugin ecosystem is now your biggest attack surface.
OS and mobile CVEs grew from 2,733 → 9,180 (236% increase). Mobile chipset vendors (Qualcomm, MediaTek, Samsung) drove significant growth. Traditional OS security is mature but mobile attack surface expands.
WordPress CVEs exploded from 1,007 → 11,067 (999% increase). In 2023, WordPress overtook OS. Plugin ecosystems with thousands of third-party developers have become the primary source of new vulnerabilities.
From 63 days to 5 days in 6 years
The window is closing fast
Edge exploitation at a glance: 44% of zero-days target edge devices; 8x increase in edge targeting; median time-to-exploit for edge devices is 0 days; 22% of exploitation breaches.
Mandiant M-Trends 2025 reports time-to-exploit collapsed to just 5 days - down from 63 days in 2018-2019. Yet organizations take a median of 32 days to patch (Verizon DBIR).
Vulnerability exploitation now accounts for 20% of all breaches (Verizon DBIR, up 34% YoY) and 21.3% of intrusions (ENISA). Two attack surfaces are under siege: edge devices (VPNs, firewalls) and web frameworks (React, Next.js, npm packages).
44% of zero-days target enterprise edge devices. These are internet-facing, always-on, and often running vulnerable firmware.
Ivanti (Nominet breach), Fortinet (auth bypass), WatchGuard (125K exposed), Cisco (CVSS 10), Citrix (CitrixBleed 2) - the most exploited vulns of 2025 are all edge devices.
China-nexus APT (UNC5221) exploits edge appliances, then pivots to VMware vCenter/ESXi. Average dwell time: 393 days. Edge devices are the entry point to your entire infrastructure.
Microsoft Incident Response found 18% of breaches were via unpatched web assets, 28% via phishing. Exploits incorporated faster than ever.
44% of zero-days target edge infrastructure. 8x increase in edge exploitation (Verizon DBIR).
React2Shell exploited in 2 days. China-nexus groups (UNC6600, UNC6586) + cryptominers weaponized immediately.
Both edge infrastructure and web frameworks are being weaponized in days. With median patch time at 32 days (Verizon DBIR), organizations are 6x too slow regardless of which surface gets hit.
132 CVEs/day, limited resources, and CVSS doesn't predict exploitation
At 132 CVEs per day, no team can patch everything. The traditional approach (prioritize by CVSS 7+) means patching 57% of all vulnerabilities. That's unsustainable.
Worse, CVSS doesn't predict what attackers actually exploit. Only 2.3% of CVSS 7+ vulnerabilities were observed being exploited in the wild. You're spending 97% of your effort on vulnerabilities that will never be attacked.
CVSS measures theoretical severity, not real-world exploitation likelihood. A 'Critical' vulnerability in unused software is less urgent than a 'Medium' being actively exploited.
EPSS predicts exploitation probability. Combined with CISA KEV (known exploited), you can reduce patching workload by 95% while covering 63% of likely-exploited vulnerabilities.
A 2025 study found <20% of exploited CVEs scored ≥0.5 by EPSS before KEV addition, and 22% had no EPSS score at all. EPSS is useful but not a silver bullet - combine with KEV and threat intelligence.
CVSS 7+: patch 57.4% of all CVEs to catch most of the exploited ones. EPSS 0.1+: patch only 2.7% of CVEs, focused on those likely to be exploited. The result is 16x better efficiency: comparable real-world protection with 95% less effort.

Column definitions follow FIRST's EPSS evaluation: Effort is the share of all CVEs you would patch, Coverage is the share of exploited CVEs that set catches (recall), and Efficiency is the share of the CVEs you patched that were actually exploited (precision).

| Strategy | Effort (share of CVEs patched) | Coverage (share of exploited CVEs caught) | Efficiency (share of patched CVEs exploited) |
|---|---|---|---|
| CVSS 7+ | 57.4% | 82.2% | 3.96% |
| EPSS 0.1+ | 2.7% | 63.2% | 65.2% |
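The three columns are easy to reproduce on your own data, and doing so also exposes the blind spot noted under the CVSS coverage gap: a plain "CVSS >= 7" filter treats "no score" as "below 7". The Python below is an added example written for this page, not Mondoo's tooling. It runs over a constructed ten-record sample with placeholder IDs (`S01`..`S10`), implements the FIRST definitions of effort, coverage and efficiency, and applies a triage order that puts KEV first, EPSS next, and unscored CVEs into their own review queue rather than letting them fall through.

```python
"""Exploit-probability triage: KEV and EPSS first, unscored CVEs kept visible,
CVSS last. Added example for this report, with a constructed sample set."""

KEV_TIER, EPSS_TIER, UNSCORED_TIER, CVSS_TIER, BACKLOG_TIER = (
    "1-kev", "2-epss", "3-unscored-review", "4-cvss-high", "5-backlog")
EPSS_THRESHOLD = 0.1   # the EPSS 0.1+ strategy from the table
CVSS_THRESHOLD = 7.0   # the CVSS 7+ strategy from the table

# Constructed records with placeholder IDs. 'exploited' is the ground truth an
# evaluation needs (e.g. your own threat-intel feed); 'kev' is the public CISA
# subset of it. None means the score has not been published.
SAMPLE = [
    {"id": "S01", "cvss": 9.8,  "epss": 0.020, "kev": False, "exploited": False},
    {"id": "S02", "cvss": 7.5,  "epss": 0.010, "kev": False, "exploited": False},
    {"id": "S03", "cvss": 8.1,  "epss": 0.010, "kev": False, "exploited": False},
    {"id": "S04", "cvss": 9.1,  "epss": 0.920, "kev": True,  "exploited": True},
    {"id": "S05", "cvss": None, "epss": 0.450, "kev": True,  "exploited": True},   # unscored (kernel-style) and exploited
    {"id": "S06", "cvss": 5.3,  "epss": 0.310, "kev": False, "exploited": True},   # 'Medium' but exploited
    {"id": "S07", "cvss": 4.4,  "epss": 0.001, "kev": False, "exploited": False},
    {"id": "S08", "cvss": None, "epss": None,  "kev": False, "exploited": False},  # no CVSS, no EPSS yet
    {"id": "S09", "cvss": 7.2,  "epss": 0.005, "kev": False, "exploited": False},
    {"id": "S10", "cvss": 6.5,  "epss": 0.120, "kev": False, "exploited": False},
]


def select_cvss7(rec):
    """The naive filter: a record without a score silently fails the test."""
    return rec["cvss"] is not None and rec["cvss"] >= CVSS_THRESHOLD


def select_epss_kev(rec):
    """Patch if CISA says it is exploited, or if EPSS says it probably will be."""
    return rec["kev"] or (rec["epss"] is not None and rec["epss"] >= EPSS_THRESHOLD)


def evaluate(records, select):
    """Effort, coverage and efficiency as FIRST defines them for EPSS:
    effort = share of all CVEs patched, coverage = share of exploited CVEs
    caught (recall), efficiency = share of patched CVEs that were exploited
    (precision)."""
    chosen = [r for r in records if select(r)]
    exploited = [r for r in records if r["exploited"]]
    caught = [r for r in chosen if r["exploited"]]
    effort = len(chosen) / len(records)
    coverage = len(caught) / len(exploited) if exploited else 0.0
    efficiency = len(caught) / len(chosen) if chosen else 0.0
    return effort, coverage, efficiency


def triage(records):
    """Assign each record a tier. Unscored CVEs get their own queue instead of
    vanishing behind a CVSS threshold."""
    tiers = {}
    for r in records:
        if r["kev"]:
            tiers[r["id"]] = KEV_TIER
        elif r["epss"] is not None and r["epss"] >= EPSS_THRESHOLD:
            tiers[r["id"]] = EPSS_TIER
        elif r["cvss"] is None:
            tiers[r["id"]] = UNSCORED_TIER
        elif r["cvss"] >= CVSS_THRESHOLD:
            tiers[r["id"]] = CVSS_TIER
        else:
            tiers[r["id"]] = BACKLOG_TIER
    return tiers


def dropped_by_cvss_filter(records):
    """Exploited records a CVSS 7+ filter would never surface."""
    return [r["id"] for r in records if r["exploited"] and not select_cvss7(r)]


if __name__ == "__main__":
    for name, sel in (("CVSS 7+", select_cvss7), ("EPSS 0.1+ or KEV", select_epss_kev)):
        e, c, f = evaluate(SAMPLE, sel)
        print(f"{name:18} effort={e:.0%} coverage={c:.0%} efficiency={f:.0%}")
    print("exploited but invisible to CVSS 7+:", dropped_by_cvss_filter(SAMPLE))
    for vid, tier in sorted(triage(SAMPLE).items(), key=lambda kv: kv[1]):
        print(f"  {vid} -> {tier}")
```

On the sample, the CVSS 7+ filter spends half the effort to catch one of three exploited records (it misses the unscored KEV entry and the 'Medium' that is being exploited), while the EPSS-or-KEV selection catches all three at 75% efficiency. Real data will not be this clean, but the same `evaluate` call on a KEV-labelled export of your own inventory gives you the table's three numbers for your environment.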
46% of exploited vulnerabilities are from before 2021
Attackers aren't just chasing zero-days. CISA KEV data shows 46% of actively exploited vulnerabilities are from before 2021. Old, unpatched systems remain reliable targets.
EOL systems still receive new CVEs and are actively exploited. 106 KEVs (7.1% of the catalog) affect EOL Windows systems. Windows Server 2008 is 5 years past EOL and still actively exploited.
684 pre-2021 CVEs in CISA KEV. These aren't theoretical - they're being actively exploited in real attacks right now.
End-of-life software, forgotten servers, and 'stable' systems that never get updated are prime targets. EOL doesn't mean safe.
7.1% of all CISA KEV entries affect end-of-life Windows. These aren't theoretical risks - they're actively exploited.
Targeted systems average 4.4 years past their end-of-life date. Windows 10 1507 is 8 years past EOL and still getting new CVEs.
46% of KEV vulnerabilities are from before 2021. Legacy systems are actively targeted.
Classic attack vectors surge dramatically in 2025
Injection-class vulnerabilities exploded in 2025. CWE-74 (generic injection) grew 746%, while SQL injection increased 75%. These aren't new techniques - they're decades-old attack vectors resurging dramatically.
By volume, XSS (CWE-79) dominates with 6,383 CVEs - nearly double the next category. High growth rate doesn't always mean high volume: CWE-74's 746% surge still only reaches #6 by count.
Generic injection vulnerabilities grew from 302 in 2024 to 2,556 in 2025. This category includes command injection, LDAP injection, and other code/data boundary violations.
CWE-119 buffer errors grew from 152 to 1,059. Memory corruption vulnerabilities continue to plague C/C++ codebases.
Cross-Site Scripting leads all vulnerability classes in 2025 with 6,383 CVEs. With only 23% growth, it's a persistent baseline threat rather than an emerging one.
SQL Injection (CWE-89) ranks #2 in 2025 with 3,349 CVEs and 75% growth. The combination of high volume and rising trend makes it a priority concern.
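The two classes that dominate by volume, SQL injection (CWE-89) and the command-injection members of CWE-74 such as OS command injection (CWE-78), come from the same mistake: untrusted data is spliced into text that a parser then reads as code. The Python below is an added illustration written for this page, not code from the report, showing each vulnerable form next to its fix, against an in-memory SQLite table and a harmless `echo` command; the payloads and table contents are constructed.

```python
"""CWE-89 and CWE-78 side by side: the same input, spliced into text (vulnerable)
versus passed as data (fixed). Added example; inputs are constructed."""
import re
import sqlite3
import subprocess

SQLI_PAYLOAD = "x' OR '1'='1"               # closes the literal, appends a tautology
CMDI_PAYLOAD = "example.com; echo INJECTED"  # ';' ends one shell command, starts another
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252})$")


def make_db():
    """Constructed two-row table so the queries have something to return."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("bob",)])
    return conn


def find_user_vulnerable(conn, name):
    """CWE-89: the input becomes part of the SQL text, so a quote in it ends the
    string literal and everything after is parsed as SQL."""
    query = f"SELECT id, name FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn, name):
    """Bound parameter: the driver sends the value separately from the statement,
    so it is never re-parsed as SQL regardless of what it contains."""
    return conn.execute("SELECT id, name FROM users WHERE name = ?", (name,)).fetchall()


def echo_host_vulnerable(host):
    """CWE-78 (a CWE-74 child): the command string goes through /bin/sh, so
    shell metacharacters in the input are interpreted."""
    return subprocess.run(f"echo {host}", shell=True, capture_output=True, text=True).stdout


def echo_host_safe(host):
    """argv list, no shell: the whole value is exactly one argument to echo."""
    return subprocess.run(["echo", host], capture_output=True, text=True).stdout


def valid_hostname(host):
    """Defence in depth for the command case: reject anything that is not a
    plausible hostname before it gets near a process at all."""
    return bool(HOSTNAME_RE.match(host))


if __name__ == "__main__":
    db = make_db()
    print("SQL  vulnerable:", find_user_vulnerable(db, SQLI_PAYLOAD))  # both rows leak
    print("SQL  fixed     :", find_user_safe(db, SQLI_PAYLOAD))        # no such user
    print("CMD  vulnerable:", repr(echo_host_vulnerable(CMDI_PAYLOAD)))  # second command ran
    print("CMD  fixed     :", repr(echo_host_safe(CMDI_PAYLOAD)))       # literal argument
    print("allowlist      :", valid_hostname("example.com"), valid_hostname(CMDI_PAYLOAD))
```

The fix in both cases is structural rather than a matter of escaping: keep data in a channel the parser never treats as syntax (bound parameters, an argv array), and validate shape on top of that. Escaping alone is what produced the "decades-old attack vectors resurging" the section describes.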
CVE count doesn't equal real-world risk - exploitation rates tell the real story
Which OS is "most secure"? Raw CVE counts are misleading. Linux kernel published 5,803 CVEs in 2025 - more than Windows and macOS combined. But only 1 was exploited in the wild (0.02%).
Windows published 1,244 CVEs with 29 KEVs (2.33% exploitation rate) - and 76% were zero-days exploited before disclosure. macOS had 730 CVEs with 8 KEVs (1.1% exploitation). The real security metric is exploitation rate, not CVE count.
5,803 CVEs but only 0.02% exploitation rate. Linux kernel policy is to CVE every fix - most lack CVSS scores. Volume doesn't mean risk.
2.33% of 2025 CVEs exploited - 116x higher than Linux. 22 of 29 exploited CVEs (76%) were zero-days, meaning attackers had them before patches.
730 CVEs with 1.1% exploitation rate. 3 zero-days (37.5% of KEVs). Apple's closed ecosystem means fewer CVEs but when they're exploited, it matters.
Windows had 22 zero-days in 2025, macOS had 3, Linux had 0. Zero-days represent the highest risk - exploitation before any patch is available.
Key Insight: CVE count ≠ real-world risk. In 2025, Linux has 5,803 CVEs with 0.02% exploited. Windows has 1,244 CVEs with 2.33% exploited - and 76% were zero-days.
Methodology: Compares 2025 CVEs only to measure current security posture, not historical issues. Exploitation rate = KEVs for 2025 CVEs / 2025 CVE count. Linux kernel has more CVEs because their policy is to CVE every fix (most lack CVSS). Zero-days = CVEs exploited at or before publication.
MITRE steps back as EU and project CNAs rise
The vulnerability disclosure landscape is decentralizing. MITRE, the original CVE authority, saw a 13% drop in assignments as project-specific CNAs took over. Research CNAs like VulDB (5,901 CVEs, #2 overall) are filling the gap alongside vendor CNAs like Linux kernel (5,803 CVEs, #3).
Meanwhile, the EU is building its own vulnerability infrastructure. ENISA became a CVE Program Root in November 2025, empowering it to authorize new European CNAs. The EU Vulnerability Database (EUVD) launched in May 2025 under NIS2 Directive, providing European-focused tracking of critical, exploited, and EU-coordinated vulnerabilities.
ENISA became CVE Root in Nov 2025 (+1200% CVE growth). EUVD launched under NIS2. EU government CNAs grew 46% while US CNAs dropped 10%.
VulDB assigned 5,901 CVEs (#2 CNA). Linux kernel published 5,803 CVEs (#3). Research and project-specific CNAs now dominate the top 10.
GitHub Security (2,813 CVEs) operates separately from parent Microsoft (1,245 CVEs). Same ownership, different CNA processes and quality standards.
Key shift: MITRE dropped 13% as it becomes a "CNA of last resort." WordPress CNAs and Linux dominate volume.
Government CERT share of CVE assignments declined from 18% to 14% as private sector CNAs grow.
US CNA Structure: MITRE operates the CVE Program under CISA contract as "CNA of Last Resort" (6,018 → 5,233). ICS-CERT (CISA) handles ICS (258 → 336). CERT/CC (Carnegie Mellon SEI) is the original CERT (24 → 47). The -11% overall decline reflects MITRE's shrinking role.
Four of five Five Eyes nations (UK, Canada, Australia, NZ) have no government CNA activity. Germany's CERT-VDE is industry-funded (ZVEI), not government.
Note: Germany excluded - CERT-VDE (86 → 137 CVEs) is industry-funded (ZVEI), not government. BSI is not a CNA. US CNAs (MITRE, CERT/CC) are federally funded (FFRDCs).
Key shift: ENISA became a CVE Root in November 2025, empowering EU-wide vulnerability coordination. The EU Vulnerability Database (EUVD) launched under NIS2 Directive.
Both defenders and attackers are now using AI - the race is already on
In 2025, AI-powered security research moved from theory to practice. Google's Big Sleep became the first AI to discover a real-world vulnerability before exploitation, while CodeMender began automatically fixing critical flaws. PentestGPT (USENIX Security 2024) showed 228% better task completion than base LLMs.
But attackers aren't waiting. In September 2025, Anthropic detected what it described as the first AI-orchestrated cyber espionage campaign: a Chinese state-sponsored group used Claude to perform 80-90% of the attack, including vulnerability discovery, exploitation, and data exfiltration. The AI issued thousands of requests, often several per second, a tempo no human operator could sustain.
Microsoft's Digital Defense Report 2025 confirms AI is amplifying attacks: AI-automated phishing hits 54% click-through vs 12% for standard phishing (4.5x more effective). AI can make phishing operations up to 50x more profitable by scaling targeted attacks.
Big Sleep found first real-world vulnerability, CodeMender auto-fixes critical flaws, PentestGPT shows 228% improvement. AI vulnerability discovery is now operational.
Anthropic detected the first large-scale AI-orchestrated cyberattack in September 2025. State-sponsored hackers used AI for 80-90% of the campaign, attacking roughly 30 targets including tech companies and government agencies.
AI-automated phishing emails hit 54% click-through vs 12% standard. Cloud attacks up 87%. Adversaries using AI for vulnerability discovery and evasion.
The race is already on. Both sides are using AI. The question is who scales faster.
PentestGPT (USENIX Security 2024) provided academic validation that LLMs can effectively assist penetration testing. The research showed 228.6% task completion improvement over base GPT-3.5.
Our analysis of 48,175 CVEs published in 2025, combined with CISA KEV exploitation data and threat intelligence from Mandiant, Google, and Microsoft, reveals a vulnerability landscape that has fundamentally shifted. Traditional approaches built around CVE tracking and CVSS scoring are no longer sufficient.
The data tells a clear story: attackers are faster than ever (5-day average time-to-exploit), targeting specific infrastructure (edge devices account for 44% of zero-days), and exploiting gaps in visibility (193K malware packages bypass CVE tracking entirely). Organizations that adapt their security programs to this new reality will significantly reduce their risk exposure.
These four findings represent the most significant shifts in the 2025 vulnerability landscape and should inform your security strategy going forward.
CVE-centric approaches miss 193K+ threats
Malware packages in open source ecosystems bypass traditional vulnerability tracking entirely.
11% of CVEs lack severity scores
The CVSS coverage gap increased 6x during 2025 (3.3% to 19.6%), with Linux kernel alone contributing 5,000+ unscored CVEs.
5-day exploit window demands automation
Time-to-exploit has collapsed 92% since 2018, outpacing manual remediation cycles.
EPSS delivers 16x better efficiency than CVSS
Exploit probability scoring reduces remediation workload while maintaining coverage.
The 2025 vulnerability landscape demands a fundamental shift in how organizations approach security. CVE counts alone are misleading: Linux published 5,803 CVEs with only 0.02% exploited, while Windows published 1,244 with 2.33% exploited. The metric that matters is exploitation probability, not raw volume. Based on this year's threat landscape, these five actions will have the highest impact on reducing your organization's vulnerability exposure.
Expand beyond CVE-only vulnerability management
Integrate malware detection for open source dependencies. Monitor GHSA, OSV, and package registry advisories alongside CVEs.
Adopt exploit-probability prioritization
Supplement CVSS with EPSS and CISA KEV data. Focus remediation on vulnerabilities with evidence of active exploitation or high exploit probability.
Accelerate patching for edge infrastructure
VPNs, firewalls, and load balancers account for 44% of zero-days. Prioritize these devices for rapid patching with 24-48 hour SLAs.
Audit and retire end-of-life systems
46% of CISA KEV vulnerabilities target pre-2021 software. Create an inventory of EOL systems and establish migration timelines.
Automate vulnerability response workflows
With 132 CVEs published daily and 5-day exploit windows, manual triage is unsustainable. Implement automated detection, prioritization, and remediation pipelines.
Google Threat Intelligence predicts these trends will define the 2026 threat landscape. Organizations that succeed will be those that embrace automation (132 CVEs/day is unsustainable manually), prioritize by exploitation evidence (EPSS + KEV), and maintain visibility beyond CVEs into malware and supply chain threats. The window between disclosure and exploitation has collapsed. Your response capabilities must keep pace.
AI becomes the norm for attackers
Threat actors will move from using AI as an exception to using it across the entire attack lifecycle - reconnaissance, exploitation, and evasion.
Edge devices remain primary targets
China-nexus groups will continue aggressively targeting VPNs and firewalls with zero-day exploitation for stealthy, persistent access.
Virtualization infrastructure under attack
Already happening: BRICKSTORM pivots from edge devices to VMware vCenter/ESXi, cloning domain controllers. A single hypervisor compromise can expose hundreds of VMs.
Third-party providers become ransomware focus
Ransomware groups increasingly target service providers for high-volume data exfiltration via zero-day vulnerabilities.