Full Report
Too many defenders and researchers are paying attention to defects and unsubstantiated exploit concepts that aren’t worth their time, VulnCheck’s Caitlin Condon said. The post Vulnerabilities grew like weeds in 2025, but only 1% were weaponized in attacks appeared first on CyberScoop.
Analysis Summary
# Industry News: The 2025 Vulnerability Deluge vs. Reality Gap
## Summary
A new report from VulnCheck reveals a massive "signal-to-noise" problem in cybersecurity: while over 40,000 vulnerabilities were disclosed in 2025, only 1% (422) were actually weaponized in real-world attacks. The data suggests that current prioritization metrics are failing, as defenders struggle to distinguish between theoretical defects and verified operational risks.
## Key Details
- **Date:** February 25, 2026
- **Companies Involved:** VulnCheck (Primary), Microsoft, Ivanti, Fortinet, VMware
- **Category:** Market Analysis / Threat Intelligence Report
## The Story
In 2025, the volume of Common Vulnerabilities and Exposures (CVEs) reached a "ludicrous" level, according to VulnCheck. Despite the flood of over 40,000 new defects, the vast majority remain unexploited. The report highlights a critical breakdown in traditional vulnerability management: Common Vulnerability Scoring System (CVSS) ratings are losing their effectiveness as a primary prioritization tool because they often grade theoretical severity rather than active exploitation.
The research identifies "Network Edge" devices (firewalls, VPNs, and gateways) as the primary battleground, accounting for 28% of the top targeted technologies. Many of these devices rely on decade-old codebases that attackers can easily analyze and exploit using automated pipelines. Microsoft led the "repeat offender" list with nine of the top 50 most-targeted vulnerabilities, notably in SharePoint, where four zero-days were leveraged to breach over 400 organizations, including major U.S. federal agencies.
## Business Impact
### For the Companies Involved
- **VulnCheck:** Positions itself as a critical filter for the "noise" in the market, strengthening its value proposition in the threat intelligence space.
- **Top Vendors (Microsoft, Ivanti, Fortinet):** Facing continued reputational pressure and "patch fatigue" among their customer bases due to their frequent appearance on "most-targeted" lists.
### For Competitors
- **Security Rating Services:** Competitors must shift focus from quantity (finding every bug) to quality (identifying weaponized bugs) to remain relevant.
- **Next-Gen Edge Vendors:** Startups offering modern, "memory-safe" edge architectures may find a competitive advantage over legacy vendors with 10-year-old codebases.
### For Customers
- **Resource Allocation:** Organizations spend significant labor patching high-CVSS vulnerabilities for which there is no evidence of exploitation, while the few that are actually being attacked wait in the same queue.
- **Operational Risk:** Attention spent on "weeds" (defects no attacker has used) leaves organizations exposed to the 1% of vulnerabilities that act as "heavy hitters."
### For the Market
- **Shift in Prioritization Tools:** Increased market demand for "Exploit Intelligence" and for decision frameworks such as Stakeholder-Specific Vulnerability Categorization (SSVC), which key on exploitation status and exposure, over traditional CVSS-heavy models.
## Technical Implications
Attackers have achieved a "technical asymmetry": automated analysis pipelines diff vendor patches to produce n-day exploits within days of release, and the same tooling pointed at legacy edge software surfaces new, unpatched flaws that become zero-days. The report's conclusion is that prioritization anchored on confirmed exploitation (the "Known Exploited Vulnerabilities," or KEV, model) is the only approach that still scales to this volume; CVSS severity on its own does not.
## Strategic Analysis
- **Market Positioning:** Vulnerability management is shifting from a "discovery" market to a "curation" market.
- **Competitive Advantage:** Firms that can provide "verified" exploit intelligence will dominate over those providing simple scanning tools.
- **Challenges:** The sheer volume of CVEs is outstripping the human capacity to verify them, requiring more AI-driven defensive automation.
## Industry Reactions
- **Caitlin Condon (VulnCheck VP):** Notes that defenders "don't know what to pay attention to" and that indicators of risk which used to be reliable are now failing.
- **Market Sentiment:** Growing frustration with "unsubstantiated exploit concepts" and with researchers who publish defects that pose no demonstrated real-world threat.
## Future Outlook
- **Predictive Prioritization:** Expect a surge in products that promise to predict *which* 1% of vulnerabilities will be weaponized before it happens.
- **Legacy Edge Retirement:** Increased regulatory and insurance pressure on companies to replace edge devices running on ancient, un-refactored codebases.
## For Security Professionals
Practitioners should pivot their vulnerability management programs toward the **CISA Known Exploited Vulnerabilities (KEV) catalog** and commercial exploit intelligence feeds, and treat a "Critical" CVSS score on its own as a weak signal rather than a work order; budget and personnel should go first to vulnerabilities with a proven link to ransomware or state-sponsored activity. Two caveats apply. KEV records only exploitation that has been confirmed, so absence from the catalog is not evidence of safety, and the report's own finding that network-edge devices are the primary battleground argues for patching internet-facing firewalls, VPNs and gateways on a short clock regardless of catalog status. Second, exploit intelligence says what is being attacked, not what a compromise would cost you; pair it with asset exposure and business impact (the inputs SSVC is built around) before finalizing the queue.
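The exploitation-first triage described here, in the Technical Implications section and in the SSVC point under "For the Market," as an added Python example; this is not code from VulnCheck, CISA or CyberScoop. The KEV sample, the scanner export and every CVE identifier in it are constructed for illustration. The JSON field names follow CISA's published KEV feed (cveID, vendorProject, product, dateAdded, dueDate, knownRansomwareCampaignUse); the four-tier rule is an assumption chosen to show the point, not the SSVC decision tree.

```python
"""Rank scanner findings by exploitation evidence before CVSS.

Added example (not VulnCheck's, CISA's or CyberScoop's code). KEV_SAMPLE is a
constructed stand-in for CISA's KEV JSON feed, whose real URL is
https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json;
the field names match that feed, the CVE IDs are fictional.
"""
import json

# Constructed KEV excerpt: two entries, one tagged with ransomware use.
KEV_SAMPLE = json.dumps({
    "title": "constructed sample, not the real catalog",
    "vulnerabilities": [
        {"cveID": "CVE-2025-10001", "vendorProject": "ExampleVendor",
         "product": "EdgeGateway", "dateAdded": "2025-07-20",
         "dueDate": "2025-08-10", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2025-10002", "vendorProject": "ExampleVendor",
         "product": "PortalServer", "dateAdded": "2025-09-02",
         "dueDate": "2025-09-23", "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed scanner export: note the 9.8 that nobody is exploiting.
SCAN_FINDINGS = [
    {"cve": "CVE-2025-10001", "cvss": 7.5, "asset": "vpn-gw-01", "internet_facing": True},
    {"cve": "CVE-2025-10002", "cvss": 5.4, "asset": "intranet-web", "internet_facing": False},
    {"cve": "CVE-2025-10003", "cvss": 9.8, "asset": "build-server", "internet_facing": False},
    {"cve": "CVE-2025-10004", "cvss": 9.1, "asset": "fw-edge-02", "internet_facing": True},
]


def load_kev(feed_text):
    """Index a KEV-shaped JSON document by CVE ID."""
    data = json.loads(feed_text)
    return {entry["cveID"]: entry for entry in data["vulnerabilities"]}


def priority(finding, kev):
    """Assign a tier (0 = most urgent) and a reason. The tiers are an assumed
    illustration: confirmed exploitation outranks any CVSS score, and only
    exposed edge assets earn a bump on severity alone (the report's edge-device
    finding), because KEV lists confirmed attacks, not every possible one."""
    entry = kev.get(finding["cve"])
    if entry and entry.get("knownRansomwareCampaignUse") == "Known":
        return 0, "in KEV, used in ransomware campaigns"
    if entry:
        return 1, "in KEV, exploitation confirmed"
    if finding["internet_facing"] and finding["cvss"] >= 9.0:
        return 2, "no exploitation evidence, but critical on an exposed edge asset"
    return 3, "no exploitation evidence; routine patch cycle"


def rank(findings, kev):
    """Order findings by tier, then CVSS descending, then CVE ID for stability."""
    scored = [(*priority(f, kev), f) for f in findings]
    scored.sort(key=lambda t: (t[0], -t[2]["cvss"], t[2]["cve"]))
    return [
        {"cve": f["cve"], "asset": f["asset"], "cvss": f["cvss"], "tier": tier,
         "reason": reason, "due": kev.get(f["cve"], {}).get("dueDate")}
        for tier, reason, f in scored
    ]


def exploitation_coverage(findings, kev):
    """Fraction of findings with confirmed exploitation: the 'signal' share."""
    hits = sum(1 for f in findings if f["cve"] in kev)
    return hits / len(findings) if findings else 0.0


if __name__ == "__main__":
    catalog = load_kev(KEV_SAMPLE)
    for row in rank(SCAN_FINDINGS, catalog):
        print(f"tier {row['tier']}  {row['cve']}  cvss {row['cvss']:<4} "
              f"{row['asset']:<13} due {row['due'] or '-':<11} {row['reason']}")
    print(f"findings with confirmed exploitation: "
          f"{exploitation_coverage(SCAN_FINDINGS, catalog):.0%}")
```

With the constructed data the CVSS 5.4 finding that is in KEV lands above the CVSS 9.8 finding that is not, which is the page's argument in one table; swap `KEV_SAMPLE` for the real feed and `SCAN_FINDINGS` for a scanner export to apply the same ordering to a live queue. The coverage number is the local counterpart to the report's 1% figure.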