Only one percent of vulnerabilities were actually exploited last year


We’re constantly told that the number of vulnerabilities is ever increasing, but a new report from VulnCheck shows that while CVE disclosures and public proof-of-concept code increased significantly in 2025, just one percent of vulnerabilities were confirmed to be exploited in the wild, with a small subset driving disproportionate real-world impact.

“The data shows that exploitation is concentrated in a very small number of vulnerabilities, but those vulnerabilities are being weaponized faster and at greater scale,” says Jacob Baines, chief technology officer, VulnCheck. “At the same time, the volume of exploit content, much of it AI-generated slop, is making it harder to distinguish real operational risk from background noise.”

The VulnCheck Exploit Intelligence Report (VEIR) is based on data from over two dozen unique VulnCheck indices, more than 500 data sources and proprietary first-party intelligence. It examines attacker behavior and which vulnerabilities drove confirmed compromise during a year marked by AI-generated exploit code, geopolitical tension and uncertainty surrounding core vulnerability programs.

Findings include that 56.4 percent of 2025 ransomware CVEs were first identified through active zero-day exploitation, and roughly a third still lacked public or commercial exploits as of January 2026.

There has been a 13 percent decrease in new vulnerabilities linked to named state-sponsored groups overall, with China-linked exploit attributions increasing and Iranian-linked activity decreasing.

“Organizations are managing more disclosures than ever, but only a small fraction of those vulnerabilities see active exploitation,” says Caitlin Condon, vice president of research, VulnCheck. “The difficulty is identifying that fraction early enough to act. This analysis focuses on confirmed exploitation trends to improve prioritization decisions.”

You can get the full report from the VulnCheck site.
