26.9% of KEVs first seen in 1H-2025 were still awaiting analysis by NIST.

The top five categories for KEVs in 1H-2025 are: Content Management Systems (CMS): 86 KEVs, with a significant volume attributed to WordPress Plug-ins; Network Edge Devices: 77 KEVs; Server Software: 61 KEVs; Open Source Software: 55 KEVs; and Operating Systems: 38 KEVs.

Vendors with Highest Number of KEVs in 1H-2025: Microsoft: 32 KEVs, with 26 of these being for Windows; Cisco: 10 KEVs; Apple OS: 6 KEVs; Totolink Networking Devices: 6 KEVs; and VMware: 6 KEVs.

In 2H-2024, 44 KEVs were attributed to the North Korean cyber group Silent Chollima.

Reports of KEVs associated with China and North Korea decreased in 1H-2025, while reports associated with Russia and Iran increased.

In 1H-2025, 29 KEVs were attributed to Iranian threat actors.

4.4% of KEVs are in a deferred status by NIST, meaning they are no longer maintained or updated

32.1% of vulnerabilities (Known Exploited Vulnerabilities - KEVs) had exploitation evidence on or before the day of their CVE disclosure, often indicating zero-day exploitation. This marks an 8.5% increase in the percentage of KEVs exploited on or before disclosure compared to 23.6% in 2024.

In 2H-2024, 66 KEVs were attributed to the Chinese threat actor Flax Typhoon (AKA Ethereal Panda).

75% of organisations have BMS affected by known exploited vulnerabilities (KEVs).

Within organisations affected by KEVS that are also linked to ransomware and are insecurely connected to the internet, 2% of devices contain the same high level of risk, meaning they are essential to business operations and are operating at the highest level of risk exposure

Of the organisations affected by KEVs, 51% are affected by KEVs that are also linked to ransomware and are insecurely connected to the internet.