99% of API vulnerabilities are remotely exploitable.

In 2025, 17% of 67,058 published vulnerabilities (11,053 vulnerabilities) were API-related.

25% of ICS-CERT and NVD vulnerabilities have incorrect CVSS scores.

11% of detected vulnerabilities have a known exploit.

The most widely detected vulnerability is CVE-2013-2566, which dates to 2013.

In 2025, 14% of published AI vulnerabilities were MCP-related (315 MCP-related vulnerabilities).

97% of API vulnerabilities can be exploited with a single request.

MCP vulnerabilities grew 270% from Q2 to Q3 in 2025.

98% of API vulnerabilities are easy or trivial to exploit.

59% of API vulnerabilities require no authentication.

26% percent of advisories in 2025 contained no patch or mitigation from vendors.

63% of mid-sized AppSec teams (11–50 members) that use SCA cite the inability to verify if vulnerabilities are exploitable in production as their biggest pain point.

58% of large AppSec teams (50 members or more) that use SCA cite the inability to verify if vulnerabilities are exploitable in production as a major pain point.

38% of small AppSec teams (1–10 members) that use SCA cite the inability to verify if vulnerabilities are exploitable in production as their biggest pain point.

N-day vulnerabilities represent over 80% of all Known Exploited Vulnerabilities (KEVs) tracked over the past four years.

In 2025, 37 N-day vulnerabilities and 52 zero-day vulnerabilities specifically targeted security and perimeter software.

Of the 65 CVEs discussed by the BlackBasta ransomware group, 54 are Known Exploited Vulnerabilities (KEVs).

71% of exploited vulnerabilities are not in the CISA KEV catalog.

242 vulnerabilities are added to the CISA Known Exploited Vulnerabilities catalog, a 30% year-over-year increase, and 285 vulnerabilities are added to the Vedere Labs KEV, a 213% year-over-year increase.

AI-generated code results in 15–18% more security vulnerabilities per line of code compared to human-written code.