VulnCheck Report: Only 1% of Flaws See Real-World Exploitation

📊 Key Data
  • 1% of flaws exploited: Only 1% of the 40,000+ vulnerabilities reported in 2025 saw confirmed real-world exploitation.
  • 422 actively exploited: Out of 40,000+ vulnerabilities, just 422 were actively exploited in 2025.
  • 28% zero-day exploitation: 28.96% of Known Exploited Vulnerabilities (KEVs) were exploited on or before their public disclosure.
🎯 Expert Consensus

Experts agree that cybersecurity teams must shift from a compliance-driven patch-everything approach to an intelligence-driven strategy prioritizing vulnerabilities with confirmed real-world exploitation.


LEXINGTON, Mass. – February 25, 2026 – A groundbreaking report released today by exploit intelligence firm VulnCheck reveals a stark disconnect between the sheer volume of cybersecurity vulnerabilities disclosed and the number that are actually weaponized by attackers. The 2026 VulnCheck Exploit Intelligence Report (VEIR) found that while over 40,000 new vulnerabilities were reported in 2025, a mere 1% saw confirmed exploitation in the wild, challenging long-held security practices and highlighting a growing “prioritization crisis” for defenders.

The comprehensive analysis, which draws from over 500 data sources and proprietary intelligence, argues that security teams are being overwhelmed by a deluge of alerts for theoretical risks, while a small, concentrated set of vulnerabilities drives the vast majority of real-world compromises. To help organizations focus their efforts, the report was released alongside VulnCheck's inaugural list of the 50 most routinely targeted vulnerabilities of the past year.

The Prioritization Crisis: Drowning in a Sea of Alerts

For years, cybersecurity teams have contended with an ever-increasing number of Common Vulnerabilities and Exposures (CVEs). However, the VEIR data suggests this explosion in disclosures is creating more noise than signal. With only 422 of the tens of thousands of new defects in 2025 being actively exploited, the report validates the feeling of “vulnerability fatigue” that has become pervasive across the industry.

“Organizations are managing more disclosures than ever, but only a small fraction of those vulnerabilities see active exploitation,” said Caitlin Condon, Vice President of Research at VulnCheck, in the company's announcement. “The difficulty is identifying that fraction early enough to act.”

The report posits that traditional indicators of risk are becoming less reliable. Security teams that attempt to patch every high-severity flaw are fighting a losing battle, wasting critical resources on threats that may never materialize. Instead, the VEIR advocates for a shift in strategy: prioritizing remediation based on operational risk informed by real-world exploit intelligence.

This approach moves away from a compliance-driven, patch-everything model to an intelligence-driven framework focused on what attackers are actively doing. By separating confirmed exploitation from the background noise of theoretical vulnerabilities, organizations can allocate their limited time and personnel to mitigating the threats that pose a clear and present danger.

Beyond CVSS: A New Paradigm for Risk Management

The findings present a direct challenge to the industry’s long-standing reliance on the Common Vulnerability Scoring System (CVSS). While CVSS provides a standardized measure of a vulnerability’s technical severity, it was never designed to predict its likelihood of exploitation. A critical-rated vulnerability that is difficult to exploit may pose less real-world risk than a medium-severity flaw that has a simple, publicly available exploit.

VulnCheck's analysis underscores this gap. The company added 884 vulnerabilities to its Known Exploited Vulnerabilities (KEV) dataset in 2025, with nearly half (47.7%) being flaws disclosed that same year. Critically, the report found that 28.96% of these KEVs were exploited on or before the day their CVE identifier was publicly published, highlighting the prevalence of zero-day attacks and the incredible speed at which attackers weaponize newly disclosed flaws (n-days).

This velocity renders traditional, disclosure-based patching timelines dangerously inadequate. By the time a CVE is published and scored, attackers may already be inside a network. The report argues that the only effective defense is to operate on attacker timelines, using evidence-driven intelligence to identify and remediate exploited vulnerabilities with extreme prejudice. This model emphasizes the importance of threat intelligence feeds that track exploitation activity in real-time, allowing security teams to react to what is happening, not just what could happen.
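The gap between severity and exploitation evidence described in this section can be made concrete with a small triage sketch. This is an added example, not code from VulnCheck or the report: the finding IDs, scores and dates are constructed, and the ranking rule (confirmed exploitation first, then CVSS) is an illustrative assumption rather than the report's method.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass(frozen=True)
class Finding:
    vuln_id: str                     # constructed placeholder, not a real CVE
    cvss: float                      # technical severity score
    published: date                  # public disclosure date
    first_exploited: Optional[date]  # None = no confirmed exploitation evidence


# Constructed sample backlog (assumed data, for illustration only).
FINDINGS = [
    Finding("EXAMPLE-0001", 9.8, date(2025, 3, 10), None),
    Finding("EXAMPLE-0002", 6.5, date(2025, 4, 2), date(2025, 3, 28)),
    Finding("EXAMPLE-0003", 7.5, date(2025, 5, 20), date(2025, 6, 15)),
    Finding("EXAMPLE-0004", 9.1, date(2025, 6, 1), None),
    Finding("EXAMPLE-0005", 5.3, date(2025, 7, 7), date(2025, 7, 7)),
]


def cvss_order(findings: List[Finding]) -> List[str]:
    """Severity-only queue: highest CVSS first, exploitation evidence ignored."""
    return [f.vuln_id for f in sorted(findings, key=lambda f: -f.cvss)]


def evidence_order(findings: List[Finding]) -> List[str]:
    """Evidence-first queue: confirmed exploitation outranks any CVSS score;
    CVSS only breaks ties inside each group."""
    ranked = sorted(findings, key=lambda f: (f.first_exploited is None, -f.cvss))
    return [f.vuln_id for f in ranked]


def share_exploited_by_disclosure(findings: List[Finding]) -> float:
    """Fraction of exploited findings first exploited on or before publication."""
    exploited = [f for f in findings if f.first_exploited is not None]
    if not exploited:
        return 0.0
    early = [f for f in exploited if f.first_exploited <= f.published]
    return len(early) / len(exploited)


if __name__ == "__main__":
    print("CVSS-only queue:     ", cvss_order(FINDINGS))
    print("Evidence-first queue:", evidence_order(FINDINGS))
    print("Exploited on/before disclosure:", share_exploited_by_disclosure(FINDINGS))
```

In the constructed backlog, the two critical-rated findings lead the CVSS-only queue but fall behind all three findings with confirmed exploitation in the evidence-first queue.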

The Attacker's Playbook: AI, Zero-Days, and Edge Devices

The VEIR also provides a detailed look into the evolving tactics of cyber adversaries. One of the most significant trends of 2025 was the rise of AI-generated exploit code. VulnCheck tracked a 16.5% year-over-year increase in exploit development, much of it associated with artificial intelligence. However, this has been a double-edged sword.

“The volume of exploit content, much of it AI-generated slop, is making it harder to distinguish real operational risk from background noise,” noted Jacob Baines, Chief Technology Officer at VulnCheck. While AI can accelerate exploit creation, it also floods the ecosystem with nonfunctional or misleading code, further complicating the prioritization challenge for defenders.

Meanwhile, attackers continue to favor high-impact strategies. The report reveals a strong link between zero-day vulnerabilities and ransomware, with 56.4% of ransomware-related CVEs in 2025 first being identified through active, in-the-wild exploitation. This indicates that criminal groups are increasingly purchasing or developing their own zero-day exploits rather than waiting for public disclosures.

The report's “Routinely Targeted Vulnerabilities” list identifies the specific flaws and technologies that attracted the most sustained attacker interest. Network edge devices—such as VPNs, firewalls, and other internet-facing appliances—were the most targeted category, accounting for 28% of the top threats. Vendors like Microsoft (with nine vulnerabilities on the list), Ivanti (five), and Fortinet (four) featured prominently. Notable examples of mass exploitation in 2025 included the React2Shell vulnerability (CVE-2025-55182) and a series of SharePoint zero-days that compromised over 400 organizations, including U.S. government agencies.

Shifting Geopolitical Tides in Cyberspace

Beyond criminal activity, the report sheds light on trends in nation-state cyber operations. Overall, 2025 saw a 13% decrease in new vulnerabilities linked to named state-sponsored groups. However, the landscape is not uniform. The data shows a notable increase in exploit attributions linked to Chinese state-sponsored actors, while activity attributed to Iranian groups appeared to decrease.

This finding provides a geopolitical lens through which to view the threat landscape, suggesting shifts in focus and priorities among major global cyber powers. As tensions evolve, the types of vulnerabilities and targets selected by these advanced persistent threat (APT) groups will likely change in tandem, requiring continuous monitoring by threat intelligence analysts and national security organizations.

Ultimately, the 2026 VulnCheck Exploit Intelligence Report serves as a critical call to action for the cybersecurity industry. In an environment defined by overwhelming data and rapidly evolving adversaries, the path forward requires a fundamental shift from theoretical risk management to an evidence-based defense strategy. For security teams on the front lines, focusing on the 1% of vulnerabilities that truly matter is no longer just a best practice—it is an operational imperative for survival.
