Exposed and unaware: The state of enterprise security in 2025
The Edgescan 2025 Vulnerability Statistics Report offers a data-rich snapshot of the global cybersecurity landscape, drawing from thousands of assessments and penetration tests conducted in 2024.
Now in its 10th year, the report analyzes full-stack security trends across industries, highlighting common vulnerabilities, patching delays, and risk hotspots. With insights into exploit availability, attack surface exposure, and remediation timelines, it equips organizations with the data they need to make smarter, risk-based decisions.
The report highlights a persistent challenge in cybersecurity: not all vulnerabilities are created equal. Some occur infrequently but carry high breach potential—what Edgescan describes as “intensive” risks. Despite the availability of prioritization models like EPSS, CISA KEV, CVSS, and SSVC, their inconsistencies make it difficult to rely on any single framework for decision-making.
Patching continues to be a significant obstacle, particularly in production environments, as reflected in sluggish Mean Time to Remediation (MTTR) metrics. Many organizations still struggle with visibility, which is an essential factor in reducing risk. Alarmingly, vulnerabilities dating back to 2015 are still being exploited in active ransomware and malware campaigns.
Internal systems remain especially vulnerable, with attackers often chaining weaknesses across the technology stack to magnify impact. This makes Attack Surface Management (ASM) more critical than ever. Edgescan’s continuous asset profiling reveals that sensitive systems are frequently exposed to the public internet, often without the knowledge of the organizations themselves.
Ultimately, the data paints a clear picture: effective risk management depends on improving visibility, integrating multiple risk models, and addressing legacy vulnerabilities before they’re used against you.
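The report's point that CVSS, EPSS, CISA KEV and SSVC frequently disagree is easiest to see on concrete findings. The script below is an added example written for this page; it is not Edgescan's code or methodology, and the thresholds (EPSS 0.10, CVSS 7.0), the SSVC-style decision rules and the sample findings (labelled VULN-A to VULN-E, not real CVE identifiers) are assumptions constructed to illustrate how the single models can point in different directions and how a combined rule resolves them.

```python
"""Added example: combine CVSS, EPSS, CISA KEV membership and internet exposure
into one triage decision, and show where the single models disagree.

Illustrative only: not Edgescan's method. The thresholds, decision rules and
the sample findings below are assumptions constructed for this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed thresholds: EPSS >= 0.10 and CVSS >= 7.0 are treated as "high".
EPSS_HIGH = 0.10
CVSS_HIGH = 7.0
DECISION_ORDER = {"act": 0, "attend": 1, "track": 2}


@dataclass(frozen=True)
class Finding:
    ident: str             # constructed label, not a real CVE ID
    cvss: float            # CVSS v3 base score (0.0-10.0)
    epss: float            # EPSS exploit probability (0.0-1.0)
    in_kev: bool           # listed in the CISA KEV catalog
    internet_facing: bool  # reachable from the public internet
    cve_year: int          # year the underlying CVE was published


def single_model_verdicts(f: Finding) -> Dict[str, bool]:
    """What each model says on its own: True means 'prioritise this'."""
    return {
        "cvss": f.cvss >= CVSS_HIGH,
        "epss": f.epss >= EPSS_HIGH,
        "kev": f.in_kev,
    }


def models_disagree(f: Finding) -> bool:
    """True when the single models do not all reach the same verdict."""
    return len(set(single_model_verdicts(f).values())) > 1


def triage(f: Finding) -> str:
    """SSVC-style decision: 'act' (patch now), 'attend' (schedule), 'track' (watch).

    KEV membership is treated as proof of exploitation and wins outright;
    EPSS carries exploit likelihood; a high CVSS score only escalates when
    the asset is internet-facing. These rules are an assumption of the example.
    """
    if f.in_kev:
        return "act"
    if f.epss >= EPSS_HIGH and f.internet_facing:
        return "act"
    if f.epss >= EPSS_HIGH or (f.cvss >= CVSS_HIGH and f.internet_facing):
        return "attend"
    return "track"


def prioritize(findings: List[Finding]) -> List[Tuple[str, str]]:
    """Return (ident, decision) pairs, most urgent first, EPSS breaking ties."""
    ranked = sorted(findings, key=lambda f: (DECISION_ORDER[triage(f)], -f.epss))
    return [(f.ident, triage(f)) for f in ranked]


def legacy_exploited(findings: List[Finding], cutoff_year: int) -> List[str]:
    """Old vulnerabilities (CVE year <= cutoff) that are known or likely exploited."""
    return [f.ident for f in findings
            if f.cve_year <= cutoff_year and (f.in_kev or f.epss >= EPSS_HIGH)]


# Constructed sample findings (not real CVEs; values chosen to expose disagreement).
SAMPLE = [
    Finding("VULN-A", cvss=9.8, epss=0.02,  in_kev=False, internet_facing=True,  cve_year=2024),
    Finding("VULN-B", cvss=6.5, epss=0.45,  in_kev=True,  internet_facing=False, cve_year=2015),
    Finding("VULN-C", cvss=5.3, epss=0.30,  in_kev=False, internet_facing=True,  cve_year=2023),
    Finding("VULN-D", cvss=7.5, epss=0.01,  in_kev=False, internet_facing=False, cve_year=2019),
    Finding("VULN-E", cvss=4.0, epss=0.005, in_kev=False, internet_facing=True,  cve_year=2024),
]

if __name__ == "__main__":
    for f in SAMPLE:
        state = "disagree" if models_disagree(f) else "agree"
        print(f.ident, single_model_verdicts(f), state, "->", triage(f))
    print(prioritize(SAMPLE))
    print("legacy exploited:", legacy_exploited(SAMPLE, 2015))
```

Note how VULN-A (CVSS 9.8, negligible EPSS) and VULN-B (CVSS 6.5, in KEV) would swap places under a CVSS-only policy; the combined rule puts the KEV entry first and schedules the high-CVSS item only because it is internet-facing, which is the kind of exposure data an ASM inventory supplies.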
Key findings from the 2025 report include:
- Across the full stack, more than 33% of discovered vulnerabilities were of critical or high severity.
- SQL Injection (CWE-89) remains the most common critical web application vulnerability, continuing a trend since 2022.
- The MTTR for a critical-severity web application vulnerability is 35 days, while internet-facing host/cloud vulnerabilities take 61 days on average.
- In 2024, a record-breaking 40,009 CVEs were published.
- The CISA KEV catalog contained 1,238 vulnerabilities by the end of 2024, with 185 added during the year.
- 768 CVEs were publicly reported as exploited for the first time in the wild in 2024, representing 2% of all discovered vulnerabilities and a 20% increase from 2023.
Download: 10th Edition of the Edgescan 2025 Vulnerability Statistics Report.