Download: Edgescan 2025 Vulnerability Statistics Report
Edgescan’s 2025 Vulnerability Statistics Report explores risk density patterns across network/device and application layers, uncovers complex vulnerabilities that automated tools consistently miss, and evaluates the real-world effectiveness of leading vulnerability scoring methodologies, including EPSS, CISA KEV, CVSS, and our proprietary EVSS system.
This year’s findings reveal significant industry variances in vulnerability remediation efficiency, with software companies achieving the fastest mean time to remediate (63 days), while construction sector organizations lag considerably (104 days).
Edgescan also identified concerning patterns in vulnerability management, with larger enterprises leaving 45.4% of discovered vulnerabilities unresolved within a 12-month period—predominantly within the network/device layer.
Key findings from the 2025 report include:
- Across the full stack, more than 33% of discovered vulnerabilities were of critical or high severity
- SQL Injection (CWE-89) remains the most common critical web application vulnerability, continuing a trend since 2022
- In 2024, a record-breaking 40,009 CVEs were published
- The CISA KEV catalog contained 1,238 vulnerabilities by the end of 2024, with 185 added during the year
- 768 CVEs were publicly reported as exploited in the wild for the first time in 2024, representing 2% of all discovered vulnerabilities and a 20% increase from 2023