APIs and hardware are under attack, and the numbers don’t look good

Attackers have a new favorite playground, and it’s not where many security teams are looking. According to fresh data from Bugcrowd, vulnerabilities in hardware and APIs are climbing fast, even as website flaws hold steady. The shift shows how attackers are adapting to infrastructure, going after the hidden systems that keep businesses running.

[Figure: API and hardware vulnerabilities] This graph shows the number of vulnerabilities over the past three years (Source: Bugcrowd)

“We are in a high-stakes innovation race, but with every AI advance, the security landscape becomes exponentially more complex. Attackers are exploiting this complexity, but still targeting foundational layers like hardware and APIs. No single CISO can win this race alone. To thrive, we must move beyond isolated efforts and cultivate a collective resilience of collaboration—pooling our knowledge of the hacker community to outpace emerging threats together,” said Nicholas McKenzie, CISO, Bugcrowd.

Why some vulnerabilities are rising

Hardware weaknesses saw the steepest climb in 2024, with an 88% increase compared to the previous year. Many security researchers reported encountering entirely new hardware vulnerabilities they hadn’t seen before.

API vulnerabilities also rose, increasing by 10% year over year. APIs remain a key target because they sit at the heart of applications, directly exposing business logic and sensitive data. Attackers know that even a small flaw can have an outsized impact.

Many security programs start by focusing on websites, then expand to other areas as they mature. As teams widen their scope, they uncover vulnerabilities in less common targets like IoT devices, networks, and hardware systems. The data suggests attackers are following this expansion closely.

Broken access control leads critical flaws

Some vulnerability categories stand out for their growth and impact. Broken access control rose by 40% overall in 2024 and jumped 36% for critical, top-priority issues. This type of flaw is attractive to attackers because it’s easy to exploit and often exposes sensitive data or internal systems.

Access control issues are also difficult for developers to manage, especially as apps grow more complex and teams adopt AI-driven coding tools. Rapid release cycles can cause security to slip through the cracks, making broken access control a persistent problem.

The good news is that critical API and website vulnerabilities have decreased slightly over the past three years, with APIs down about 25% and websites down 30%. This suggests developers are making progress in these areas, though attackers are shifting their attention to other targets.

Sensitive data exposure remains a top concern

Sensitive data exposure is another area seeing significant activity. The report found a 42% increase in critical vulnerabilities tied to personal information like names, addresses, and account details.

Exposed data often ends up being sold, used for phishing, or held for ransom. Sometimes the breach isn’t discovered for months or even years, giving attackers plenty of time to cause damage.

Rising payouts signal shifting priorities

As vulnerabilities shift, so do the rewards for finding them. Average payouts for critical vulnerabilities rose 32% in 2024. While overall payout levels stayed relatively flat, organizations are paying more for the most severe issues and less for lower-priority ones.

This trend shows that companies are placing higher value on preventing catastrophic breaches. By directing more budget toward the biggest risks, CISOs can incentivize testing that uncovers the flaws that matter most.
