VulnCheck Exploit Intelligence Report Separates Real-World Exploitation Activity from Theoretical Vulnerability Risk

Analysis Finds 1% of Vulnerabilities Were Exploited in the Wild in 2025 and Identifies the 50 Most Routinely Targeted Flaws of Last Year

VulnCheck, the exploit intelligence company, today released the 2026 VulnCheck Exploit Intelligence Report (VEIR), a first-of-its-kind analysis of real-world exploitation trends and attacker behavior, along with its inaugural list of the 50 most routinely targeted vulnerabilities of the past year. By separating vulnerability disclosure data from confirmed exploitation, the report is designed to help security teams prioritize remediation based on operational risk instead of raw volume.

The VEIR shows that while CVE disclosures and public proof-of-concept code increased significantly in 2025, just 1% of vulnerabilities were confirmed to be exploited in the wild, with a small subset driving disproportionate real-world impact. The report is based on data from over two dozen unique VulnCheck indices, more than 500 data sources and proprietary first-party intelligence. It examines attacker behavior and which vulnerabilities drove confirmed compromise during a year marked by AI-generated exploit code, geopolitical tension and uncertainty surrounding core vulnerability programs.

“The data shows that exploitation is concentrated in a very small number of vulnerabilities, but those vulnerabilities are being weaponized faster and at greater scale,” said Jacob Baines, Chief Technology Officer, VulnCheck. “At the same time, the volume of exploit content, much of it AI-generated slop, is making it harder to distinguish real operational risk from background noise.”

In 2025, VulnCheck tracked more than 14,400 exploits developed for 10,480 unique 2025 CVEs, a 16.5% year-over-year increase in same-year exploit coverage. Much of that growth was associated with AI-generated proof-of-concept code, including nonfunctional or misleading exploit content. Other key findings from the 2026 VEIR include:

  • 56.4% of 2025 ransomware CVEs were first identified through active zero-day exploitation, and roughly one-third still lacked public or commercial exploits as of January 2026
  • A 13% decrease in new vulnerabilities linked to named state-sponsored groups overall, with China-linked exploit attributions increasing and Iranian-linked activity decreasing
  • 884 vulnerabilities were added to VulnCheck’s Known Exploited Vulnerabilities dataset, with 47.7% carrying 2025 CVE identifiers
  • Deep dives into React2Shell, SharePoint exploitation, and ransomware groups including Cl0p, DragonForce, Earth Lamia, and RomCom

“Organizations are managing more disclosures than ever, but only a small fraction of those vulnerabilities see active exploitation,” said Caitlin Condon, Vice President of Research, VulnCheck. “The difficulty is identifying that fraction early enough to act. This analysis focuses on confirmed exploitation trends to improve prioritization decisions.”

The report also includes VulnCheck’s first-ever Routinely Targeted Vulnerabilities list, a rankable set of 50 CVEs disclosed and exploited in 2025 that demonstrated sustained attacker interest. The list is also available separately, along with associated metadata. See the full list here: https://www.vulncheck.com/2025-routinely-targeted-vulnerabilities.

The 2026 VulnCheck Exploit Intelligence Report is available here: https://wwv.vulncheck.com/2026-vulncheck-exploit-intelligence-report.

About VulnCheck

VulnCheck closes the exploitation-timing gap by enabling security teams to operate on attacker timelines instead of disclosure timelines. By delivering machine-consumable, evidence-driven intelligence on when vulnerabilities become exploitable and how attackers actually use them, VulnCheck helps organizations prepare earlier, respond decisively, and verify exploitation without relying on scores or delayed consensus. Follow the company on LinkedIn or X. To learn more about VulnCheck, visit https://vulncheck.com.
