2025 vs. 2024


The Year the Rules Broke

OVERVIEW

2025 was not just another year of incremental growth in vulnerabilities. It was a year where the rules changed.

A side-by-side comparison of the 2024 and 2025 landscapes tells the story. Global CVE publications crossed 48,000+ for the first time. And the metrics that actually govern risk, such as severity distribution, exploitation speed, and zero-day volume, spiked aggressively. Attackers are finding, weaponizing, and exploiting flaws fundamentally faster than traditional supply chain defenses can adapt.

Year-over-year: The 2025 shift (table; columns: 2024 | 2025 | Change; values were rendered as graphics)

Global CVEs published (CVEs)
CISA KEV additions (CVEs added)
Zero-days tracked (zero-days)
High/critical (of KEV) (high/critical)
Time-to-exploitation (before disclosure) ⟲ INVERTED

The Problem

You Can’t Patch 48,000 CVEs

Global CVE publications surpassed 48,000+ in 2025, an 18% increase from approximately 41,000 CVEs published in 2024. This trajectory shows no signs of slowing. Vulnerability researchers, AI-assisted discovery tools, and expanded bug bounty programs are accelerating disclosure rates across the industry.

But raw volume is a distraction. Patching 48,000+ vulnerabilities is impossible. The real question for Third-Party Cyber Risk Management (TPCRM) is: which ones actually matter to your supply chain?

The answer lies in three filters: discoverability, exploitability, and vendor exposure.

CVEs Published by Year (1999-2025)

Four Key Shifts in 2025

1. More Exploited Vulnerabilities, Same High Bar.

CISA's Known Exploited Vulnerabilities catalog expanded by 32% in one year, from 186 additions in 2024 to 245 in 2025. This isn't noise; KEV has a high bar for new additions. Roughly 85% of the 2025 additions were High or Critical severity (CVSS 7.0+), consistent with prior years.

The signal: more vulnerabilities are being actively weaponized and documented. Microsoft led the list (39 entries), followed by Apple (9), Cisco (8), and Google (7). Fortinet's footprint grew notably (+3 entries YoY), while Ivanti's dropped (-4) after surging in 2024.

For TPCRM teams, the implication is clear: the volume of confirmed threats your vendors face is expanding. Prioritization can't scale through manual review.

CISA KEV Additions by Vendor

2. The Exploitation Window Closed. Then Inverted.

The remediation window didn't just shrink in 2025; it inverted. In 2023, the average time from disclosure to exploitation was 5 days. In 2024, it stretched to 14 days, partly due to a surge in medium-severity disclosures. In 2025, the trend flipped to -7 days. Attackers are now routinely exploiting vulnerabilities a full week before public disclosure or patch availability, which means the traditional patch lifecycle is fundamentally broken.

Compounding this: the median time from initial access to hand-off to a secondary threat actor (such as a ransomware operator) plummeted from 8 hours in 2022 to just 22 seconds in 2025. Once a vendor is compromised, escalation in severity is nearly instantaneous. A compromised vendor becomes a ransomware target in seconds.
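To make the three filters (discoverability, exploitability, vendor exposure) and the time-to-exploitation metric concrete, here is an added Python example that is not from the report or Black Kite's tooling: it triages a constructed CVE feed, treating a negative disclosure-to-exploitation gap as the "inverted" case. The externally_visible flag, the vendor names, the placeholder IDs and the dates are all assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Set

@dataclass
class CveRecord:
    cve_id: str               # placeholder IDs below, not real CVE identifiers
    vendor: str
    cvss: float
    in_kev: bool              # listed in CISA KEV = confirmed active exploitation
    externally_visible: bool  # assumption: the flawed component is observable from outside
    disclosed: date
    first_exploited: Optional[date] = None  # None when no exploitation is known

def time_to_exploitation(rec: CveRecord) -> Optional[int]:
    """Days from public disclosure to first known exploitation.
    Negative = exploited before disclosure, the inverted window the report describes."""
    if rec.first_exploited is None:
        return None
    return (rec.first_exploited - rec.disclosed).days

def prioritize(records: List[CveRecord], my_vendors: Set[str],
               cvss_floor: float = 7.0) -> List[str]:
    """Apply the three filters, then rank what survives.
    vendor exposure: only vendors in the monitored supply chain
    exploitability:  in KEV, or CVSS at/above the high/critical floor (7.0)
    discoverability: the component is externally visible"""
    kept = [r for r in records
            if r.vendor in my_vendors
            and (r.in_kev or r.cvss >= cvss_floor)
            and r.externally_visible]
    def rank(r: CveRecord):
        tte = time_to_exploitation(r)
        pre_disclosure = tte is not None and tte < 0
        return (r.in_kev, pre_disclosure, r.cvss)  # KEV first, then pre-disclosure, then CVSS
    kept.sort(key=rank, reverse=True)
    return [r.cve_id for r in kept]

# Constructed sample feed; IDs, vendors and dates are made up for illustration.
SAMPLE = [
    CveRecord("EXAMPLE-1", "VendorA", 9.8, True,  True, date(2025, 3, 10), date(2025, 3, 3)),
    CveRecord("EXAMPLE-2", "VendorA", 8.1, False, True, date(2025, 4, 1)),
    CveRecord("EXAMPLE-3", "VendorB", 9.0, True,  True, date(2025, 5, 2), date(2025, 5, 9)),
    CveRecord("EXAMPLE-4", "VendorA", 5.3, False, True, date(2025, 6, 15)),
    CveRecord("EXAMPLE-5", "VendorA", 7.5, True,  True, date(2025, 7, 1), date(2025, 7, 20)),
]

if __name__ == "__main__":
    for cve_id in prioritize(SAMPLE, {"VendorA"}):
        print(cve_id)
```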

Time-to-Exploitation: From Disclosure to Attack

3. The KEV Catalog Grew, But Attribution Stayed Murky.

The CISA Known Exploited Vulnerabilities (KEV) catalog expanded by 32% from 2024 to 2025, with 245 new actively exploited flaws added. Despite this growth in confirmed exploitation, attribution remains a significant intelligence gap. Only 24 of these additions (9.8%) were explicitly linked to known ransomware campaigns. The remaining 221 exploited vulnerabilities carry "Unknown" attribution, showing that severe threat intelligence gaps persist even as active exploitation scales globally.

KEV Additions by Month in 2025

KEV Additions by Attribution

4. AI Entered the Vulnerability Conversation.

Artificial intelligence shifted from a theoretical threat to a tracked attack vector. In 2025, over 2,100 AI-related CVEs were published, accounting for approximately 4.4% of all vulnerabilities. Major AI coding assistants and agentic frameworks, including GitHub Copilot, Cursor, and Claude Code, recorded their first high-severity CVEs. Prompt injection is now recognized as a legitimate, weaponizable vulnerability class, frequently receiving CVSS scores exceeding 9.0.

AI-related CVEs Published Over Time

What Stayed the Same

While the speed and severity of attacks escalated, fundamental targets remained stubbornly consistent:

Old Vulnerabilities Still Work

The top vulnerabilities actively exploited in the supply chain include flaws from 2021, 2022, and 2023. Ransomware groups still favor proven, reliable exploits over novel attacks.

The Usual Suspects

Microsoft, Cisco, and Ivanti remain the top commercial vendors represented in the CISA KEV catalog, dominating the edge infrastructure and enterprise software attack surface.

Open Source Foundations

Open source software remains the largest category of risk in Black Kite's discoverability analysis. This confirms that third-party risk begins deep within software dependencies, long before a commercial product is even purchased.

These numbers don't exist in a vacuum.

Behind every CVE and every compromised vendor is a threat actor with a playbook. The next question is: who is exploiting these vulnerabilities, and exactly where are they getting in?
