Vulnerability Trends and Statistics
Why Aren’t All Vulnerabilities Exploited?
OVERVIEW
With over 40,000 CVEs published in 2024, organizations cannot afford to treat every vulnerability as an equal priority. Most vulnerabilities never get exploited, while a select few become major threats. Understanding why only certain vulnerabilities are actively targeted is key to improving risk-based vulnerability management in third-party risk management (TPRM).
To cut through the noise, the Black Kite Research & Intelligence Team (BRITE) analyzed over 1,000 vulnerabilities in 2024, identifying 780 as high-priority vulnerabilities based on exploitability, vendor exposure, and supply chain impact.
We'll look at:
1. Product Concentration and CVSS
CVE Trends Across Products in All Published CVEs
Throughout 2024, certain software products and platforms consistently appeared in vulnerability reports, not necessarily because they were the most insecure, but because they were widely used and highly scrutinized.
Monthly Trend of Vendors with Total Vulnerabilities (CVSS-Independent)
As this data shows, Linux, Microsoft, Adobe, and Apple are the recurring top vendors for CVEs.
Vulnerabilities Analyzed
Vendor Concentration in High-Priority Vulnerabilities: A Misleading Metric?
While analyzing 780 high-priority vulnerabilities, one trend stands out—certain vendors appear more frequently than others. But does this mean their vulnerabilities are inherently riskier? Not necessarily.
Vendor-Based Analysis of CVE Counts
A few key takeaways from this data:
- Microsoft, Ivanti, Cisco, Apple, and VMware have high concentrations of high-priority CVEs.
- Open-source software also represents a large share, driven by the transparency of security research in widely used projects.
- A vendor having many vulnerabilities does not automatically mean its products are riskier. Many vendors, especially Microsoft, patch vulnerabilities aggressively, meaning that focusing solely on vendor-based CVE counts can be misleading.
Severity Breakdown (CVSS-Based Analysis)
The analyzed vulnerabilities were categorized using the Common Vulnerability Scoring System (CVSS), which assigns a severity score from 0 (low risk) to 10 (critical risk).
- Critical (CVSS 9.0–10.0): 15.20%
- High (CVSS 7.0–8.9): 28.40%
- Medium (CVSS 4.0–6.9): 35.60%
- Low (CVSS 0.1–3.9): 20.80%
This means that 44% of the vulnerabilities analyzed were classified as High or Critical, reinforcing the need for prioritization in remediation efforts. However, CVSS alone does not determine risk—many low and medium-severity vulnerabilities have been weaponized by attackers.
Instead of simply ranking vendors by the number of high-priority CVEs, we must focus on what truly matters to threat actors: exploitability and exposure. This leads us to the next step—understanding which vulnerabilities are actually exploitable in real-world attacks rather than just existing as theoretical risks.
2. What Makes a Vulnerability a Target?
Exploitability Metrics
Threat actors don't target software simply because it has many vulnerabilities, and they don't prioritize by CVSS score. Instead, they look for:
- Discoverable systems: can vulnerable instances be located easily with OSINT tools?
- Weaponization potential: is a public PoC or working exploit available?
- Strategic value: does the flaw affect a widely used enterprise product?
This is why raw vulnerability counts are misleading. The real risk lies not in how many vulnerabilities exist, but in how many can be exploited at scale.
Publicly Available Exploits: Lowering the Barrier to Attack
One of the biggest risk multipliers for a vulnerability is the presence of a publicly available PoC exploit. In 2024, 42% of the vulnerabilities analyzed by BRITE had publicly available PoC exploits, significantly reducing the technical barrier for cybercriminals.
When an exploit is available, attackers can quickly integrate it into malware, ransomware, or botnets, allowing rapid and large-scale exploitation.
Time-to-Exploitation: From Disclosure to Attack
The time between public disclosure and real-world exploitation has dropped significantly in recent years.

23.6% of Known Exploited Vulnerabilities (KEVs) were exploited on or before the day their CVEs were publicly disclosed—highlighting how quickly attackers move to take advantage of newly reported weaknesses.
This trend means that organizations cannot afford to wait weeks or months to patch high-risk vulnerabilities. Attackers are moving faster than ever, leveraging automation and AI-powered exploit development to streamline attacks.
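As an added illustration of the argument above (not BRITE's code or data), the Python below ranks constructed vulnerability records by exploitability signals ahead of CVSS and computes the disclosure-to-exploitation lag; the records, field names, and signal ordering are all assumptions.

```python
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Optional

@dataclass
class Vuln:
    cve: str
    cvss: float
    published: date                   # public disclosure date
    first_exploited: Optional[date]   # first observed in-the-wild exploitation, if any
    public_poc: bool                  # PoC or exploit code publicly available
    internet_exposed: bool            # affected asset reachable from the internet

def exploit_signals(v: Vuln) -> tuple:
    """Rank key: in-the-wild exploitation, then public PoC, then exposure; CVSS only breaks ties."""
    return (v.first_exploited is not None, v.public_poc, v.internet_exposed, v.cvss)

def prioritize(vulns: list) -> list:
    """Return CVE IDs ordered from most to least urgent to remediate."""
    return [v.cve for v in sorted(vulns, key=exploit_signals, reverse=True)]

def time_to_exploit_stats(vulns: list) -> dict:
    """Share exploited on or before disclosure, median lag in days, and share with a public PoC."""
    exploited = [v for v in vulns if v.first_exploited is not None]
    lags = [(v.first_exploited - v.published).days for v in exploited]
    return {
        "exploited": len(exploited),
        "on_or_before_disclosure_pct": round(100 * sum(d <= 0 for d in lags) / len(lags), 1) if lags else 0.0,
        "median_days_to_exploit": median(lags) if lags else None,
        "public_poc_pct": round(100 * sum(v.public_poc for v in vulns) / len(vulns), 1),
    }

# Constructed records (placeholder CVE IDs), not real vulnerability data
SAMPLE = [
    Vuln("CVE-0000-0001", 9.8, date(2024, 3, 1), None, False, False),
    Vuln("CVE-0000-0002", 6.5, date(2024, 3, 5), date(2024, 3, 5), True, True),
    Vuln("CVE-0000-0003", 7.2, date(2024, 4, 10), date(2024, 4, 24), True, False),
    Vuln("CVE-0000-0004", 5.0, date(2024, 5, 2), date(2024, 4, 30), False, True),
    Vuln("CVE-0000-0005", 8.1, date(2024, 6, 1), None, True, False),
]

if __name__ == "__main__":
    print(prioritize(SAMPLE))            # the CVSS 9.8 entry with no exploit signals ranks last
    print(time_to_exploit_stats(SAMPLE))
```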
3. Exploits in the Wild: ExploitDB & Metasploit and CISA KEV
ExploitDB & Metasploit
Two of the most widely used platforms for tracking exploit availability are ExploitDB and Metasploit.
- ExploitDB is a publicly accessible database of known exploits for software vulnerabilities, used by both security professionals and attackers.
- Metasploit is an offensive security framework for testing and executing exploits, used for both penetration testing and malicious attacks.
2024 ExploitDB & Metasploit Trends
- 318 exploit codes were published in ExploitDB in 2024, reflecting high interest from threat actors.
- Over 100 CVE-related payloads were released on Metasploit, demonstrating the rapid adoption of exploits by both attackers and security researchers.
- Remote Code Execution (RCE) vulnerabilities were the most targeted, accounting for over 50 published Metasploit modules in 2024, primarily targeting:
  - WordPress plugins
  - Palo Alto Networks PAN-OS
  - Ivanti Connect Secure
  - Apache web services
Why RCE Matters: Remote Code Execution vulnerabilities allow attackers to gain full control over a system, making them some of the most dangerous security threats. These are prime targets for ransomware, botnets, and APT groups.
Number of RCE CVE-Related Payloads Released on Metasploit
Notably, multiple RCE vulnerabilities in Ivanti Connect Secure attracted significant attention from attackers, emphasizing how certain vendors become high-risk targets. SQL injection, authentication bypass, and privilege escalation vulnerabilities were also widely exploited, reinforcing the importance of securing externally exposed assets.
For more details, view the full data (pdf): Metasploit-Integrated Vulnerabilities Published in 2024.
CISA KEV Analytics: Tracking Exploited Vulnerabilities
The CISA Known Exploited Vulnerabilities (KEV) Catalog is a list of vulnerabilities confirmed to be exploited in the wild.
KEV Trends in 2024
- 186 vulnerabilities were added to the KEV catalog, highlighting the continued exploitation of known vulnerabilities.
- The highest monthly KEV additions occurred in January (21), September (25), and November (22).
- Ransomware groups continue to exploit KEVs, reinforcing the importance of timely patching and proactive security measures.
Monthly Breakdown of CISA KEV Listings
Breakdown of Most Affected Vendors and Products
The vulnerabilities added to KEV in 2024 spanned a wide range of software and infrastructure components, but certain vendors and products were disproportionately affected. Enterprise software, cloud services, and widely used operating systems remained prime targets.
Products from these vendors play a critical role in enterprise environments, making them valuable targets for both ransomware groups and nation-state actors.
Top Affected Vendors (2024 KEV Additions)
Ransomware and KEV Exploitation Trends
One of the most alarming trends in CISA KEV for 2024 is the continued use of known vulnerabilities in ransomware campaigns.
Ransomware Campaigns Linked to KEV Vulnerabilities
- At least 24 vulnerabilities were explicitly tied to ransomware attacks; the remaining 162 lacked direct attribution but may well have been exploited by ransomware too.
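The KEV statistics in this section (monthly additions, most affected vendors, ransomware linkage) can be reproduced from CISA's JSON feed. The Python below is an added example, not BRITE's code; it uses the feed's real field names but runs on a constructed excerpt with placeholder CVE IDs and vendor names.

```python
import json
from collections import Counter

def kev_entry(cve, vendor, product, added, ransomware):
    # Field names follow the CISA KEV JSON feed; the values are constructed, not real records
    return {"cveID": cve, "vendorProject": vendor, "product": product,
            "dateAdded": added, "knownRansomwareCampaignUse": ransomware}

# Constructed excerpt in the shape of known_exploited_vulnerabilities.json
KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "2024.12.31",
    "dateReleased": "2024-12-31T00:00:00.0000Z",
    "count": 5,
    "vulnerabilities": [
        kev_entry("CVE-0000-1001", "ExampleVendorA", "Gateway", "2024-01-09", "Known"),
        kev_entry("CVE-0000-1002", "ExampleVendorB", "Browser", "2024-01-23", "Unknown"),
        kev_entry("CVE-0000-1003", "ExampleVendorA", "VPN", "2024-09-04", "Known"),
        kev_entry("CVE-0000-1004", "ExampleVendorC", "Mail Server", "2024-11-12", "Unknown"),
        kev_entry("CVE-0000-1005", "ExampleVendorB", "OS", "2023-12-20", "Unknown"),
    ],
})

def load_kev(text: str, year: int) -> list:
    """Return the catalog entries added in the given year (dateAdded is YYYY-MM-DD)."""
    catalog = json.loads(text)
    return [v for v in catalog["vulnerabilities"] if v["dateAdded"].startswith(f"{year}-")]

def monthly_additions(entries) -> Counter:
    """Count additions per YYYY-MM to find the months with the most KEV listings."""
    return Counter(v["dateAdded"][:7] for v in entries)

def top_vendors(entries, n: int = 5) -> list:
    """Vendors with the most KEV additions, most affected first."""
    return Counter(v["vendorProject"] for v in entries).most_common(n)

def ransomware_breakdown(entries) -> dict:
    """Split entries by CISA's knownRansomwareCampaignUse flag ('Known' or 'Unknown')."""
    flags = Counter(v["knownRansomwareCampaignUse"] for v in entries)
    return {"known": flags["Known"], "unknown": flags["Unknown"]}

if __name__ == "__main__":
    kev_2024 = load_kev(KEV_SAMPLE, 2024)
    print(monthly_additions(kev_2024), top_vendors(kev_2024, 3), ransomware_breakdown(kev_2024))
```

Feeding the live catalog (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json) to load_kev yields the full-year figures instead of this toy excerpt.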
4. Ransomware and APT Groups
Exploited Vulnerabilities – The Intersection of CVEs, Ransomware, and APTs
To understand the real-world impact of vulnerabilities, it's crucial to examine both the typical lifecycle of a CVE and the specific ways ransomware groups and APTs weaponize them.
The Lifecycle of Exploited CVEs
Not all Common Vulnerabilities and Exposures (CVEs) remain theoretical risks—many become active attack vectors for ransomware groups and Advanced Persistent Threats (APTs). Black Kite’s analysis reveals a significant overlap between publicly disclosed vulnerabilities and the tactics used by both financially motivated cybercriminals and nation-state actors.
By visualizing these relationships, we can better understand how CVEs flow through the cyber threat landscape—from their initial discovery to their exploitation by adversarial groups.
Ransomware Groups: Targeting the Most Impactful CVEs
Ransomware operators frequently leverage vulnerabilities in widely used enterprise products such as Microsoft Exchange, Cisco ASA, and Fortinet FortiOS. These exploits often become central to large-scale supply chain attacks, giving cybercriminals direct access to critical infrastructure.
- Certain vulnerabilities, such as CVE-2021-34527 (PrintNightmare) and CVE-2019-0708 (BlueKeep), have been weaponized by multiple ransomware groups, proving their lasting impact.
- Attackers capitalize on unpatched systems and misconfigurations—many ransomware campaigns exploit CVEs that are years old but still present in enterprise environments.
- Black Kite’s research highlights Cuba, LockBit 3.0, and RansomHub among the most aggressive ransomware groups exploiting known vulnerabilities.
Flow of CVEs to ransomware groups, emphasizing which vulnerabilities are most exploited across multiple ransomware families.

APT Groups: Nation-State Actors’ Persistent Exploitation of CVEs
Unlike ransomware groups that seek financial gain, APTs focus on cyber espionage, intelligence gathering, and long-term infiltration of high-value targets. Many of the CVEs exploited by ransomware groups also appear in nation-state campaigns, illustrating the convergence between cybercrime and geopolitically motivated attacks.
- China-based APTs (Winnti, Mustang Panda, APT31) heavily exploit vulnerabilities in Microsoft and Cisco products.
- Russia-linked APTs (APT29, APT44, RomCom) frequently leverage zero-days and high-profile exploits, particularly in VMware, Fortinet, and Microsoft Windows.
- Iran and North Korea-based groups exhibit a pattern of targeting remote code execution vulnerabilities, particularly those affecting Zoho, Fortinet, and Apache Log4j.
Mapping CVE exploitation by APTs, revealing patterns in cyber espionage activities.
