🔐 New Vulnerabilities Rapidly Exploited: 159 CVE Vulnerabilities Used in Active Attacks in First Three Months of 2025

In the first quarter of 2025, the cybersecurity landscape faced an alarming situation—researchers identified that 159 vulnerabilities (CVE—Common Vulnerabilities and Exposures) were actively exploited in real-world attacks. This figure starkly illustrates the scale of the threat: hackers are swiftly leveraging newly disclosed vulnerabilities.

Most concerning is the increasing speed of attackers’ responses—28.3% of vulnerabilities were exploited within just one day of their CVE identifiers being published. This leaves security teams with little to no time to patch vulnerabilities before facing threats.

🔥 Primary Targets of Attackers

Analyses reveal that attacks primarily targeted internet-connected systems and those interacting with end users. The following technologies were the most frequently exploited:

  • Content Management Systems (CMS) — 35 vulnerabilities
  • Network Edge Devices — 29 vulnerabilities
  • Operating Systems — 24 vulnerabilities
  • Open-Source Software — 14 vulnerabilities
  • Server Software — 14 vulnerabilities

These numbers indicate that attackers prioritize systems with broad attack surfaces, large user bases, and valuable data.

🎯 Most Targeted Platforms:

  • Microsoft Windows — 15 exploited vulnerabilities
  • Broadcom VMware — 6 vulnerabilities
  • Cyber PowerPanel — 5 vulnerabilities
  • LiteSpeed Technologies — 4 vulnerabilities

Additionally, a seasonal pattern was observed: attack activity, which started slowly in January, surged significantly in February and March.

Today, attackers rely heavily on automated tools to exploit vulnerabilities. They use code that can rapidly scan networks of servers, identify vulnerable systems, and deploy malicious payloads.

Such tools enable exploitation almost immediately after a CVE is published, leaving organizations with a very narrow window to apply security updates.

📊 Insights from External Observers

The following organizations played a key role in identifying exploitation cases:

  • Shadowserver — 31 cases
  • GreyNoise — 17 cases
  • CISA KEV (Known Exploited Vulnerabilities) — 12 cases
  • Microsoft — 12 cases

Moreover, 25.8% of exploited vulnerabilities are still undergoing in-depth analysis by the National Institute of Standards and Technology (NIST), complicating prioritization efforts for security teams.

Modern cyber threats are becoming increasingly automated, and the window for defense is shrinking rapidly. The trends observed in the first quarter of 2025 raise pressing questions for cybersecurity professionals: Are updates being deployed quickly enough? Can our defensive tools keep pace with these rapid threats?

For these reasons, organizations are strongly urged to bolster their infrastructure through real-time monitoring, swift patch management, and continuous awareness of cybersecurity threats.