In Q1 2025, VulnCheck identified evidence of 159 CVEs publicly disclosed for the first time as exploited in the wild.

In Q1 2025, VulnCheck identified evidence of 159 CVEs publicly disclosed for the first time as exploited in the wild. The disclosure of known exploited vulnerabilities was from 50 different sources. We continue to see vulnerabilities being exploited at a fast pace with 28.3% of vulnerabilities being exploited within 1-day of their CVE disclosure. This trend continues from a similar pace we saw in 2024. This demonstrates the need for defenders to move fast on emerging threats while continuing to burn down their vulnerability debt.

Here are the key take-aways from our analysis and coverage of known exploited vulnerabilities:

• 159 KEVs were publicly disclosed in Q1-2025
• 28.3% of KEVs had exploitation evidence disclosed in < 1-day of a CVE being published
• 25.8% of KEVs are still awaiting or undergoing analysis by NIST NVD
• 3.1% of KEVs have been assigned the new "Deferred" status by NIST NVD
• 2 KEVs reported publicly have reserved but unpublished CVEs
• 1 KEV reported is now rejected

VulnCheck and partner GreyNoise discovered Zyxel-related vulnerabilities being targeted in the wild. In this blog, VulnCheck describes the vulnerabilities CVE-2024-40891 and CVE-2025-0890.

VulnCheck faces a horde of honeypots while assessing the potential impact of Atlassian Confluence's CVE-2023-22527. This blog delves into Shodan queries to filter out honeypots and uncover the actual on-premise Confluence install base.

VulnCheck discovers a network of fake security researcher accounts promoting hidden malware.

CVE-2023-1671 is a pre-authenticated command injection in Sophos Web Appliance. In this blog post, VulnCheck researchers analyze the vulnerability and develop a proof of concept (PoC) for it.

Sophos took immediate steps to remediate CVE-2022-3236 – an unauthenticated and remote code execution vulnerability affecting the Sophos Firewall Webadmin and User Portal HTTP interfaces – with an automated hotfix sent out in September 2022. Through its advisory published on September 23, 2022, it also alerted users who don't receive automatic hotfixes to apply the update themselves. The advisory stated the vulnerability had previously been used against "a small set of specific organizations, primarily in the South Asia region." In December, Sophos released v19.5 GA GA with an official fix.
Key Takeaways

• As there are no public proof-of-concept exploits for CVE-2022-3236, we created our own to determine its potential for mass exploitation.
• We scanned internet-facing Sophos Firewalls and found more than 4,000 firewalls that were too old to receive a hotfix.
• We encourage Sophos Firewall administrators to look through their logs to determine if they see indications of exploit attempts. Two files to focus on include /logs/csc.log and /log/validationError.log.
• Internet-facing firewalls appear to largely be eligible for hotfixes and the default authentication captcha likely prevented mass exploitation.