2025: The Year Vulnerabilities Broke Every Record - Maze

January 20, 2026 Security

2025: The Year Vulnerabilities Broke Every Record

NUNO LOPES

If Spotify made a vulnerability recap, nobody would want to see theirs.

In 2025, roughly 50,000 CVEs were published. That's not a typo. Fifty thousand. For comparison, 2024 had just over 40,000, which felt overwhelming at the time. We blew past that by 22%.

That's approximately 130 new vulnerabilities disclosed every single day. If you took a long weekend, you came back to 500+ new CVEs waiting for you. And this brought the cumulative total of all CVEs ever published above 300,000, a milestone that really puts the "management" in vulnerability management to the test.

CISA KEV: The "Actually Getting Exploited" List

The CISA Known Exploited Vulnerabilities catalog is the closest thing we have to a "patch this or get owned" list. In 2025, CISA added 244 new entries, up 28% from 2024, bringing the total catalog to 1,483 vulnerabilities.

Network appliances dominated the catalog, accounting for 35% of all additions. Microsoft led individual vendors with 54 KEVs (22%), followed by Cisco at 28 (11%) and Fortinet at 22 (9%). If your perimeter runs on these vendors, 2025 was a rough year.

Here's what keeps me up at night as a security engineer: 65% of the vulnerabilities added were rated CVSS Critical (9.0+), but we already know CVSS scores are inconsistent at best. The real question is which ones actually got exploited, and how fast.

The answer is: faster than you can patch.

According to Hadrian's analysis of Mandiant data, the average time to exploit in 2025 was negative one day. Read that again. Attackers are exploiting vulnerabilities before patches are publicly available. 56% of vulnerabilities were weaponized within the first month of disclosure. Meanwhile, 50% of critical CISA KEV vulnerabilities remain unpatched 55 days after a fix is available.

Attackers need less than zero days. Defenders need almost two months. That gap isn't closing.

The Headlines That Defined 2025

A few vulnerabilities dominated the year. If you were in incident response, you probably dealt with at least one of these:

React2Shell (CVE-2025-55182) hit hard. A CVSS 10.0 unauthenticated RCE in React Server Components that let attackers execute arbitrary code on vulnerable servers. The Shadowserver Foundation detected 28,964 IP addresses still vulnerable, and it quickly became a favorite for deploying cryptominers and backdoors. Chinese APT UNC5174 was among those exploiting it.

Oracle EBS Zero Day (CVE-2025-61882) was a pre-auth RCE in Oracle E-Business Suite's BI Publisher Integration. Cl0p used it as their front door for one of 2025's most aggressive extortion waves, hitting GlobalLogic and Barts Health NHS Trust among others. Oracle pushed an emergency patch on October 5th.

SharePoint ToolShell (CVE-2025-53770 and CVE-2025-53771) chained two critical vulnerabilities together against internet-facing SharePoint servers. 396 systems were confirmed compromised. Chinese-aligned APT groups including Linen Typhoon (APT27), Violet Typhoon (APT31), and potentially Salt Typhoon were behind the campaigns.

Cisco AsyncOS (CVE-2025-20393) was a maximum severity zero day (CVSS 10.0) in Cisco Secure Email Gateway, actively exploited by China-nexus APT UAT-9686 to drop tunneling tools like ReverseSSH and Chisel, plus custom backdoors for persistence.

Notice a pattern? Network appliances, enterprise software, and a lot of Chinese APT activity. The perimeter is still where attacks land first.

Threat Actors: More Active Than Ever

The ransomware numbers are staggering. According to ransomware.live, 8,149 victims were listed by ransomware groups in 2025. That's up from 6,129 in 2024 and 5,336 in 2023, a 33% year-over-year increase.

Qilin topped the charts with 1,056 victims on its data leak site. In the first half of 2025 alone, 96 unique ransomware groups were observed operating. Taking down one group barely dents the problem when there are 95 others waiting.

Manufacturing got hit hardest: 930 victims, a 61% increase from 2024. Technology followed with 893, then healthcare with 529. The US accounted for nearly half of all victims globally (3,328).

And ransomware isn't just a side effect of breaches anymore. It's the main event. Verizon's 2025 DBIR found ransomware present in 44% of all breaches analyzed, up from 32% the previous year.

AI in the Vulnerability Landscape: It's Already Here, On Both Sides

Here's where it gets interesting for anyone doing vulnerability research:

AI-assisted discovery is real. CVE-2025-37899, a critical use-after-free in the Linux kernel's ksmbd (SMB server), was discovered using OpenAI's o3 model. The AI simulated multi-threaded behavior and identified unsafe memory reuse scenarios that would have taken a human researcher significantly longer to find. This isn't theoretical anymore. AI is finding real bugs in production code.

AI-powered exploitation is also real. In July 2025, Carnegie Mellon researchers demonstrated that LLMs can autonomously plan and execute sophisticated cyberattacks without human intervention. In a controlled environment, an LLM successfully replicated the 2017 Equifax breach: scanning for vulnerabilities, deploying exploits, installing malware, and exfiltrating data. Across 10 test enterprise networks, LLMs fully compromised half and partially breached four others.

Then attackers weaponized AI. In November 2025, Anthropic disclosed what they called "the first documented case of a large-scale cyberattack executed without substantial human intervention." A Chinese state-sponsored group manipulated Claude Code into attempting infiltration of roughly 30 global targets, including tech companies, financial institutions, and government agencies. The AI performed 80-90% of the campaign autonomously: reconnaissance, exploit development, credential harvesting, data exfiltration, and backdoor creation. Human operators only intervened at 4-6 critical decision points per target.

What This Means for 2026

You can't patch 130 CVEs a day. Nobody can. And you definitely can't patch them faster than attackers can exploit them when the time to exploit is literally negative.

So what actually works? Focus on what's actually exploitable. Not every critical CVE is exploitable in your environment. An unpatched vulnerability on an isolated internal system, behind authentication, with no network path from the internet is a different problem than the same CVE on an exposed server. Know your attack surface and prioritize accordingly.

And accept that you won't get to everything. The goal isn't zero vulnerabilities. The goal is making sure the vulnerabilities that remain aren't the ones that will actually get you breached.
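One way to turn that prioritization into code, as an added example that is not from the post: rank findings by evidence of exploitability (KEV membership, internet exposure, pre-auth reachability) ahead of raw CVSS, and flag KEV items whose fix has been out longer than an SLA. The inventory below is constructed with placeholder CVE ids, and the 55-day SLA is an assumption borrowed from the patch-lag statistic above, not a CISA deadline.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str                # placeholder id (constructed, not a real CVE)
    asset: str
    cvss: float             # base score as published
    in_kev: bool            # listed in CISA KEV, i.e. exploited in the wild
    internet_exposed: bool  # reachable from the internet
    pre_auth: bool          # reachable without credentials
    days_since_fix: int     # days since a vendor fix became available


TIERS = ("P0 patch now", "P1 this week", "P2 scheduled", "P3 backlog")


def tier(f: Finding) -> str:
    """Evidence of exploitation and exposure outrank the CVSS number."""
    if f.in_kev and f.internet_exposed:
        return TIERS[0]
    if f.in_kev or (f.internet_exposed and f.pre_auth and f.cvss >= 9.0):
        return TIERS[1]
    if f.internet_exposed or f.cvss >= 9.0:
        return TIERS[2]
    return TIERS[3]


def prioritize(findings):
    """Order by tier, then oldest available fix first, then CVSS as tie-break."""
    return sorted(findings,
                  key=lambda f: (TIERS.index(tier(f)), -f.days_since_fix, -f.cvss))


def overdue_kev(findings, sla_days=55):
    """KEV findings whose fix has been available longer than the SLA (assumed 55 days)."""
    return [f for f in prioritize(findings) if f.in_kev and f.days_since_fix > sla_days]


# Constructed sample inventory: a mix of exposed, internal, KEV and non-KEV findings.
INVENTORY = [
    Finding("CVE-EXAMPLE-A", "edge-vpn-01", 10.0, True, True, True, 60),
    Finding("CVE-EXAMPLE-B", "hr-db-02", 9.8, False, False, False, 10),
    Finding("CVE-EXAMPLE-C", "build-agent-07", 7.5, True, False, False, 70),
    Finding("CVE-EXAMPLE-D", "web-portal-03", 9.1, False, True, True, 3),
    Finding("CVE-EXAMPLE-E", "print-server-01", 6.5, False, False, False, 120),
]

if __name__ == "__main__":
    for f in prioritize(INVENTORY):
        print(f"{tier(f):14} {f.cve:15} {f.asset:16} cvss={f.cvss}")
    print("overdue KEV:", [f.cve for f in overdue_kev(INVENTORY)])
```

Note that the CVSS 9.8 internal database finding lands in P2 while the CVSS 7.5 KEV entry lands in P1, which is the point of the ranking.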

Sources