Global organizations still struggle with basic ground truth on vulnerabilities and risk. Vulnerability and exploit information, on the whole, is still unstructured, fragmented, and opaque, with most threat notifications trailing real-world risk by days, weeks, or longer in spite of increased spending on early warning systems and “enterprise-grade” tooling. In other words, the threat ceiling has risen noticeably for defensive practitioners and front-line operators, but the industry baseline for reliable, high-quality data has arguably not only not risen — it’s falling.
At VulnCheck, we believe that data quality and consumability are solvable problems, and that timely exploit intelligence should be accessible to everyone.
Today, we are proud to announce the release of a new annual research report: The 2026 VulnCheck Exploit Intelligence Report draws on 500+ data sources to build an evidence-based picture of vulnerability and exploit trends from the past year, incorporating first-party analysis from our research teams in addition to broad coverage of open-source and other security intelligence.
Key report findings include:
- VulnCheck tracked 14,000+ exploits developed for 10,000+ unique “CVE-2025” vulnerabilities, a 16.5% YoY increase in same-year CVE exploit coverage. This rise has been driven in part by an uptick in AI-generated PoC code, much of which is non-functional or outright fake. Despite the prevalence of public PoCs, a mere 1% of 2025 CVEs were exploited in the wild by the end of the year.
- 884 vulnerabilities were added to VulnCheck’s industry-leading Known Exploited Vulnerabilities (KEV) dataset in 2025. 47.7% of VulnCheck KEVs in 2025 were CVEs with 2025 identifiers, underscoring the speed with which adversaries weaponize and deploy exploits for recent vulnerabilities.
- There was a small decrease (-13%) in new vulnerabilities linked to named state-sponsored threat groups and APTs over the course of 2025. New CVE exploits attributed to China-nexus groups increased while Iranian exploit activity fell.
- Only a small number of new vulnerabilities were leveraged in known ransomware incidents in 2025, but 56.4% of 2025 ransomware CVEs were discovered as a result of zero-day exploitation, and a third of known 2025 ransomware CVEs still had no public or commercial exploits available as of January 2026.
- Deep dives on individual threat actor techniques and CVE exploits: Read in-depth analysis of Earth Lamia (China), RomCom (Russia), Cl0p, DragonForce Ransomware Cartel, and the RondoDox botnet.
We’re also pleased to announce the first annual list of VulnCheck Routinely Targeted Vulnerabilities. Our team identified 50 CVEs disclosed and exploited in 2025 that have elevated, multi-dimensional threat profiles. We’re releasing that list of Routinely Targeted Vulnerabilities and associated metadata to the community along with this report so readers can explore the data themselves.
VulnCheck closes the exploitation-timing gap by enabling security teams to operate on attacker timelines instead of disclosure timelines. By delivering machine-consumable, evidence-driven intelligence on when vulnerabilities become exploitable and how attackers actually use them, VulnCheck helps organizations prepare earlier, respond decisively, and verify exploitation without relying on scores or delayed consensus.
Sign up for the VulnCheck community today to get free access to our VulnCheck KEV, enjoy our comprehensive vulnerability data, and request a trial of our Initial Access Intelligence, IP Intelligence, and Exploit & Vulnerability Intelligence products.
