Security professionals entered 2026 confronting an overwhelming landscape of newly documented software flaws, with a staggering 40,000 vulnerabilities reported throughout the previous year. Defenders and organizations found themselves tasked with sifting through vast lists of potential dangers, though only a fraction ever presented real-world risk. Many industry observers expressed growing concern that existing vulnerability scoring systems fail to guide resources effectively, as cybercriminals focus their efforts on a small number of high-value targets.
Other years saw a similar explosion in vulnerability disclosures but lacked the current year’s stark disparity between sheer volume and those actually leveraged in attacks. Previously, emphasis on Common Vulnerability Scoring System (CVSS) ratings guided patch priorities, yet mounting data challenges this practice. Security teams, once reassured by severity scores, now struggle to keep pace as threat actors concentrate on only a handful of exploits. These developments point to a need for revised strategies in identifying and mitigating genuine threats.
How Effective Are Existing Prioritization Methods?
VulnCheck reported that just 1% of the vulnerabilities tracked in 2025—422 out of more than 40,000—were exploited in real-world incidents, bringing the necessity for improved risk assessment into focus. Many defenders mistakenly allocate resources to countless theoretical or unproven exploits, complicating security workflows. As highlighted by Caitlin Condon, Vice President of Security Research at VulnCheck,
“The growth in CVE volume is ludicrous, not necessarily unfounded, but it’s large. Defenders don’t know what to pay attention to.”
Which Products and Vendors Remain Major Targets?
Network edge devices and widely deployed technologies faced persistent attacks, with 28% of all newly known exploited vulnerabilities affecting this category. Microsoft products accounted for nine of the top 50 most targeted flaws, while Ivanti, Fortinet, VMware, SonicWall, and Oracle each featured multiple high-profile vulnerabilities. Microsoft’s SharePoint alone suffered from four exploited zero-day vulnerabilities, impacting over 400 organizations, including several U.S. government departments. Meanwhile, the React2Shell flaw in React Server Components accumulated an extensive 236 public exploits soon after its disclosure, impacting numerous organizations worldwide.
What Drives Attackers’ Choices?
Attackers favor vulnerabilities in products occupying privileged positions in network infrastructure, utilizing automated analysis to uncover exploitable flaws in longstanding software code bases. Exploits often originate from both state-sponsored and cybercrime collectives, with most top threats linked to active ransomware and botnet campaigns. Defensive responses, however, lag behind, as patch reversals rapidly fuel new attack methods. Condon commented,
“Threat actors are much more organized presently than we all collectively are on defense.”
Overall, the research concludes that today’s technology landscape presents systemic challenges that extend beyond any single vendor. High-profile incidents involving Microsoft SharePoint and React2Shell exemplify persistent industry-wide risks. A clear lesson emerges: organizations cannot rely solely on volume-based or severity-driven vulnerability lists but must instead focus on active exploitation intelligence and attack patterns. Treating all newly discovered weaknesses as equally dangerous dilutes the effectiveness of defensive teams and siphons attention from the most pressing threats. Coordinated information sharing, continuous monitoring, and adaptive mitigation based on real-world exploit data are vital. By critically reassessing traditional patching and risk assessment strategies in light of recent trends, organizations stand a better chance of protecting themselves against the small portion of threats that matter most.
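The contrast between severity-driven and exploitation-driven patch queues described above, as an added Python example that is not from VulnCheck or the original article. The CVE identifiers, asset names, scores and the exploited set are all constructed placeholders, and the sort order (exploited first, then edge devices, then CVSS) is one assumed way to encode the article's advice.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    cve: str           # constructed placeholder ID, not a real CVE
    cvss: float        # CVSS base score reported by the scanner
    asset: str         # hypothetical asset name
    edge_device: bool  # True if the asset sits at the network edge

# Constructed stand-in for an exploited-in-the-wild intelligence feed.
KNOWN_EXPLOITED = {"CVE-EXAMPLE-0003", "CVE-EXAMPLE-0005"}

# Constructed scanner output for five assets.
FINDINGS = [
    Finding("CVE-EXAMPLE-0001", 9.8, "build-server", False),
    Finding("CVE-EXAMPLE-0002", 9.1, "hr-laptop", False),
    Finding("CVE-EXAMPLE-0003", 7.5, "vpn-gateway", True),
    Finding("CVE-EXAMPLE-0004", 8.8, "edge-firewall", True),
    Finding("CVE-EXAMPLE-0005", 6.5, "intranet-wiki", False),
]

def by_severity(findings):
    """Severity-only ordering: highest CVSS first."""
    return sorted(findings, key=lambda f: -f.cvss)

def by_exploitation(findings, exploited):
    """Exploited first, then edge devices, with CVSS only as a tie-breaker."""
    return sorted(
        findings,
        key=lambda f: (f.cve not in exploited, not f.edge_device, -f.cvss),
    )

def exploited_covered(ordered, exploited, capacity):
    """Count exploited findings that land in the first `capacity` patch slots."""
    return sum(f.cve in exploited for f in ordered[:capacity])

if __name__ == "__main__":
    orderings = (
        ("severity", by_severity(FINDINGS)),
        ("exploitation", by_exploitation(FINDINGS, KNOWN_EXPLOITED)),
    )
    for name, order in orderings:
        hit = exploited_covered(order, KNOWN_EXPLOITED, 2)
        print(f"{name:13} {[f.cve for f in order]} exploited in first 2 slots: {hit}")
```

With two patch slots available, the severity-only queue spends both on unexploited findings, while the exploitation-aware queue covers both entries in the constructed exploited set.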
