✅ Report Title: Recent Trends in Known Exploited Vulnerabilities (KEV)
✅ Executive Summary:
- S2W Threat Intelligence Center (TALON) has released a report that provides a comprehensive analysis of Known Exploited Vulnerabilities (KEV), covering the scale of KEV, exploitation trends, CVSS score distribution, major target products, and trends observed across the Deep and Dark Web (DDW) and Telegram.
📌 Exploited Vulnerability Statistics
- As of September 10, 2025, a total of 1,414 publicly disclosed vulnerabilities with confirmed real-world exploitation cases, referred to as Known Exploited Vulnerabilities (KEV), have been identified, accounting for 0.004% of the total 312,011 reported vulnerabilities.
- When examining the trend of vulnerabilities registered in KEV since November 2021, excluding the initial registration period, the number of vulnerabilities registered averages roughly 5–30 per month.
- Network is the most common target vector among vulnerabilities registered in KEV, accounting for 69.5% of all KEV vulnerabilities.
📌 KEV Statistics by CWE Category
- CWE, or Common Weakness Enumeration, is a software vulnerability classification system managed by MITRE.
- The CWE type most frequently exploited among vulnerabilities registered in KEV is CWE-20 (Improper Input Validation), i.e., vulnerabilities that arise from incorrect validation of user input.
- Threat actors can inject unintended values or malicious payloads to cause systems to behave unexpectedly, potentially causing serious damage to web applications, network services, and local software.
📌 KEV Distribution by CVSS Score
- The average CVSS score for vulnerabilities registered in KEV is 8.21, which is approximately 1.2 points higher than the average CVSS score of 7.01 for vulnerabilities registered from 2021 through 2024, indicating that threat actors prefer vulnerabilities with low attack complexity and high impact when exploited.
📌 Statistics by Target Product
- Microsoft was identified as the most frequently exploited target product among vulnerabilities registered in KEV.
- Analysis of year-by-year changes in target products shows that from 2021 through 2025 Microsoft-related vulnerabilities were registered most frequently, and recently exploitation of VPN-related vulnerabilities — such as those affecting Citrix, Cisco, and Ivanti — has been on the rise.
📌 Correlation with Vulnerabilities Mentioned on the Deep and Dark Web (DDW)
- Between November 2024 and September 2025, approximately 1,140 of the vulnerabilities registered in KEV were mentioned on DDW and Telegram, accounting for about 80.8% of all KEV-registered vulnerabilities.
- Of these, a total of 160 vulnerabilities — approximately 14.1% of the whole — were mentioned on DDW and Telegram prior to their KEV registration; these mentions were mainly found in posts where vulnerability-related information, such as PoC (Proof of Concept) code sharing and exploit sales, is actively traded and circulated.
- These pre-mentioned vulnerabilities have, on average, about 5.1 times as many mentions as vulnerabilities first mentioned after their KEV registration, indicating that threat actors treat them as subjects of concentrated interest.
✅ Recommended Threat Detection and Mitigation Actions:
- About 67.5% of the vulnerabilities that saw many exploit attempts over the past year are old vulnerabilities, so legacy systems that have not received the latest patches need to be updated and maintained with care.
🧑‍💻 Author: S2W TALON
👉 Read the full report: https://bit.ly/4seHfud
*The full report is available upon request or with a subscription to the S2W platform.