vulnerabilities


KEV catalog missing 88 percent of exploits

New research from Miggo Security suggests that CISA’s Known Exploited Vulnerabilities (KEV) catalog now reflects only a small slice of real-world exploit risk in open source, and it raises questions about how the industry should be using KEV going forward.

Using open source code speeds innovation but expands the attack surface with every imported library and dependency. The result is a growing catalog of vulnerabilities, each one a potential entry point for attackers.

By Ian Barker -

CVE system struggling to keep pace with modern development

A new report finds that the Common Vulnerabilities and Exposures (CVE) system struggles to keep pace with the realities of modern software development.

The study from Sonatype analyzed 1,552 open source vulnerabilities disclosed in 2025 and found that nearly two-thirds (64 percent) lacked severity scores from the National Vulnerability Database (NVD).

By Ian Barker -

Half of security teams struggling to cope with volume of vulnerabilities

As the number of CVEs continues to rise, a new study finds 46 percent of respondents say that the volume of vulnerabilities has placed additional strain on their security teams' resources, affecting not only organizational security but also staff well-being.

The report from Hackuity also shows that 26 percent admit this pressure has contributed to a data breach, while 36 percent report it resulted in a regulatory fine.

By Ian Barker -

Hardware vulnerabilities soar amid spread of IoT devices

There’s been an 88 percent increase in hardware vulnerabilities amid a proliferation of IoT devices, and 81 percent of security researchers have encountered new hardware vulnerabilities in the past 12 months.

New attack vectors and often-forgotten targets such as APIs and hardware are vulnerable and should be a key focus for CISOs today, according to a new report from crowdsourced security company Bugcrowd. The report shows organizations face growing challenges as applications go through multiple development cycles under pressure to release features quickly, often aided by AI-assisted coding.

By Ian Barker -

Six newly identified Windows vulnerabilities put Microsoft users at serious risk

Six newly discovered Windows vulnerabilities, including one rated as critical, could crash systems, allow attackers to run malicious code, or expose sensitive data. The flaws were uncovered by Check Point Research and privately reported to Microsoft under a responsible disclosure process.

One of the most notable discoveries involves what is likely the first publicly disclosed bug in a Rust-based Windows kernel component. Rust is often chosen for its ability to prevent the memory errors that have historically led to security flaws.

By Wayne Williams -

Attackers exploit old vulnerabilities as zero-day exploits surge

New analysis from Forescout of more than 23,000 vulnerabilities and 885 threat actors across 159 countries worldwide during the first half of 2025 finds 47 percent of newly exploited vulnerabilities were originally published before 2025, and zero-day exploitation has increased 46 percent.

The report also shows ransomware attacks are averaging 20 incidents per day, zero-day exploits increased 46 percent, and attackers are increasingly targeting non-traditional equipment, such as edge devices, IP cameras and BSD servers. These footholds are often used for lateral movement across IT, OT, and IoT environments, allowing threat actors to get deeper into networks and compromise critical systems.

By Ian Barker -

Security teams struggle to prioritize and patch vulnerabilities

According to a new report, 39 percent of security professionals say they struggle to prioritize risk remediation and patch deployment, with 35 percent saying they struggle to maintain compliance when it comes to patching vulnerabilities.

The study from Ivanti also finds 87 percent of security pros feel they do not have access to the critical data needed to make informed security decisions. In addition, 46 percent believe IT teams lack urgency when addressing cybersecurity problems.

By Ian Barker -

European manufacturers face critical vulnerabilities

The manufacturing industry is the most targeted industry for cyberattacks, and this has now been the case for four consecutive years.

A new study from KnowBe4 shows that this, combined with the manufacturing sector's expanding digital footprint, is putting operations, intellectual property, and economic resilience at risk from critical vulnerabilities.

By Ian Barker -

Critical vulnerabilities found across all cloud providers

A new report from CyCognito highlights critical security vulnerabilities across cloud-hosted assets, revealing that one in three easily exploitable vulnerabilities or misconfigurations is found on cloud assets.

Though uncommon, critical vulnerabilities (CVSS 9.0 or higher) have been detected on assets hosted by all cloud providers, with assets hosted by Azure showing a slightly higher percentage (0.07 percent) compared to assets hosted by AWS and Google Cloud (0.04 percent).

By Ian Barker -

Microsoft vulnerabilities hit a record high in 2024

The latest annual Microsoft Vulnerabilities Report from BeyondTrust reveals a record-breaking number of reported vulnerabilities last year.

Total vulnerabilities reached an all-time high of 1,360 in 2024, an 11 percent increase from the previous record of 1,292 in 2022. Elevation of Privilege (EoP) vulnerabilities comprised 40 percent of all those reported.

By Ian Barker -

Organizations fix under half of exploitable vulnerabilities

The latest State of Pentesting report from Cobalt reveals that organizations are fixing less than half of all exploitable vulnerabilities, with just 21 percent of GenAI app flaws being resolved.

It also highlights a degree of over-confidence, with 81 percent of security leaders saying they are 'confident' in their firm's security posture, despite 31 percent of the serious findings discovered not having been resolved.

By Ian Barker -

Traditional vulnerability assessment falls short on third-party risks

As organizations increasingly rely on third-party vendors, open-source components, and cloud services to bolster efficiency and scalability, they also open themselves to risks.

Historically, they've relied on CVSS scores to measure the severity of risks, but a new report from Black Kite suggests that this method alone is not enough.

By Ian Barker -

Here comes the sun -- along with the solar power vulnerabilities

We're always being encouraged to be greener in our energy usage these days and many people have turned to solar power as a means of doing their bit and reducing their bills.

But the inverter used to convert energy from solar panels into usable household electricity is usually an IoT device and could therefore be vulnerable. New research from Forescout analyzed equipment from six of the top 10 vendors of solar power systems worldwide: Huawei, Sungrow, Ginlong Solis, Growatt, GoodWe, and SMA. The research uncovered 46 new vulnerabilities across three of these inverter vendors: Sungrow, Growatt, and SMA.

By Ian Barker -

86 percent of commercial codebases expose organizations to risk

Analysis of 965 commercial codebases across 16 industries during 2024 by Black Duck Software finds 86 percent contain open source software vulnerabilities and 81 percent contain high- or critical-risk vulnerabilities.

Black Duck's Open Source Security and Risk Analysis (OSSRA) report also shows that the number of open source files in an average application has tripled from around 5,300 in 2020 to more than 16,000 in 2024.

By Ian Barker -

New solution automates fixing Linux vulnerabilities

More than ever, enterprises are turning to Linux solutions. But while the open source OS has a good reputation for security, that doesn't mean it's invulnerable, and it's important to stay on top of updates and patching.

Seal Security is launching Seal OS, a holistic solution designed to automatically fix vulnerabilities in both Linux operating systems and application code.

By Ian Barker -

© 1998-2025 BetaNews, Inc. All Rights Reserved.