
Tenable Research in Verizon DBIR: Additional Research Analysis

by CISOCONNECT Bureau

Vulnerability exploitation surged as the initial access vector for 20% of breaches, a 34% increase year over year, and now rivals the top initial access vector (credential abuse), according to the newly released 2025 Verizon Data Breach Investigations Report (DBIR). To dig deeper into this risk, Tenable contributed enriched data on the most exploited vulnerabilities to the Verizon DBIR and published a complementary deep-dive analysis.

Tenable Research analysed over 160 million data points across our telemetry data to uncover how quickly organisations are patching the 17 high-risk CVEs Verizon highlights in the report — segmented by industry.

Some of the key findings include:
● The Bad News: Critical vulnerabilities in high-value targets go unremediated for 100+ days
➤ The average remediation time worldwide for these 17 CVEs is 213 days. In APAC, the average remediation time was 199 days for these 17 edge device CVEs.
➤ Citrix vulnerabilities CVE-2023-6548 and CVE-2023-6549: Even the fastest three industries took over 160 days to patch; the slowest industry averaged 288 days.
➤ Ivanti vulnerabilities CVE-2023-46805 and CVE-2024-21887: Despite active RCE exploitation, remediation averaged up to 294 days in some industries.

● The Good News: Industries can mobilise quickly
➤ Fortinet vulnerability CVE-2024-47575 (FortiJump): This had the shortest average remediation time of the 17 CVEs. On average, organisations across industries resolved this critical bug in 2 to 7 days, depending on the industry.
➤ SonicWall vulnerability CVE-2024-40766: Used by ransomware groups to gain initial access, this vulnerability had short remediation times across the board – engineering resolved it in just 6 days, while consulting lagged at 52 days.
➤ In APAC, CVE-2024-47575 (CVSS 9.8) and SonicWall CVE-2024-40766 (9.8) were remediated on average in 28 days or less.
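The figures above are per-industry averages of the time between a scanner first seeing a CVE on an asset and the finding closing. The following is an added example, not Tenable's code, showing how such a metric is computed from scan findings and why still-open findings have to be reported beside the average rather than dropped: an average over closed findings alone understates exposure when many organisations have not patched at all (the page notes only 54% reached full remediation). The organisations, industries and dates in the sample records are constructed for illustration; the CVE identifiers are the ones named on this page.

```python
"""Mean time-to-remediate per CVE and industry from vulnerability scan findings.

Added example, not Tenable's code. Each finding is one (organisation, CVE)
pair with the date the scanner first saw it and, if patched, the date the
finding closed. Open findings are right-censored: they are counted and aged
separately instead of being silently dropped or counted as zero days.
"""
from collections import defaultdict
from datetime import date
from statistics import mean

# Constructed sample findings (hypothetical organisations and dates).
# (org, industry, cve, first_seen, fixed) -- fixed is None while still open.
FINDINGS = [
    ("org-a", "engineering", "CVE-2024-40766", date(2024, 8, 23), date(2024, 8, 28)),
    ("org-b", "engineering", "CVE-2024-40766", date(2024, 8, 23), date(2024, 8, 30)),
    ("org-c", "consulting",  "CVE-2024-40766", date(2024, 8, 23), date(2024, 10, 14)),
    ("org-d", "consulting",  "CVE-2024-40766", date(2024, 8, 23), None),
    ("org-a", "engineering", "CVE-2023-46805", date(2024, 1, 10), date(2024, 8, 20)),
    ("org-c", "consulting",  "CVE-2023-46805", date(2024, 1, 10), None),
]

# Constructed reporting date for ageing open findings.
AS_OF = date(2024, 12, 1)


def remediation_stats(findings, as_of):
    """Per (cve, industry): mean days to fix over closed findings, plus the
    number of open findings and the age of the oldest one as of `as_of`.

    The mean is taken over closed findings only, so it is reported next to
    the open count and oldest open age; on its own it would look better
    the more organisations have never patched.
    """
    closed_days = defaultdict(list)
    open_ages = defaultdict(list)
    for _org, industry, cve, first_seen, fixed in findings:
        key = (cve, industry)
        if fixed is None:
            open_ages[key].append((as_of - first_seen).days)
        else:
            closed_days[key].append((fixed - first_seen).days)

    stats = {}
    for key in set(closed_days) | set(open_ages):
        days = closed_days.get(key, [])
        ages = open_ages.get(key, [])
        stats[key] = {
            "mean_days": mean(days) if days else None,
            "closed": len(days),
            "open": len(ages),
            "oldest_open_days": max(ages) if ages else 0,
        }
    return stats


def full_remediation_share(findings, cves):
    """Fraction of organisations with no open finding for any CVE in `cves`."""
    orgs, orgs_with_open = set(), set()
    for org, _industry, cve, _first_seen, fixed in findings:
        if cve not in cves:
            continue
        orgs.add(org)
        if fixed is None:
            orgs_with_open.add(org)
    return (len(orgs) - len(orgs_with_open)) / len(orgs) if orgs else 0.0


if __name__ == "__main__":
    for (cve, industry), s in sorted(remediation_stats(FINDINGS, AS_OF).items()):
        print(f"{cve} {industry:12} mean={s['mean_days']} closed={s['closed']} "
              f"open={s['open']} oldest_open={s['oldest_open_days']}d")
    share = full_remediation_share(FINDINGS, {"CVE-2024-40766", "CVE-2023-46805"})
    print(f"organisations fully remediated: {share:.0%}")
```

With the sample data, engineering's mean for CVE-2024-40766 is 6 days while consulting's single closed finding took 52 days and one consulting organisation is still exposed after 100 days; for CVE-2023-46805 the consulting row has no mean at all because nothing closed, and the 326-day open age is the number that matters. Half the organisations are fully remediated. When reading a headline average, ask for the open count and oldest open age alongside it.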

Scott Caveza, senior staff research engineer, Tenable, on the Tenable Research blog and Verizon DBIR:
“The number of new vulnerabilities disclosed continues to increase sharply, giving cyber defenders a never-ending “to-do list.” Generally, the most critical vulnerabilities should be at the “top of the list,” especially for edge devices that serve as a metaphorical door into your environment. However, the context around vulnerabilities – where a given vulnerability exists in your environment, what data or systems are potentially at risk, ease of exploitation, the existence of a proof-of-concept, and so much more – drives informed prioritisation and remediation. The biggest, baddest vulnerability could be a non-issue in some circumstances depending on context.

For the Verizon DBIR though, we evaluated the 17 edge device vulnerabilities featured in the report, each of which impacts valuable targets for attackers and is often the entry point for a breach. There are very limited circumstances, if any, where leaving an edge device vulnerable to a critical vulnerability makes sense given the nature of the device. While 54% of organisations have achieved full remediation of these 17 CVEs, our data revealed the average time to patch was a staggering 209 days. This gap is highly concerning, considering that attackers’ average time-to-exploitation is five days.

Our research underscores that considerable work remains. The data compiled by Verizon, in collaboration with Tenable, highlights the urgency to remediate known vulnerabilities and offers valuable insights to help organisations protect their networks, devices, and people.”

Tenable’s contributions to the Verizon DBIR are on pages 29-31.
