Research Report

2026 VulnCheck Exploit Intelligence Report

500+ data sources, thousands of exploits, and 48K+ new CVEs: What actually mattered to adversaries in 2025

In 2025, barely 1% of disclosed vulnerabilities were exploited in the wild. Yet those that were exploited were operationalized quickly, attracted diverse threat actors, and often caused outsized damage before organizations had a chance to respond. This report identifies which vulnerabilities mattered, why attackers targeted them, and where timing failures left organizations exposed.

VulnCheck tracked exploitation patterns, threat actor behavior, and weaponization timelines across hundreds of thousands of vulnerabilities in 2025. The data revealed how quickly new vulnerabilities became bona fide threats, how AI proof-of-concept code is polluting risk assessment pipelines, and which threat actors ramped up vulnerability exploitation amid geopolitical tension:

VulnCheck identified 50 Routinely Targeted Vulnerabilities from 2025 that had elevated risk profiles by the end of the year, drawing interest from ransomware, threat actors, botnets, and researchers (often simultaneously)

Proof-of-concept exploits for new CVEs increased 16.5% in 2025, inundating organizations with “risk” signals that often turned out to be false or misleading AI-generated slop

 China-nexus threat actor attributions increased 52% year-over-year, while ransomware groups shifted toward zero-day exploitation at accelerating rates, with 56.4% of ransomware CVEs discovered through zero-day activity

The report examines which vulnerabilities proved useful to attackers across different operational models, which threat actors demonstrated notable activity or new techniques, and how AI-generated exploit misinformation is distorting risk signals, complicating vulnerability analysis for defenders attempting to separate genuine threats from noise.

VulnCheck analysis focuses on confirmed patterns of sustained attacker interest, selecting vulnerabilities not by theoretical severity but by evidence of how threat actors, ransomware operators, botnet campaigns and the research community actually behaved throughout the year.

Download the full 2026 VulnCheck Exploit Intelligence Report.