SecureWorld News

Rise in Exploits, Enterprise Risks Detailed in Vulnerability Report

Written by Cam Sivesind | Fri | Aug 22, 2025 | 1:39 PM Z

The latest SecPod Q2 2025 Vulnerability Report highlights a concerning escalation in enterprise risk. With a 15% rise in total vulnerabilities this quarter, and a disproportionate 13% classified as critical or high severity, the findings underscore a growing attacker advantage and shrinking time-to-exploit.

For both public and private organizations, the report reinforces that traditional, siloed vulnerability management is no longer sufficient.

SecPod tracked 5,711 CVEs during Q2, including 16 zero-days and 40+ CISA Known Exploited Vulnerabilities (KEVs). Importantly, the decline in raw CVE counts from April to June (4,033 in April versus 2,495 in June) did not correspond to reduced risk. Instead, SecPod warns that "volume doesn't equate to lower risk"—exploitability and business impact remained stubbornly high.

The report found a persistent core of 1,300+ highly exploitable vulnerabilities, and more than 500 capable of severe business disruption, still active in June. This aligns with attackers' increasing speed in weaponizing vulnerabilities: "40 widely exploited vulnerabilities highlight attackers' agility in weaponizing known flaws."

Key findings show concentrated risks in vendors, OS, and applications. Risk exposure remains unevenly distributed:

  • Vendors: Adobe topped the list with 323 vulnerabilities, followed by PHPgurukul (254), Linux (203), Microsoft (160), and Apple (152).

  • Applications: Adobe Experience Manager led with 224 vulnerabilities, more than four times the next highest application.

  • Operating Systems: The Linux Kernel showed 695 vulnerabilities, nearly three times macOS, underscoring the urgency of kernel-level patch adoption.

These concentrations suggest attackers will continue to exploit high-profile vendors and widely deployed platforms. As SecPod notes, "a small number of platforms, devices, and applications account for the majority of critical vulnerabilities, making them prime targets for attackers."

The Top 10 critical vulnerabilities included high-impact flaws such as:

  • CVE-2025-32432 (Craft CMS): Remote server takeover via insecure deserialization (CVSS 10.0)

  • CVE-2025-31324 (SAP NetWeaver): Full application compromise through unauthenticated file upload (CVSS 10.0)

  • CVE-2025-53770 (Microsoft SharePoint): Persistent backdoors and token forgery (CVSS 9.8)

The Zero-Day Vulnerability List reveals similar high-risk exposures, particularly in Ivanti Connect Secure, VMware ESXi, Citrix NetScaler, and core Windows drivers, underscoring how attackers are targeting both critical enterprise gateways and fundamental OS components.

Beyond CVEs, the report highlights 959 misconfigurations and systemic weaknesses like:

  • Disabled SELinux enforcement

  • Blank or weak root passwords

  • Insecure Netlogon channels

  • Disabled firewalls and misconfigured UAC

SecPod warns that these conditions "significantly broaden the attack surface," giving adversaries easier paths for privilege escalation or persistence.

For businesses, the findings highlight an urgent need for Continuous Vulnerability and Exposure Management (CVEM). Episodic scans and reactive patching cannot keep pace with the speed at which adversaries are exploiting known flaws. The report emphasizes Unified Security Intelligence (USI) as the strategic enabler: consolidating CVE data, exploit intelligence, misconfigurations, and patch management into a single operational view.

For public sector organizations, adversaries are actively targeting government systems and critical infrastructure, and the risks are amplified by legacy systems, compliance mandates, and limited resources. The presence of vulnerabilities in platforms like Windows Server, VisionOS, and Linux Kernel demands that municipalities and agencies adopt proactive patch orchestration and misconfiguration remediation to avoid cascading impacts on essential services.

For the cybersecurity industry, vulnerability management vendors and MSSPs face pressure to deliver real-time, risk-prioritized remediation guidance. The integration of exploitability scoring, KEV mapping, and posture anomaly detection into platforms like SecPod's Saner CVEM points toward where the industry is headed—a unified, intelligence-driven approach to shrinking attack surfaces.

The Q2 2025 data tells a clear story: attackers are moving faster, and the clustering of vulnerabilities in widely used platforms magnifies the threat. The continuous, intelligence-driven vulnerability management SecPod calls for is not optional; it is essential.

The report concludes: "The only way to mitigate these risks is to continuously scan your IT infrastructure and avoid periodic scans."