Q1 2025: 159 Vulnerabilities Exploited in the Wild – Is Your Firm Still Behind on Patching?
Threat-intelligence analysts have counted 159 distinct CVEs actively exploited in the wild during Q1 2025—a 28 percent rise on the same period last year. Nearly half of the in-use flaws date from 2023 or earlier, confirming that organisations still struggle to patch “old” vulnerabilities. The report highlights three trends:
• Cloud & SaaS under fire – Microsoft 365, Google Workspace and several popular developer platforms account for a growing share of weaponised bugs.
• Edge devices as launch pads – VPN concentrators, firewalls and SOHO routers remain favoured entry points, with ransomware crews chaining older CVEs to bypass MFA.
• Rapid weaponisation – The average time between public disclosure and first observed exploit fell to 6 days, down from 12 days in 2024.
Researchers urge firms to adopt risk-based patching, tighten cloud identities and monitor for exploit kits that target long-patched CVEs.
Still Behind on Patching?
Cyber criminals wasted no time in 2025. Fresh data show 159 separate CVEs were actively exploited between January and March—up by nearly a third year-on-year. Worryingly, almost half of those flaws were well over a year old, underscoring how slowly many organisations update critical systems.
Cloud and SaaS Take Centre Stage
Attackers are shifting focus to online services such as Microsoft 365 and Google Workspace, where a single credential bypass can expose vast stores of data.
Edge Gear Remains a Soft Target
Out-of-date VPNs, firewalls and small-office routers continue to act as open doors. Ransomware groups chain multiple historic CVEs to sidestep multi-factor authentication and gain initial access.
Exploits Hit Faster Than Ever
The time between public disclosure and real-world abuse has dropped to six days. In other words, by the time Patch Tuesday rolls around, exploit kits may already be circulating on dark-web markets.
How to Respond
1. Prioritise risk-based patching – Patch by impact, not by publish date.
2. Harden cloud identities – Enforce MFA, conditional access and least privilege.
3. Monitor for legacy CVEs – Don’t assume “old” means “safe”; half of today’s attacks prove otherwise.
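A sketch of step 1, added here as an illustration and not taken from the report: findings are ranked by exposure and exploitation status rather than publish date, and exploited flaws get a deadline inside the six-day window cited above. The weights, the 30-day default, the asset classes and the placeholder CVE names are all assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed weights per asset class; tune to your own environment.
EXPOSURE_WEIGHT = {"edge": 3, "cloud-identity": 3, "internal-server": 2, "workstation": 1}
EXPLOIT_WINDOW_DAYS = 6   # average disclosure-to-exploit time quoted in the article
DEFAULT_SLA_DAYS = 30     # assumed deadline for flaws with no known exploitation

@dataclass
class Finding:
    cve: str                 # placeholder names, not real CVE identifiers
    published: date
    asset_class: str
    exploited_in_wild: bool  # assumed to come from a known-exploited feed
    cvss: float

def risk_score(f: Finding) -> float:
    """Impact-driven score; the age of the CVE is deliberately not a factor."""
    score = f.cvss * EXPOSURE_WEIGHT[f.asset_class]
    return score * 2 if f.exploited_in_wild else score

def patch_deadline(f: Finding, found_on: date) -> date:
    """Exploited flaws must be fixed before the exploit window closes."""
    days = EXPLOIT_WINDOW_DAYS - 1 if f.exploited_in_wild else DEFAULT_SLA_DAYS
    return found_on + timedelta(days=days)

def prioritise(findings):
    """Highest risk first, regardless of publish date."""
    return sorted(findings, key=risk_score, reverse=True)

# Constructed sample findings
FINDINGS = [
    Finding("CVE-PLACEHOLDER-NEW", date(2025, 3, 10), "workstation", False, 9.8),
    Finding("CVE-PLACEHOLDER-OLD-VPN", date(2022, 5, 2), "edge", True, 7.5),
    Finding("CVE-PLACEHOLDER-SAAS", date(2024, 11, 20), "cloud-identity", True, 8.1),
    Finding("CVE-PLACEHOLDER-SRV", date(2025, 1, 15), "internal-server", False, 8.8),
]

if __name__ == "__main__":
    today = date(2025, 4, 1)
    for f in prioritise(FINDINGS):
        print(f"{f.cve:24} score={risk_score(f):5.1f} due={patch_deadline(f, today)}")
```

Sorting the same list by publish date would put the 2022 VPN flaw last, even though it is exploited and sits on an edge device.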
Keeping pace with threat actors in 2025 will mean fixing yesterday’s holes as urgently as today’s.