Preloader

At Risk and Unaware: The State of Enterprise Security in 2025

At Risk and Unaware: The State of Enterprise Security in 2025

At Risk and Unaware: The State of Enterprise Security in 2025

According to Medad News, the tenth annual edition of this report analyzes full-stack security trends across various industries, highlighting common vulnerabilities, patching delays, and critical exposure points. By offering insights into exploit availability, attack surface exposure, and remediation timelines, it equips organizations with the data needed to make smart, risk-based decisions.

The report emphasizes a persistent challenge in cybersecurity: “Not all vulnerabilities are created equal.” Some occur infrequently but carry high impact—what Edgescan calls “compressed risks.” Despite the presence of prioritization models such as EPSS, CISA KEV, CVSS, and SSVC, inconsistencies between them make it difficult to rely on a single framework for decision-making.

Patching remains a significant hurdle, especially in production environments, a challenge reflected in slow Mean Time to Remediate (MTTR) metrics. Many organizations still struggle with visibility, a crucial factor in reducing risk. Alarmingly, vulnerabilities dating back to 2015 are still being exploited in active ransomware and malware campaigns.

Internal systems remain vulnerable, as attackers often chain together weaknesses across multiple technology layers to amplify the impact of their attacks. This makes Attack Surface Management (ASM) more critical than ever. Continuous asset profiling by Edgescan shows that sensitive systems are often exposed to the public internet—without the organization’s knowledge.

Ultimately, the data paints a clear picture: effective risk management depends on improving visibility, integrating multiple risk models, and addressing legacy vulnerabilities before they are used against you.

Key Findings from the 2025 Report

  • Across all technology layers, over 33% of discovered vulnerabilities were critical or high severity.

  • The average MTTR for a critical vulnerability in web applications was 35 days, while internet-facing host/cloud vulnerabilities took an average of 61 days to remediate.

  • The CISA KEV list included 1,238 vulnerabilities by the end of 2024, with 185 added during the year.

  • In 2024, for the first time, 768 CVEs were confirmed to be exploited in the wild, accounting for 2% of all discovered vulnerabilities, representing a 20% increase over 2023.

 

Source: MedadPress
www.medadpress.ir