Edgescan’s 2025 mid-year report shows how continuous, validated penetration testing and attack surface management are replacing traditional consultancy-led assessments, with more than 40,000 assessments and 1,000+ penetration tests across network/cloud, web applications, and APIs. The report highlights persistent high-risk findings such as SQL injection, file path traversal, and authorization flaws, while emphasizing that expert validation, EPSS, and CISA KEV-informed exposure scoring are central to reducing false positives and prioritizing remediation. #Edgescan #SQLinjection #CWE89 #CWE22 #EPSS #CISAKEV
Key points
- Annual cybersecurity reports like this one typically begin with an executive summary, followed by methodology, detailed findings, vulnerability breakdowns, scoring/priority models, platform or product descriptions, and closing observations that explain how the data was collected and how it should be interpreted.
- The executive summary usually frames major market or threat trends, explains why the report matters, and highlights the scale of the underlying dataset, such as thousands of assessments, scans, or tests across many organizations and asset types.
- The methodology section generally describes how the vendor measures security, including asset discovery, vulnerability scanning, penetration testing, validation steps, and the use of historical data or analytics to reduce false positives and improve confidence in findings.
- Detailed insights sections commonly present vulnerability distribution by asset class and severity, closure or remediation rates, and comparisons across environments such as network, cloud, web applications, and APIs.
- In this report, the scale is significant: more than 40,000 assessments and 1,000+ penetration tests were performed, with the workload split across Network/Cloud at 47%, Web Applications at 32% to 33%, and APIs at 20% to 21%.
- The report shows that severity remains a major concern across the stack, with full-stack critical and high findings both at 13%, and medium findings accounting for 40% overall.
- Web applications and APIs carry the highest critical-risk concentration, with critical findings at 25% for Web/API versus only 3% for Network/Cloud, indicating that layer 7 exposures remain especially dangerous.
- Closure activity is strong but still leaves room for improvement: 56% of discovered vulnerabilities were retested and verified as closed between January and June 2025.
- The most common critical web application weaknesses are dominated by SQL injection at 31.4% and file path traversal at 29.6%, followed by out-of-band resource load issues, authorization flaws such as IDOR/BOLA, and arbitrary file upload.
- Other notable web findings include stored cross-site scripting, APIs accessible without authentication, vulnerable software, information disclosure, and unauthorized admin access, showing that both classic injection flaws and access-control failures remain prevalent.
- Average vulnerability density is highest in Web Applications/API at 25 vulnerabilities per asset, compared with 17.5 across the full stack and 16.19 for Network, suggesting web-facing assets remain more exposed and complex.
- The report’s EPSS data shows that 13% of issues have a greater than 80% likelihood of exploitation within 30 days, while 16% exceed 60% and 26% exceed 10% (the figures are cumulative), reinforcing the need to prioritize weaknesses that are likely to be exploited.
- The Exposure Factor metric, combining CVSS, EPSS, and CISA KEV, indicates high prioritization pressure as well, with 39% above 10, 34% above 50, and 26% above 80.
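As an added illustration of the kind of prioritization these two points describe (this is example code, not the report's or Edgescan's own, and the report's Exposure Factor formula is not published in this summary), the block below buckets a constructed set of findings by EPSS threshold the same cumulative way the report does, and then ranks them with a hypothetical score in which CISA KEV membership dominates, EPSS comes next, and CVSS is a tie-breaker. The weights in `exposure_score` are an assumption chosen only to show the ordering.

```python
"""Triage findings using EPSS, CVSS and CISA KEV status.

Added example, not code from the Edgescan report. The report does not
publish its Exposure Factor formula; exposure_score() below is a
hypothetical stand-in that only illustrates a KEV > EPSS > CVSS ordering.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    asset: str
    cwe: str
    cvss: float    # CVSS base score, 0-10
    epss: float    # EPSS probability of exploitation within 30 days, 0-1
    in_kev: bool   # listed in the CISA Known Exploited Vulnerabilities catalog


# Constructed sample data for the example (not taken from the report).
SAMPLE = [
    Finding("app-1", "CWE-89", 9.8, 0.92, True),
    Finding("app-2", "CWE-22", 7.5, 0.65, False),
    Finding("api-1", "CWE-639", 6.5, 0.12, False),
    Finding("net-1", "CWE-200", 5.3, 0.01, False),
    Finding("app-3", "CWE-79", 6.1, 0.85, False),
]

# The thresholds the report uses when summarizing EPSS likelihoods.
EPSS_THRESHOLDS = (0.80, 0.60, 0.10)


def epss_distribution(findings):
    """Share of findings whose EPSS exceeds each threshold.

    The shares are cumulative (a finding above 0.80 also counts above
    0.60 and 0.10), matching how the report presents its percentages.
    """
    total = len(findings)
    return {t: sum(1 for f in findings if f.epss > t) / total
            for t in EPSS_THRESHOLDS}


def exposure_score(f):
    """Hypothetical 0-100 score (assumption, not the report's formula).

    Anything in KEV is already exploited in the wild, so it pins to 100;
    otherwise EPSS carries most of the weight and CVSS breaks ties.
    """
    if f.in_kev:
        return 100.0
    return round(0.7 * f.epss * 100 + 0.3 * f.cvss * 10, 1)


def triage(findings, floor=10.0):
    """Return (score, finding) pairs at or above the floor, highest first."""
    scored = [(exposure_score(f), f) for f in findings]
    scored.sort(key=lambda pair: (-pair[0], pair[1].asset))
    return [(s, f) for s, f in scored if s >= floor]


if __name__ == "__main__":
    for threshold, share in epss_distribution(SAMPLE).items():
        print(f"EPSS > {threshold:.2f}: {share:.0%} of findings")
    for score, f in triage(SAMPLE, floor=50.0):
        print(f"{score:5.1f}  {f.asset:6}  {f.cwe:8}  kev={f.in_kev}")
```

Raising `floor` is the knob a remediation team would turn to match capacity: with the sample data a floor of 50 keeps the KEV-listed SQL injection and the two high-EPSS web findings and drops the rest, which mirrors the report's point that likelihood of exploitation, not CVSS alone, should drive what gets fixed first.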
- A recurring theme is the shift toward continuous, automated PTaaS and attack surface management, but the report stresses that human expertise is still required for business logic testing, deep validation, and confirming real-world exploitability.
- Another major takeaway is that accuracy and scale are increasingly being balanced through AI, analytics, and expert review, with 92% of vulnerabilities validated automatically and 8% requiring expert validation.
- The broader cybersecurity message is that organizations need continuous visibility, validated intelligence, and rapid retesting because exposure changes constantly and the most damaging weaknesses are often not the ones easiest to detect automatically.
Source: Awesome Annual Security Reports - The reports in this collection are limited to content which does not require a paid subscription, membership, or service contract. (https://github.com/jacobdjwilson/awesome-annual-security-reports/)