Monday, March 9th, 2026

Report separates real-world exploitation trends from theoretical vulnerabilities

A new report from exploit intelligence company VulnCheck separates real-world exploitation trends and attacker behavior from theoretical ones.

The report, the 2026 VulnCheck Exploit Intelligence Report (VEIR), offers a first-of-its-kind analysis of those trends, along with an inaugural list of the 50 most routinely targeted vulnerabilities of the past year. The company said that by separating vulnerability disclosure data from confirmed exploitation, the report can help security teams prioritize remediation based on operational risk.

“The data shows that exploitation is concentrated in a very small number of vulnerabilities, but those vulnerabilities are being weaponized faster and at greater scale. At the same time, the volume of exploit content, much of it AI-generated slop, is making it harder to distinguish real operational risk from background noise,” Jacob Baines, CTO with VulnCheck, said.

According to the report, VEIR tracked more than 14,400 exploits developed for 10,480 unique 2025 CVEs, a 16.5 percent increase in same-year exploit coverage. The company said much of the growth was associated with AI-generated proof-of-concept code, including nonfunctional or misleading exploit content. More than half of the 2025 ransomware CVEs (56.4 percent) were first identified through active zero-day exploitation, and roughly one-third lacked public or commercial exploits as of January 2026. The report noted a 13 percent decrease in new vulnerabilities linked to named state-sponsored groups overall, with China-linked exploit attributions increasing and Iranian-linked activity decreasing.

“The VEIR shows that while CVE disclosures and public proof-of-concept code increased in 2025, just 1 percent of vulnerabilities were confirmed to be exploited in the wild, with a small subset driving disproportionate real-world impact,” the company said.