Introduction
Between 2020 and 2025, the cybersecurity landscape underwent a fundamental shift: vulnerability volume exploded, but real-world exploitation remained selective and strategic. While defenders scrambled to triage tens of thousands of new CVEs annually, only a fraction ever posed operational risk. This dossier delivers the hard evidence behind the Noorstream doctrine:
Volume ≠ Risk. Exploitation + Context = Priority.
This analysis isn’t just a call for reform. It’s a surgical breakdown of how adversaries operate—and how defenders must evolve.
Historical Evolution
The modern CVE deluge began accelerating in 2020:
- 2020: 18,444 CVEs
- 2021: 20,171
- 2022: 23,896
- 2023: 28,955
- 2024: 40,289 — a 72% jump YoY
- 2025: 21,528 as of June; projected 43,000+
But while volume doubled, attacker behavior didn’t scale equally. Historical exploitation rates held steady:
- Only 1.1–2% of all CVEs were ever exploited [VulnCheck – Exploitation Trends, 2024].
- Even CVSS 9.8+ vulnerabilities saw 96% non-exploitation [VulnCheck – CVSS Exploitation, 2024].
The result: an operational disconnect between vulnerability disclosure and threat relevance.
Only 1–2% of CVEs are ever exploited in the wild. Vulnerability programs built around volume instead of context are burning remediation capacity on risks that will never materialize.
Noorstream delivers threat intelligence, vulnerability management, and offensive security assessments for high-risk environments.
Technical Breakdown
Exploitation Timelines (2024–2025)
- 28.3% of exploited vulns were hit within 24 hours of disclosure [Mandiant – Threat Trends Q1, 2025].
- 56% within 7 days.
- 75% within 30 days.
- Over 98% of all CVEs were never touched [CISA – KEV Catalog Review, 2024].
High CVSS Score Paradox
| CVSS Range | Exploitation Rate |
|---|---|
| 10.0 | 6.3% |
| 9.8–9.9 | 4.0% |
| 9.0–9.7 | 3.0% |
Severity ≠ exploitation likelihood [VulnCheck – CVSS Exploitation, 2024].
Common Exploit Types
| Type | % of Exploited CVEs |
|---|---|
| Remote Code Execution | 32% |
| Auth Bypass | 18% |
| Privilege Escalation | 15% |
| SQL Injection | 12% |
| Deserialization | 8% |
| Path Traversal | 7% |
| OS Command Injection | 6% |
Attack Surface Focus
| Surface | Exploitation % |
|---|---|
| Network Edge (VPNs, FW) | 36% |
| Internet-Facing Apps | 35% |
| Identity Systems | 25% |
| OS Platforms | 24% |
| Cloud Misconfigs | 20% |
| Internal-Only Systems | 15% |
Zero-Day Exploitation Trends
- 2021: 106 zero-days
- 2022: 62
- 2023: 97 (↑57%)
- 2024: ~70–80 estimated [Google TAG – 0-Day Exploits in the Wild, 2023]
Key findings:
- 53% began as zero-days
- 36% hit network edges
- 75% were memory-safety bugs [Mandiant – Zero-Day Exploits, 2024]
Case Studies
| Incident | CVE / Type | Vector | Impact |
|---|---|---|---|
| SolarWinds | Supply Chain | Supply chain | 18,000+ targets |
| Log4Shell | CVE-2021-44228 | Internet-facing RCE | 100,000+ systems |
| Microsoft Exchange | CVE-2021-26855 | ProxyShell stack | 30,000+ orgs |
| MOVEit Transfer | CVE-2023-34362 | Internet-facing RCE | 2,700+ orgs |
| Ivanti Connect Secure | CVE-2024-21887 | VPN/edge device | 1,000+ orgs |
| Palo Alto PAN-OS | CVE-2024-3400 | Edge RCE | 2,000+ orgs |
None were high-CVSS internal bugs. All were exploited fast, at scale, and aligned with attacker objectives.
Strategic Implications
For Defenders
- CVSS is broken as a standalone metric.
- Asset context, internet exposure, and adversary behavior must dictate prioritization.
- Delay in patching KEV-class vulns = breach.
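The three points above describe a prioritization model without showing one. The script below is an added example written for this page, not Noorstream's tooling or any product's code. It ranks scanner findings by evidence of exploitation (membership in a feed laid out like CISA's public KEV JSON, including the ransomware flag and the remediation due date), by the affected asset's exposure class and criticality, and uses CVSS only as a tie-breaker. The feed entries, CVE identifiers (CVE-2099-xxxx), asset names and the weights are all constructed placeholders; only the KEV field names (cveID, dateAdded, dueDate, knownRansomwareCampaignUse) are taken from the real feed format.

```python
"""Context-driven vulnerability prioritization (added example; hypothetical weights).

Scores findings by exploitation evidence and asset context, with CVSS as a tie-breaker,
and contrasts the result with a CVSS-only ordering.
"""
import json
from datetime import date

# Constructed sample feed in the layout of CISA's public KEV JSON. The field names are
# real; the CVE identifiers and dates are placeholders, not actual catalog entries.
KEV_FEED_JSON = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-2099-0001", "dateAdded": "2025-05-01", "dueDate": "2025-05-22",
         "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2099-0002", "dateAdded": "2025-06-10", "dueDate": "2025-07-01",
         "knownRansomwareCampaignUse": "Unknown"},
    ]
})

# Constructed findings, as a scanner export joined with an asset inventory would look.
FINDINGS = [
    {"cve": "CVE-2099-0001", "cvss": 7.2, "asset": "vpn-gw-01", "exposure": "edge", "criticality": "high"},
    {"cve": "CVE-2099-0002", "cvss": 8.1, "asset": "portal-web", "exposure": "internet_app", "criticality": "medium"},
    {"cve": "CVE-2099-0003", "cvss": 9.8, "asset": "build-srv-07", "exposure": "internal", "criticality": "low"},
    {"cve": "CVE-2099-0004", "cvss": 9.1, "asset": "ad-dc-02", "exposure": "identity", "criticality": "high"},
]

# Hypothetical weights. Their relative sizes encode the doctrine: exploitation evidence
# and exposure dominate, CVSS (0-10) can only reorder findings that are otherwise equal.
EXPOSURE_WEIGHT = {"edge": 25, "internet_app": 20, "identity": 15, "internal": 0}
CRITICALITY_WEIGHT = {"high": 10, "medium": 5, "low": 0}
EXPLOITED_WEIGHT = 50
RANSOMWARE_WEIGHT = 15
OVERDUE_WEIGHT = 10


def load_kev(feed_json):
    """Index a KEV-layout feed by CVE id."""
    return {v["cveID"]: v for v in json.loads(feed_json)["vulnerabilities"]}


def score_finding(finding, kev, today):
    """Return (score, reasons) for one finding; reasons explain the ranking to analysts."""
    reasons = []
    score = 0.0
    entry = kev.get(finding["cve"])
    if entry:
        score += EXPLOITED_WEIGHT
        reasons.append("in KEV (exploited in the wild)")
        if entry.get("knownRansomwareCampaignUse") == "Known":
            score += RANSOMWARE_WEIGHT
            reasons.append("known ransomware use")
        if date.fromisoformat(entry["dueDate"]) < today:
            score += OVERDUE_WEIGHT
            reasons.append("past KEV due date")
    exposure = finding["exposure"]
    if exposure not in EXPOSURE_WEIGHT:
        # Unknown exposure is an inventory gap, not a low-risk asset; fail loudly.
        raise ValueError(f"unknown exposure class for {finding['asset']}: {exposure}")
    score += EXPOSURE_WEIGHT[exposure]
    score += CRITICALITY_WEIGHT[finding["criticality"]]
    score += finding["cvss"]  # tie-breaker only
    return score, reasons


def prioritize(findings, feed_json, today_iso):
    """Rank findings by context score; today_iso (YYYY-MM-DD) decides KEV overdue status."""
    kev = load_kev(feed_json)
    today = date.fromisoformat(today_iso)
    ranked = []
    for f in findings:
        score, why = score_finding(f, kev, today)
        ranked.append({**f, "score": score, "reasons": why})
    ranked.sort(key=lambda r: (-r["score"], -r["cvss"], r["cve"]))
    return ranked


def cvss_only_order(findings):
    """The ordering a severity-first program would produce, for comparison."""
    return [f["cve"] for f in sorted(findings, key=lambda f: -f["cvss"])]


if __name__ == "__main__":
    ranked = prioritize(FINDINGS, KEV_FEED_JSON, "2025-06-15")
    print("CVSS-only order:", cvss_only_order(FINDINGS))
    print("Context order:  ", [r["cve"] for r in ranked])
    for r in ranked:
        why = ", ".join(r["reasons"]) or "no exploitation evidence"
        print(f"{r['cve']} {r['score']:6.1f} {r['asset']:<13} {why}")
```

With the constructed data, the CVSS 9.8 bug on an internal build server drops to the bottom, while the CVSS 7.2 KEV entry on the VPN gateway, already past its KEV due date, goes to the top. The `reasons` list is deliberately part of the output: a prioritization model that cannot explain itself will not survive contact with a change-advisory board.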
For Regulators
- NIST, DHS, and industry compliance standards must update patching mandates to reflect exploitation likelihood, not theoretical severity.
- Encourage contextual risk modeling across industries.
For Adversaries
- Nation-states and ransomware crews increasingly share playbooks, creating unified exploitation paths.
- Preference for edge-to-internal pivoting remains dominant.
Future Outlook
Expect continued volume surges. But two trends matter more:
- Speed to weaponization is accelerating. Exploits now hit live assets within hours, not weeks.
- AI-driven triage will be the only scalable response to sift signal from noise.
By 2027, CVE counts may surpass 60,000 annually, but only contextual awareness will keep defenders in the fight.
Noorstream Perspective
The cybersecurity industry has become obsessed with metrics that don’t matter.
CVSS is easy to score, but blind to real-world behavior.
Volume-based patching strategies burn resources, delay remediation, and distract analysts.
Noorstream’s doctrine is clear:
Volume ≠ Risk. Exploitation + Context = Priority.
This is not philosophy. It’s operational truth backed by data. Our red teams, threat analysts, and vulnerability operators are aligned under one model: prioritize only what adversaries target—at speed, with precision.
Context is the new perimeter. Prioritize accordingly.
References
[VulnCheck – State of Exploitation 1H‑2025] https://www.vulncheck.com/blog/state-of-exploitation-1h-2025
[VulnCheck – Exploitation Trends Q1‑2025] https://www.vulncheck.com/blog/exploitation-trends-q1-2025
[VulnCheck – 2024 Exploitation Trends] https://www.vulncheck.com/blog/2024-exploitation-trends
[VulnCheck – State of Exploitation 1H‑2024] https://www.vulncheck.com/blog/state-of-exploitation-1h-2024
[CISA – KEV Catalog Review, 2024] https://www.cisa.gov/known-exploited-vulnerabilities
[Google TAG – 0-Day Exploits in the Wild, 2023] https://blog.google/technology/safety-security/a-review-of-zero-day-in-the-wild-exploits-in-2023
[Mandiant – M-Trends 2025: State-Sponsored Threat Shifts] https://www.securityweek.com/m-trends-2025-state-sponsored-it-workers-emerge-as-new-global-threat
[Zero-Day Exploitation & Time-to-Exploit Trends, 2023] https://www.criticalstart.com/resources/google-mandiant-timetoexploit-falls-zeroday-exploits-rise