Vulnerability Insights and Prioritization Report 2025 H1 Analysis
Part one of our two-part series explores why public sources like NVD and CVE fall short, the impact that has on an organization, and how Flashpoint helps security teams cut through the noise and prioritize what truly matters.

Organizations face a growing challenge of extracting meaningful insights from vast, varied, and rapidly diversifying sources of vulnerability disclosures. This has been further compounded by the recent Common Vulnerabilities and Exposures (CVE) scare and the ongoing funding uncertainty and slowdowns surrounding the National Vulnerability Database (NVD) and CVE programs. Without robust strategies and tools, security teams often fall into “analysis paralysis,” leading to inefficient data processing, poor prioritization, misguided decisions, wasted resources, and slow responses. Effective vulnerability prioritization, driven by accurate intelligence, is crucial for a successful model that provides a competitive advantage and resilience.
To address this gap, Flashpoint launched the Weekly Vulnerability Insights and Prioritization Report in January 2025. Leveraging Flashpoint’s leading Vulnerability Intelligence, our analysts deliver actionable insights on the previous week’s published vulnerabilities to help organizations prioritize remediation efforts and stay ahead of real-world threats. In the first half of 2025 alone, our analysts identified and suggested prioritization for 96 vulnerabilities out of more than 21,100 vulnerabilities published to Flashpoint VulnDB and Ignite. These selections met strict criteria based on operational risk, not theoretical CVSS scores or passive references. These vulnerabilities could affect enterprises because many are found in widely used products, and all of them meet one or more of the following criteria:
- Are in widely used products and are potentially enterprise-affecting
- Have critical severity and high CVSS score
- Are exploited in the wild or have exploits available
- Allow full system compromise
- Can be exploited via the network alone or in combination with other vulnerabilities
- Have a solution to take action on
If exploited, the vulnerabilities could result in full system or data compromise, and potentially significant disruption to business operations. This midyear analysis distills six months of weekly assessments into insights for defenders and highlights the growing need to move beyond legacy sources of vulnerability data, like NVD and open-sourced models that merely regurgitate its data.
Additionally, today, we are introducing the Flashpoint Method for Threat-Informed Vulnerability Prioritization, a data-driven approach that helps you focus on the vulnerabilities that pose the greatest real-world risk to your organization. This method complements the weekly reports by offering a dynamic, real-time approach to vulnerability management, moving beyond static scoring to enable faster, more decisive action. Whether you are new to deploying a Continuous Threat Exposure Management (CTEM) program or are confidently executing a Proactive Security and Readiness program, Flashpoint’s proprietary vulnerability intelligence will deliver the intelligence you need.
A Broken Foundation: Why Public and Open-Sourced Vulnerability Data Falls Short
Delays in Enrichment
The gap between CVE publication and NVD enrichment now routinely ranges from weeks to months and, in some cases, even years, creating critical intelligence blind spots. These delays leave security teams without timely, actionable insights during periods when vulnerabilities are most dangerous. Two key figures illustrate the severity of this issue:
As of July 14, 2025:
- 94,589: NVD’s backlog, “old” entries that NVD is choosing not to analyze but that could still pose a risk.
- 44,092: The number of vulnerabilities currently awaiting analysis by NVD that are unlikely to be enriched or reviewed in sufficient time to assist an organization.
NVD and similar open-sourced vulnerability feeds were intended to provide timely, enriched intelligence for vulnerability management and security operations. In practice, however, a significant number of vulnerabilities lack crucial information such as CPEs, CVSS scores, affected products and versions, and much more, leaving defenders without vital insights for effective triage and response.
As the threat landscape continues to deteriorate, and critical products and technologies frequently experience severe, business-impacting vulnerabilities due to sub-standard software development practices, cybersecurity defenders are finding themselves without the foundational support resources like NVD were meant to provide.
Lacking Exploitation Context
NVD doesn’t inherently indicate whether a vulnerability is being weaponized in the wild, leaving defenders with limited visibility into active threats. CVE details, available in JSON format, contain information on known exploited vulnerabilities; this data largely mirrors the CISA Known Exploited Vulnerabilities (KEV) catalog with minor additions. And although CISA’s KEV is the best known, it is just one of many KEV databases being maintained, and falls short in comparison to Flashpoint’s own KEV in both scope and depth.
- As of July 14, 2025, the CISA KEV catalog had 1379 vulnerabilities listed
- The Flashpoint KEV catalog, by comparison, had 5400+ vulnerabilities listed
Without real-time, contextualized, curated intelligence, defenders are forced to rely on outdated or incorrect information, significantly impacting their ability to prioritize and respond before attackers strike.
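To make the two gaps above concrete (missing enrichment, and exploitation context that only appears when a KEV flag has been attached), here is an added example, not Flashpoint's or NVD's code, that inspects one CVE JSON record. It assumes the CVE JSON 5.x layout in which CISA's ADP container carries `other` metrics of type `kev` and `ssvc`; the record, its ID and the function name `triage_context` are constructed for illustration.

```python
import json

# Constructed sample record (placeholder ID and date, not a real CVE).
# Assumption: CVE JSON 5.x layout with CISA ADP "other" metrics (kev / ssvc).
SAMPLE_RECORD = json.loads("""
{"cveMetadata": {"cveId": "CVE-0000-00001"},
 "containers": {
   "cna": {"affected": [{"vendor": "ExampleVendor", "product": "ExampleProduct"}],
           "metrics": []},
   "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [
     {"other": {"type": "ssvc", "content": {"options": [
        {"Exploitation": "active"}, {"Automatable": "yes"},
        {"Technical Impact": "total"}]}}},
     {"other": {"type": "kev", "content": {"dateAdded": "2025-01-01"}}}]}]}}
""")

def triage_context(record):
    """Summarise exploitation signal and enrichment gaps for one CVE record."""
    containers = record.get("containers", {})
    blocks = [containers.get("cna", {})] + containers.get("adp", [])
    out = {"cve": record.get("cveMetadata", {}).get("cveId"),
           "kev_date": None, "ssvc": {}, "has_cvss": False,
           "has_affected": False, "has_cpe": False}
    for block in blocks:
        for product in block.get("affected", []):
            out["has_affected"] = True
            out["has_cpe"] = out["has_cpe"] or bool(product.get("cpes"))
        for metric in block.get("metrics", []):
            # CVSS metrics are keyed cvssV2_0, cvssV3_1, cvssV4_0, ...
            if any(key.startswith("cvssV") for key in metric):
                out["has_cvss"] = True
            other = metric.get("other", {})
            content = other.get("content", {})
            if other.get("type") == "kev":
                out["kev_date"] = content.get("dateAdded")
            elif other.get("type") == "ssvc":
                for option in content.get("options", []):
                    out["ssvc"].update(option)
    # Fields a triage pipeline would have to source elsewhere.
    out["gaps"] = [name for name in ("has_cvss", "has_affected", "has_cpe")
                   if not out[name]]
    return out

if __name__ == "__main__":
    print(json.dumps(triage_context(SAMPLE_RECORD), indent=2))
```

A record with an empty `gaps` list and no `kev_date` is enriched but carries no exploitation signal, which is the case the KEV comparison above is about.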
Fortunately, an alternative vulnerability intelligence source exists that integrates the strengths of both automation and human analysis. Flashpoint vulnerability intelligence delivers real-time, enriched vulnerability intelligence, complete with relevant metadata such as:
- CVSS (v2, v3, v4)
- EPSS (v1, v3)
- Social risk
- Ransomware likelihood
- Exploit maturity
- Location required for exploitation
- Cross-referenced vulnerability IDs
- Vendor and product alignment
- Secure product versions when available
- MITRE ATT&CK mapping
- Classifications: attack type, impact, solution, and disclosure
What NVD/Open-Sourced Doesn’t Tell You, But You Should Know
 | Flashpoint Vulnerability Intelligence (Human-Curated) | NVD / Open-Sourced |
---|---|---|
Exploitation Signal | ✅ | ❌ |
Patch / Fix Availability | ✅ | Partial/Sometimes |
Threat Actor Context | ✅ | ❌ |
Vendor-Specific Guidance | ✅ | Partial/Sometimes |
Vulnerability Chaining Risk | ✅ | ❌ |
Ransomware Likelihood Risk | ✅ | ❌ |
Social Risk Score | ✅ | ❌ |
Flashpoint Method for Threat-Informed Vulnerability Prioritization: Tactical by Design
The vulnerabilities highlighted in our H1 report underscore a broader challenge: security teams don’t just need more data, they need the right data, delivered with the context to act. That’s exactly what the Flashpoint Method for Threat-Informed Vulnerability Prioritization provides. Developed by Flashpoint’s vulnerability intelligence experts, this tactical methodology helps defenders cut through noise and focus on vulnerabilities that matter most – those vulnerabilities with exploitation evidence, high business impact, and available solutions. Unlike legacy approaches that rely solely on theoretical CVSS scores or incomplete metadata, our framework prioritizes real-world threats based on criteria such as:
- Active exploitation in the wild
- Remote exploitability
- Ransomware association
- Asset exposure and criticality
- Available fixes and mitigations
By combining human-curated intelligence with automation and rich metadata, including CVSS (v2, v3, v4), EPSS (v1, v3), Social Risk, and Ransomware Likelihood, Flashpoint Vulnerability Intelligence enables organizations to triage vulnerabilities with confidence and speed. Whether you’re dealing with zero-days or assessing a backlog of CVEs, this method helps teams focus limited resources on the most urgent threats.
Download the full guide for:
- A clear framework for assessing which vulnerabilities demand immediate attention and why.
- A checklist of key prioritization criteria based on real-world exploitation, business impact, and threat intelligence.
- Insights into how Flashpoint’s vulnerability intelligence platform and analyst expertise can help put threat-informed vulnerability management into action, at scale.
Real-World Examples
These examples highlight specific vulnerabilities that Flashpoint published and suggested prioritization for in the first half of 2025, demonstrating the real-world impact and diverse nature of threats. They serve to illustrate key trends and provide actionable insights into our ability to deliver early warning awareness for vulnerabilities that may pose significant risk to your organization.
Microsoft Windows Server Delegated Managed Service Accounts (dMSA) Feature Remote Privilege Escalation | |
---|---|
Vulnerability Description | Microsoft Windows Server contains a flaw related to the delegated Managed Service Account (dMSA) feature. The issue is triggered as the SIDs of the superseded service account and its associated groups are included in the Privilege Attribute Certificate (PAC) that is embedded in the ticket when a dMSA authenticates. By creating a new dMSA and setting certain attributes, an authenticated, remote attacker with ‘CreateChild’ permissions on an organizational unit (OU) can compromise arbitrary users in the domain and gain similar privileges to the Replicating Directory Changes privilege used to perform DCSync attacks. |
Product(s) | Windows Server 2025 |
Classifications | Attack Type: Other; Impact: Loss of Integrity; Solution: Workaround; Disclosure: Vendor verified, Coordinated disclosure, No vendor action; FP Classification: Authentication required |
Ransomware Likelihood | High |
Time to Exploit | N/A |
Disclosure Date | 05/21/2025 |
CVE Assignment | 50 days without a CVE assignment. As of July 10, 2025 – still no CVE assignment |
Apache Tomcat PreResources / PostResources Use Improper Access Control Enforcement Authentication Bypass | |
---|---|
Vulnerability Description | CVE-2025-49125: Apache Tomcat contains a flaw that is triggered as authentication mechanisms are not properly implemented when using PreResources or PostResources mounted at an unexpected path other than at the root of the web application. This may allow a context-dependent attacker to potentially bypass intended security constraints to gain access to those resources. |
Product(s) | Policy Manager for Secure Connect Gateway (SCG); Apache Tomcat |
Classifications | Attack Type: Authentication Manipulation; Impact: Loss of Integrity; Solution: Upgrade; Disclosure: Vendor verified, Coordinated disclosure; FP Classification: Web-related |
Ransomware Likelihood | High |
Time to Exploit | N/A |
Disclosure Date | 06/05/2025 |
uniapi Package for Python __init__.py Malicious Code Remote Code Execution | |
---|---|
Vulnerability Description | uniapi Package for Python was reported to contain malicious code in __init__.py that allows a remote attacker to execute arbitrary code and disclose system information. |
Product(s) | uniapi Package for Python |
Classifications | Attack Type: Input Manipulation; Impact: Loss of Integrity; Solution: Workaround; Disclosure: Discovered in the Wild; FP Classification: Backdoor |
Ransomware Likelihood | Medium |
Time to Exploit | Zero-day (FP KEV) |
Disclosure Date | 1/27/2025 |
CVE Assignment | 164 days without CVE assignment yet |
Proactively Defend Against Vulnerability Risk with Flashpoint
Curated, timely vulnerability intelligence transforms vulnerability management from a reactive exercise to a proactive defense strategy. In today’s threat environment, speedy action, not just discovery and analysis, makes the difference between staying defended or breached.
This crucial shift is becoming ever more apparent as the limitations of traditional vulnerability data sources, particularly NVD, become glaringly obvious. The delays in enrichment, the frequent lack of critical metadata, and the absence of exploitation context have created a significant intelligence gap, leaving defenders exposed and vulnerable.
This gap has not gone unnoticed. In response, numerous new public sources of vulnerability data have emerged, each attempting to fill the void left by the NVD; however, most of these “VDBs” are merely rebranded CVE/NVD data, sometimes with minor additions. This signals a growing acknowledgment of the problem and the increasing demand for more timely, accurate, and actionable vulnerability intelligence as a foundation for defenders to deliver better security outcomes. To address this need, Flashpoint’s Method for Threat-informed Vulnerability Prioritization provides a solution to the silent pain experienced by security teams, reducing wasted time on false positives, accelerating patching, and mitigating breach risks.
To learn more, check out the Flashpoint Method for Threat-Informed Vulnerability Prioritization for an in-depth view into how Flashpoint helps organizations deliver an 85% reduction in vulnerability triage, including the strategy and prioritization criteria. Previously only available for customers, we showcase how curated intelligence, supported by weekly insights, can help security teams cut through the noise.