11 Million Critical Vulnerabilities Exposed — Act Now
New research reveals 11 million critical vulnerabilities are exposed to the public internet.
While security vulnerabilities are an integral part of the world of technology, some are more critical than others. The Cybersecurity and Infrastructure Defense Agency, part of the U.S. Department of Homeland Security, has warned time and time again about the dangers of vulnerabilities to organizations. Yet that message does not appear to be getting through if the staggering numbers revealed in a new technology sector risk report are anything to go by: more than 11 million critical vulnerabilities in tech sector environments are currently exposed to the public internet.
11.4 Million Critical Vulnerabilities Are Currently Exposed To The Public Internet
Two recent warnings from the Federal Bureau of Investigation should be burned into the psyche of anyone and everyone who has any influence when it comes to the security of technology environments. The first, from earlier in June this year, involved a skyrocketing number of victims of the Play ransomware group. The primary infection vector was reported as being unpatched critical vulnerabilities: CVE-2025-29824, iCVE-2022-41040, CVE-2022-41082, CVE-2020-12812 and CVE-2018-13379 if you want to go and check that your organization isn’t open to these specific attacks. The second, a joint advisory with CISA, warning that unsophisticated hackers are a real danger, including those exploiting vulnerabilities that should already have been patched but have not. The 2025 Risk Radar Report from Trust SpiderLabs has now confirmed the real extent of this danger to the technology sector.
The researchers revealed that a total of more than 11.4 million critical vulnerabilities are exposed to the public internet within the technology sector. That’s a staggering and truly frightening number. “Services are often publicly exposed for a good reason,” Trust SpiderLabs said, “that is to allow the public to visit your website, and to receive email from people outside your organization.” However, oftentimes services are exposed by mistake, usually as a result of a configuration error. Combine this with the number of critical vulnerabilities that have yet to be patched by the organizations concerned, and Houston, we have a problem.
The report analyzed those vulnerabilities within the CISA Known Exploited Vulnerabilities catalog for 2024 and 2025, and discovered that nine of the top ten were web server vulnerabilities that coincided with the top exposed service in the tech industry. The single KEV vulnerability that was not web-based is BlueKeep, a critical vulnerability in the Remote Desktop Protocol, commonly used by hackers for lateral movement within networks. “With that service exposed to the public internet,” the report stated, “it could be used to establish an initial foothold.”
If it’s not yet clear, here’s what you should do: take an inventory of all currently open services running outside the network perimeter and conduct an immediate access audit. “It’s also essential to prioritize patching for any publicly exposed systems,” Trustwave SpiderLabs said, in order to mitigate the risk from unpatched critical vulnerabilities.