From Virginia to California, state and local cybersecurity experts have identified quickly patching vulnerabilities as a top cybersecurity priority.
However, new data from SonicWall suggests that patching isn’t enough. In its 2025 Threat Brief, SonicWall notes a 110% increase in attacks targeting Microsoft vulnerabilities, amounting to more than 6.9 million threats blocked by SonicWall firewalls.
Crucially, the most commonly patched vulnerabilities weren’t always the most exploited. Remote code execution flaws made up 40% of vulnerabilities but only accounted for 19% of exploits. By contrast, elevation of privilege (EoP) bugs — which can be less visible but are often more dangerous — were the most exploited, accounting for 38% of real-world attacks.
“With over 1,000 vulnerabilities patched and millions of associated threats blocked, one thing is clear: Patching alone isn’t enough,” says Douglas McKee, executive director of threat research at SonicWall. “Attackers are moving faster than ever to exploit the paths that provide the most rewards and least resistance.”
Click the banner below for deeper insight into modern cyber resilience.
The Most Common Vulnerabilities Aren’t the Most Exploited
The clearest takeaway from SonicWall’s data is that patching the most common types of vulnerabilities simply isn’t as effective as it used to be. The report indicates that, in the wild, hackers flock to what works.
For example, EoP bugs accounted for only 29% of known vulnerabilities but 38% of real-world attacks, making them the most exploited type of vulnerability.
Security feature bypass methods accounted for just 8% of known vulnerabilities but represented 29% of exploits.
Image courtesy of SonicWall
These figures are a reminder that volume alone cannot guide patching priorities. Instead, state and local agencies should also be guided by how attackers behave in the real world.
Vulnerability Severity Isn’t Always What It Seems
By volume, remote code execution vulnerabilities were the most common. They also accounted for 77% of the most critical vulnerabilities. But being the most common and most critical category of vulnerability didn’t make them most likely to be exploited.
For example, security feature bypass flaws were less common and less critical in severity than remote code execution vulnerabilities. However, SonicWall’s data revealed that they were frequently used to help attackers escalate access or disable security tools, and these actions can turn a moderate vulnerability into an exploit with critical consequences.
SonicWall also noted that Microsoft labeled 123 vulnerabilities as “Exploitation More Likely” in 2024, which is an important indicator for cyberdefense. However, only 10 of them made it onto the Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities Catalog. Two of those 10 had been labeled “Exploitation Less Likely,” demonstrating that even the best predictions can be undone by real-world cybercriminal behavior.
Image courtesy of SonicWall
Layered, Proactive Defenses Have Become Mandatory
Microsoft’s 2024 vulnerability landscape reflected the variety and volatility of cyberthreats over sheer volume. Patching is and always will be important, but figuring out how to prioritize patches is becoming more complicated.
“Organizations need a smarter, faster approach, one that blends real-time detection and response with layered defenses across every attack surface,” McKee says. He flagged the following as priorities:
- Identifying sophisticated privilege escalation attempts
- Neutralizing malware hidden in Office documents
- Blocking exploits before they ever reach users
- Having integrated protections across endpoints, email accounts and networks
“Organizations that invest in coordinated, intelligence-driven security aren’t just keeping pace with threats, they’re staying ahead of them,” he says. “That can often be the difference.”