SMBs Remediate 89% of Critical Issues within 30 days—Outpacing Larger Enterprises, but Remain Vulnerable to Long-Known Flaws
LONDON — Intruder, a leader in exposure management, today announced the release of its 2025 Exposure Management Index, tracking the most critical vulnerabilities facing small and midsize businesses (SMBs) and how those organizations’ responses are evolving over time. The Index equips SMBs with security insights that have historically been gated behind massive enterprise budgets and external consultants.
“For small and mid cap organizations, cybersecurity is a structural challenge – they face the same vulnerability landscape as large enterprises but with fewer resources, smaller budgets, and leaner teams,” said Chris Wallis, CEO of Intruder. “As a result, cyberattacks can be much more devastating to SMBs and can cause an entire organization to lose its livelihood. Intruder is releasing this report to provide effective and actionable knowledge, because cybersecurity shouldn’t be a luxury reserved for those with the deepest pockets.”
The most crucial takeaway from the Index is how SMBs in 2025 continue to contend with long-known cybersecurity threats and attack surface weaknesses due to the rise of AI. While the zero-day ToolShell grabbed a top spot, many SMBs remain threatened by vulnerabilities disclosed one, two, or even three years ago but left unpatched in their environments. AI-assisted coding is lowering the technical barrier for hackers and writing new exploits for older CVEs has become easier and faster. This accelerates the pace of attacks and makes it more “cost-effective” to go after those vulnerabilities.
Additional findings include:
- Critical issues are being fixed faster: high-profile incidents in 2025 keep making the cost of delay harder for organizations to ignore. 89% of critical vulnerabilities identified have been remediated within 30 days, a 14% improvement from 2024 remediation levels.
- Size matters: larger organizations (51-2,000 employees) take an average of 17 days to resolve critical vulnerabilities due to complex and time consuming processes for ticketing, approvals, and testing that delay the release of fixes, even when vulnerabilities are well understood. Smaller organizations can act with agility, resolving issues without red tape in an average of 14 days.
- Software and financial sectors remediate fastest: Software organizations remediate critical vulnerabilities faster than any other sector, averaging 13 days, likely due to modern infrastructures and compliance pressures from enterprise buyers. Financial service organizations are the next fastest, with critical issues resolved in an average of 22 days likely due to sector realities: stringent regulation and comparatively large security budgets.
SMBs are Increasingly at Risk
2025 has shown how exposure emerges from multiple fronts. Vibe coding has created new risks as some teams rush AI-generated code into production without sufficient review for gaps or errors. Rapid cloud adoption delivers agility but also introduces new attack vectors. Shadow IT continues to expose sensitive data and expand attack surfaces without sufficient oversight. And SMB vendors, often part of critical supply chains, remain attractive entry points for attackers seeking leverage over larger organizations – as seen in the September 2025 UK and European air travel disruptions at Heathrow and the cyberattack that brought Jaguar Land Rover’s production lines to a standstill.
In 2024, Intruder customers saw an average of 474 critical and high vulnerabilities. This year, organizations are pacing for a similar number of criticals at 198, but the average number of high severity vulnerabilities is forecasted to rise from 281 to 334. Faced with this expanding attack surface, stretched IT teams may struggle to prioritize those that pose the biggest risk.
The Top Five Vulnerabilities in 2025
Thousands of CVEs are published each year, but only a fraction become the focus of widespread exploitation or present serious, real-world impact. Intruder’s security team identified the current, most dangerous vulnerabilities based on their prevalence across SMB environments, likelihood of exploitation and chance of real-world impact.
- Apache Tomcat RCE (CVE-2025-24813): The single most commonly occurring critical CVE across customer estates, a classic example of an impactful, widely distributed application vulnerability.
- ToolShell (CVE-2025-53770): ToolShell stood out because exploitation required little sophistication and there was a gap between disclosure and patch availability that attackers quickly took advantage of. Failing to patch within a few days meant many organizations were already in a post-exploitation scenario.
- Palo Alto Auth Bypass (CVE-2025-0108): This vulnerability highlights a recurring theme—when authentication controls on management interfaces fail, attackers gain an immediate foothold in security-critical devices. Previous patches proved insufficient, and attackers found new ways to abuse how different technologies process requests.
- Apache mod_rewrite RCE (CVE-2024-38475): Despite being disclosed in 2024 – and the most commonly observed CVE of last year – it’s still relevant as widely deployed web server modules remain attractive targets and attackers quickly adopt application-layer bugs into their toolkits.
- Fortinet Perimeter Vulnerabilities (CVE-2024-55591 & CVE-2025-32756): Fortinet has seen critical vulnerabilities across its product lines, underscoring why edge appliances are prime targets: they are internet-facing, widely deployed, and hold the keys to network access. For most enterprises, rapidly changing hardware vendors isn’t realistic, so fast-patching and compensating controls are the only viable defenses.
About the 2025 Exposure Management Index
To build this report, Intruder analyzed the attack surfaces and infrastructures across thousands of customers and compiled the insights into a comprehensive package, tracking how small and midsize companies (1-2000 employees) are exposed to security vulnerabilities, how and why their responses vary, and what can be learned from those patterns. The full 2025 Exposure Management Index report is available here for download.
About Intruder
Intruder’s exposure management platform helps lean security teams stop breaches before they start by proactively discovering attack surface weaknesses. By unifying attack surface management, cloud security and continuous vulnerability management in one intuitive platform, Intruder makes it easy to stay secure by cutting through the noise and complexity. Founded in 2015 by Chris Wallis, a former ethical hacker turned corporate blue teamer, Intruder is now protecting over 3,000 companies worldwide. Learn more at https://intruder.io.
Q&A: Intruder’s 2025 Exposure Management Index Explained
Q: What is the purpose of this report?
For smaller organizations, cybersecurity is a structural challenge – they face the same vulnerability landscape as enterprises but with fewer resources, smaller budgets, and leaner teams. Intruder decided to release this report to provide effective and actionable knowledge, because cybersecurity shouldn’t be a luxury reserved for those with the deepest pockets.
Q: What are the key findings?
The most crucial takeaway from the Index is how most of the largest cybersecurity threats to SMBs in 2025 have been focused on long-known weaknesses. While the zero-day ToolShell grabbed a top spot, most SMBs are still threatened by vulnerabilities disclosed one, two, or even three years ago but left unpatched in many environments. The reason is the pace of attacks: writing new exploits for older CVEs has become easier and faster, with AI-assisted coding lowering the technical barrier for hackers.
Q: What are the top vulnerabilities in 2025 that SMBs should be aware of?
Thousands of CVEs are published each year, but only a fraction become the focus of widespread exploitation or present serious, real-world impact. Intruder’s security team identified the current, most dangerous vulnerabilities based on prevalence across SMB environments, likelihood of exploitation and chance of real-world impact: Apache Tomcat RCE (CVE-2025-24813), ToolShell (CVE-2025-53770), Palo Alto Auth Bypass (CVE-2025-0108), Apache mod_rewrite RCE (CVE-2024-38475) and Fortinet Perimeter Vulnerabilities (CVE-2024-55591 & CVE-2025-32756).
Q: Where can I learn more?
The full 2025 Exposure Management Index report is available here for download.
