Vendor Intelligence
Security scorecards – CVE volume, patch rates, exploit exposure, and composite risk for 59 vendors
| # | Vendor | Risk Score | CVEs | Severity | KEV | PoC | Avg EPSS | Patch Rate | Trend |
|---|---|---|---|---|---|---|---|---|---|
| 1 | Suse | 10840 | 3941 |
278 CRITICAL
1466 HIGH
2195 MEDIUM
|
6 | 237 | 0.1% | 97% | +2082 |
| 2 | Microsoft | 8212 | 2040 |
174 CRITICAL
1236 HIGH
579 MEDIUM
44 LOW
|
16 | 91 | 0.2% | 89% | +1347 |
| 3 | Red Hat | 7260 | 3201 |
142 CRITICAL
1140 HIGH
1918 MEDIUM
|
4 | 135 | 0.1% | 96% | +1485 |
| 4 | 7004 | 2256 |
209 CRITICAL
1060 HIGH
885 MEDIUM
96 LOW
|
5 | 53 | 0.1% | 88% | +1638 | |
| 5 | WordPress | 6590 | 2603 |
164 CRITICAL
688 HIGH
1726 MEDIUM
22 LOW
|
0 | 272 | 0.1% | 6% | +956 |
| 6 | Linux | 5480 | 2623 |
131 CRITICAL
960 HIGH
1322 MEDIUM
14 LOW
|
1 | 35 | 0.0% | 95% | +814 |
| 7 | Oracle | 2496 | 531 |
148 CRITICAL
183 HIGH
172 MEDIUM
27 LOW
|
3 | 15 | 0.2% | 23% | +518 |
| 8 | Tenda | 2169 | 253 |
22 CRITICAL
195 HIGH
19 MEDIUM
17 LOW
|
0 | 143 | 0.2% | 0% | +92 |
| 9 | Apache | 2102 | 505 |
102 CRITICAL
204 HIGH
172 MEDIUM
20 LOW
|
1 | 27 | 0.2% | 78% | +415 |
| 10 | D-Link | 2046 | 222 |
31 CRITICAL
130 HIGH
18 MEDIUM
43 LOW
|
0 | 149 | 0.1% | 3% | +109 |
| 11 | Apple | 1570 | 664 |
38 CRITICAL
249 HIGH
350 MEDIUM
26 LOW
|
1 | 18 | 0.1% | 77% | +279 |
| 12 | Mozilla | 1486 | 295 |
95 CRITICAL
124 HIGH
74 MEDIUM
1 LOW
|
0 | 5 | 0.1% | 92% | +182 |
| 13 | Cisco | 1015 | 181 |
13 CRITICAL
65 HIGH
103 MEDIUM
|
10 | 13 | 0.2% | 8% | +75 |
| 14 | Nginx | 732 | 144 |
30 CRITICAL
74 HIGH
36 MEDIUM
3 LOW
|
0 | 17 | 0.2% | 75% | +128 |
| 15 | IBM | 648 | 350 |
36 CRITICAL
72 HIGH
225 MEDIUM
15 LOW
|
0 | 0 | 0.1% | 55% | +211 |
| 16 | Adobe | 607 | 239 |
20 CRITICAL
61 HIGH
153 MEDIUM
5 LOW
|
2 | 5 | 0.4% | 4% | +189 |
| 17 | Gitlab | 508 | 164 |
6 CRITICAL
44 HIGH
93 MEDIUM
21 LOW
|
0 | 34 | 0.1% | 68% | +103 |
| 18 | Canonical | 484 | 117 |
18 CRITICAL
52 HIGH
42 MEDIUM
5 LOW
|
0 | 12 | 0.1% | 92% | +92 |
| 19 | Ubiquiti | 462 | 44 |
18 CRITICAL
25 HIGH
1 MEDIUM
|
3 | 4 | 0.2% | 96% | +39 |
| 20 | Debian | 456 | 133 |
10 CRITICAL
77 HIGH
34 MEDIUM
4 LOW
|
0 | 6 | 0.1% | 100% | -237 |
| 21 | Nvidia | 450 | 122 |
9 CRITICAL
82 HIGH
31 MEDIUM
|
0 | 2 | 0.1% | 18% | +13 |
| 22 | Ivanti | 438 | 26 |
5 CRITICAL
15 HIGH
6 MEDIUM
|
5 | 6 | 6.5% | 4% | +5 |
| 23 | Dell | 402 | 177 |
6 CRITICAL
73 HIGH
90 MEDIUM
8 LOW
|
1 | 0 | 0.3% | 74% | +91 |
| 24 | Fortinet | 397 | 87 |
9 CRITICAL
23 HIGH
49 MEDIUM
6 LOW
|
3 | 5 | 0.1% | 0% | +40 |
| 25 | Hashicorp | 346 | 67 |
14 CRITICAL
27 HIGH
19 MEDIUM
4 LOW
|
1 | 6 | 0.1% | 76% | +49 |
| 26 | TP-Link | 204 | 64 |
49 HIGH
14 MEDIUM
|
0 | 1 | 0.1% | 58% | +53 |
| 27 | SAP | 183 | 94 |
12 CRITICAL
10 HIGH
64 MEDIUM
8 LOW
|
0 | 0 | 0.1% | 4% | +25 |
| 28 | Juniper | 174 | 54 |
5 CRITICAL
31 HIGH
18 MEDIUM
|
0 | 0 | 0.2% | 89% | +31 |
| 29 | Samsung | 167 | 97 |
5 CRITICAL
24 HIGH
66 MEDIUM
|
0 | 0 | 0.0% | 8% | +32 |
| 30 | Paloalto | 154 | 45 |
1 CRITICAL
7 HIGH
24 MEDIUM
9 LOW
|
2 | 2 | 0.5% | 91% | +31 |
| 31 | Amd | 146 | 83 |
1 CRITICAL
34 HIGH
43 MEDIUM
1 LOW
|
0 | 0 | 0.0% | 59% | +47 |
| 32 | TOTOLINK | 130 | 7 |
4 CRITICAL
2 HIGH
1 MEDIUM
|
0 | 7 | 1.0% | 0% | -21 |
| 33 | Citrix | 116 | 11 |
1 CRITICAL
8 HIGH
2 MEDIUM
|
1 | 3 | 0.3% | 82% | +7 |
| 34 | Atlassian | 114 | 22 |
5 CRITICAL
12 HIGH
5 MEDIUM
|
0 | 2 | 0.2% | 77% | +2 |
| 35 | VMware | 112 | 18 |
1 CRITICAL
10 HIGH
6 MEDIUM
1 LOW
|
1 | 0 | 0.4% | 28% | +8 |
| 36 | Intel | 99 | 56 |
2 CRITICAL
19 HIGH
34 MEDIUM
1 LOW
|
0 | 0 | 0.0% | 45% | -82 |
| 37 | Jenkins | 89 | 69 |
1 CRITICAL
17 HIGH
49 MEDIUM
2 LOW
|
0 | 1 | 0.1% | 45% | +54 |
| 38 | Elastic | 76 | 50 |
2 CRITICAL
11 HIGH
36 MEDIUM
1 LOW
|
0 | 1 | 0.1% | 42% | +41 |
| 39 | Zte | 65 | 11 |
4 HIGH
7 MEDIUM
|
0 | 3 | 0.0% | 0% | +7 |
| 40 | Wazuh | 64 | 16 |
4 CRITICAL
2 HIGH
10 MEDIUM
|
0 | 2 | 0.1% | 75% | +12 |
| 41 | Zyxel | 63 | 19 |
1 CRITICAL
7 HIGH
11 MEDIUM
|
0 | 0 | 0.2% | 0% | +17 |
| 42 | Broadcom | 63 | 7 |
3 HIGH
2 MEDIUM
|
1 | 0 | 1.1% | 71% | -8 |
| 43 | Mikrotik | 53 | 5 |
3 HIGH
2 MEDIUM
|
0 | 2 | 0.1% | 0% | +4 |
| 44 | Abb | 53 | 9 |
7 HIGH
2 MEDIUM
|
0 | 0 | 0.0% | 0% | +1 |
| 45 | HP | 52 | 16 |
2 CRITICAL
8 HIGH
5 MEDIUM
|
0 | 0 | 0.1% | 56% | – |
| 46 | Drupal | 44 | 20 |
5 HIGH
15 MEDIUM
|
0 | 3 | 0.0% | 85% | +4 |
| 47 | Lenovo | 44 | 20 |
9 HIGH
10 MEDIUM
|
0 | 1 | 0.0% | 85% | +3 |
| 48 | Synology | 38 | 29 |
1 CRITICAL
7 HIGH
18 MEDIUM
3 LOW
|
0 | 0 | 0.0% | 97% | +20 |
| 49 | Sonicwall | 37 | 7 |
3 HIGH
2 MEDIUM
2 LOW
|
0 | 0 | 0.1% | 0% | +6 |
| 50 | Qnap | 30 | 18 |
1 CRITICAL
5 HIGH
10 MEDIUM
2 LOW
|
0 | 0 | 0.2% | 56% | -46 |
| 51 | Netgear | 28 | 21 |
3 HIGH
18 MEDIUM
|
0 | 2 | 0.1% | 71% | +8 |
| 52 | Nokia | 27 | 9 |
4 HIGH
5 MEDIUM
|
0 | 1 | 0.2% | 44% | +9 |
| 53 | Ericsson | 24 | 8 |
6 HIGH
2 MEDIUM
|
0 | 0 | 0.0% | 100% | +2 |
| 54 | Qualcomm | 18 | 6 |
1 CRITICAL
2 HIGH
2 MEDIUM
|
0 | 0 | 0.1% | 100% | -1 |
| 55 | Huawei | 12 | 3 |
1 HIGH
2 MEDIUM
|
0 | 1 | 0.1% | 67% | – |
| 56 | Mediatek | 12 | 7 |
3 HIGH
4 MEDIUM
|
0 | 0 | 0.0% | 86% | -7 |
| 57 | Dahua | 4 | 4 |
1 HIGH
1 MEDIUM
2 LOW
|
0 | 0 | 0.0% | 0% | +2 |
| 58 | Fortigate | 4 | 3 |
1 HIGH
1 MEDIUM
1 LOW
|
0 | 0 | 0.0% | 0% | +3 |
| 59 | Siemens | 0 | 3 |
1 MEDIUM
2 LOW
|
0 | 0 | 0.0% | 67% | +2 |
How to read this table
Risk Score – composite metric: KEV ×50, Critical ×10, High ×4, PoC ×8, EPSS weight, patch rate penalty. Higher = riskier vendor.
Severity – bar + counts: C=Critical, H=High, M=Medium, L=Low.
KEV – CISA Known Exploited Vulnerabilities – confirmed actively exploited in the wild.
PoC – CVEs with public Proof of Concept exploit code available.
Avg EPSS – average Exploit Prediction Scoring System probability across vendor CVEs.
Patch Rate – % of CVEs where vendor has released a patch. Green ≥80%, Yellow ≥50%, Red <50%.
Trend – CVE count change vs previous period of same length. +N = more new CVEs, −N = fewer.