Vendor Intelligence
Security scorecards – CVE volume, patch rates, exploit exposure, and composite risk for 57 vendors
| # | Vendor | Risk Score | CVEs | Severity | KEV | PoC | Avg EPSS | Patch Rate | Trend |
|---|---|---|---|---|---|---|---|---|---|
| 1 | Suse | 6758 | 1657 |
159 CRITICAL
588 HIGH
791 MEDIUM
1 LOW
|
4 | 327 | 0.1% | 96% | -926 |
| 2 | Redhat | 5846 | 1444 |
130 CRITICAL
588 HIGH
723 MEDIUM
1 LOW
|
5 | 243 | 0.1% | 94% | -915 |
| 3 | WordPress | 3528 | 2487 |
136 CRITICAL
474 HIGH
1593 MEDIUM
14 LOW
|
0 | 31 | 0.2% | 2% | +808 |
| 4 | Microsoft | 2742 | 616 |
55 CRITICAL
357 HIGH
182 MEDIUM
17 LOW
|
10 | 31 | 0.4% | 18% | -217 |
| 5 | 2442 | 676 |
40 CRITICAL
319 HIGH
238 MEDIUM
24 LOW
|
7 | 52 | 0.1% | 54% | +194 | |
| 6 | D-Link | 2135 | 225 |
30 CRITICAL
133 HIGH
55 MEDIUM
6 LOW
|
0 | 160 | 0.1% | 4% | +69 |
| 7 | Tenda | 1449 | 144 |
8 CRITICAL
114 HIGH
22 MEDIUM
|
0 | 111 | 0.2% | 1% | -84 |
| 8 | Linux | 1230 | 1173 |
23 CRITICAL
190 HIGH
310 MEDIUM
8 LOW
|
0 | 30 | 0.0% | 66% | -577 |
| 9 | Apple | 1129 | 447 |
26 CRITICAL
123 HIGH
259 MEDIUM
37 LOW
|
4 | 20 | 0.0% | 16% | +99 |
| 10 | Debian | 738 | 437 |
7 CRITICAL
111 HIGH
84 MEDIUM
9 LOW
|
0 | 28 | 0.1% | 98% | -523 |
| 11 | Mozilla | 666 | 99 |
47 CRITICAL
43 HIGH
8 MEDIUM
1 LOW
|
0 | 3 | 0.0% | 90% | +16 |
| 12 | Apache | 542 | 154 |
17 CRITICAL
75 HIGH
53 MEDIUM
6 LOW
|
0 | 9 | 0.4% | 69% | +47 |
| 13 | Cisco | 427 | 132 |
8 CRITICAL
33 HIGH
91 MEDIUM
|
3 | 5 | 0.1% | 0% | -20 |
| 14 | Fortinet | 392 | 57 |
6 CRITICAL
20 HIGH
26 MEDIUM
5 LOW
|
4 | 3 | 2.5% | 0% | +18 |
| 15 | TOTOLINK | 368 | 30 |
5 CRITICAL
15 HIGH
10 MEDIUM
|
0 | 29 | 1.4% | 0% | -192 |
| 16 | Dell | 255 | 73 |
4 CRITICAL
36 HIGH
25 MEDIUM
4 LOW
|
1 | 0 | 0.5% | 10% | -21 |
| 17 | Gitlab | 251 | 96 |
1 CRITICAL
31 HIGH
48 MEDIUM
15 LOW
|
0 | 12 | 0.0% | 8% | +21 |
| 18 | Ivanti | 233 | 6 |
2 CRITICAL
3 HIGH
1 MEDIUM
|
3 | 1 | 26.6% | 17% | -36 |
| 19 | Nginx | 222 | 52 |
9 CRITICAL
27 HIGH
11 MEDIUM
3 LOW
|
0 | 3 | 0.2% | 62% | +32 |
| 20 | Samsung | 222 | 73 |
7 CRITICAL
32 HIGH
31 MEDIUM
1 LOW
|
0 | 0 | 0.0% | 3% | +11 |
| 21 | Oracle | 198 | 87 |
5 CRITICAL
29 HIGH
49 MEDIUM
4 LOW
|
0 | 3 | 0.0% | 34% | +74 |
| 22 | IBM | 196 | 243 |
5 CRITICAL
35 HIGH
185 MEDIUM
16 LOW
|
0 | 0 | 0.0% | 39% | +28 |
| 23 | TP-Link | 185 | 56 |
46 HIGH
9 MEDIUM
|
0 | 0 | 0.1% | 48% | -9 |
| 24 | Juniper | 177 | 52 |
4 CRITICAL
28 HIGH
20 MEDIUM
|
0 | 0 | 0.0% | 0% | +28 |
| 25 | Nvidia | 171 | 53 |
2 CRITICAL
32 HIGH
16 MEDIUM
3 LOW
|
0 | 0 | 0.0% | 4% | -37 |
| 26 | Sap | 146 | 73 |
8 CRITICAL
11 HIGH
49 MEDIUM
5 LOW
|
0 | 0 | 0.1% | 6% | -15 |
| 27 | Adobe | 145 | 82 |
1 CRITICAL
22 HIGH
58 MEDIUM
1 LOW
|
0 | 3 | 0.0% | 4% | -233 |
| 28 | Broadcom | 132 | 20 |
2 CRITICAL
11 HIGH
5 MEDIUM
|
1 | 0 | 0.4% | 15% | +16 |
| 29 | Linksys | 122 | 9 |
6 HIGH
3 MEDIUM
|
0 | 9 | 1.1% | 0% | -46 |
| 30 | Canonical | 120 | 27 |
6 CRITICAL
13 HIGH
5 MEDIUM
|
0 | 1 | 0.0% | 93% | +11 |
| 31 | Fortigate | 93 | 8 |
1 CRITICAL
2 HIGH
4 MEDIUM
1 LOW
|
1 | 0 | 0.4% | 0% | +7 |
| 32 | Intel | 76 | 74 |
14 HIGH
48 MEDIUM
7 LOW
|
0 | 0 | 0.0% | 11% | -76 |
| 33 | Citrix | 73 | 3 |
1 CRITICAL
1 HIGH
1 MEDIUM
|
1 | 1 | 0.8% | 0% | -7 |
| 34 | Qnap | 69 | 33 |
2 CRITICAL
6 HIGH
25 MEDIUM
|
0 | 0 | 0.1% | 0% | -17 |
| 35 | Wazuh | 69 | 8 |
2 CRITICAL
1 HIGH
4 MEDIUM
1 LOW
|
0 | 4 | 0.1% | 25% | +6 |
| 36 | Drupal | 64 | 29 |
6 HIGH
21 MEDIUM
2 LOW
|
0 | 5 | 0.1% | 83% | -23 |
| 37 | Elastic | 60 | 18 |
1 CRITICAL
7 HIGH
10 MEDIUM
|
0 | 1 | 0.1% | 22% | +8 |
| 38 | VMware | 59 | 9 |
2 HIGH
4 MEDIUM
1 LOW
|
1 | 0 | 0.9% | 56% | -17 |
| 39 | Netgear | 54 | 13 |
9 HIGH
3 MEDIUM
1 LOW
|
0 | 2 | 0.1% | 46% | -25 |
| 40 | Zyxel | 51 | 10 |
1 CRITICAL
4 HIGH
5 MEDIUM
|
0 | 0 | 0.2% | 0% | +7 |
| 41 | Hashicorp | 51 | 10 |
1 CRITICAL
7 HIGH
2 MEDIUM
|
0 | 1 | 0.0% | 40% | -7 |
| 42 | Joomla | 43 | 6 |
1 CRITICAL
2 HIGH
2 MEDIUM
|
0 | 0 | 0.0% | 0% | -35 |
| 43 | Abb | 43 | 5 |
1 CRITICAL
2 HIGH
2 MEDIUM
|
0 | 0 | 0.0% | 0% | -5 |
| 44 | Synology | 43 | 12 |
1 CRITICAL
5 HIGH
6 MEDIUM
|
0 | 0 | 0.1% | 25% | +6 |
| 45 | Amd | 41 | 16 |
8 HIGH
6 MEDIUM
|
0 | 0 | 0.0% | 31% | -25 |
| 46 | Jenkins | 40 | 15 |
10 HIGH
5 MEDIUM
|
0 | 0 | 0.0% | 100% | -31 |
| 47 | Sonicwall | 35 | 8 |
1 CRITICAL
1 MEDIUM
2 LOW
|
0 | 0 | 0.1% | 0% | +8 |
| 48 | Atlassian | 34 | 8 |
1 CRITICAL
6 HIGH
1 MEDIUM
|
0 | 0 | 0.2% | 50% | -12 |
| 49 | Lenovo | 32 | 10 |
3 HIGH
7 MEDIUM
|
0 | 0 | 0.0% | 10% | -2 |
| 50 | Paloalto | 29 | 10 |
1 HIGH
2 MEDIUM
3 LOW
|
0 | 0 | 0.0% | 0% | -17 |
| 51 | Hp | 18 | 8 |
3 HIGH
5 MEDIUM
|
0 | 0 | 0.0% | 38% | -12 |
| 52 | Ubiquiti | 18 | 3 |
1 CRITICAL
2 HIGH
|
0 | 0 | 0.0% | 0% | -4 |
| 53 | Hikvision | 12 | 3 |
3 HIGH
|
0 | 0 | 0.0% | 0% | -1 |
| 54 | Nokia | 8 | 3 |
2 HIGH
1 MEDIUM
|
0 | 0 | 0.1% | 0% | +3 |
| 55 | Ericsson | 8 | 3 |
2 HIGH
1 MEDIUM
|
0 | 0 | 0.0% | 0% | -5 |
| 56 | Mediatek | 4 | 5 |
1 HIGH
|
0 | 0 | 0.0% | 100% | -6 |
| 57 | Qualcomm | 0 | 3 |
1 MEDIUM
|
0 | 0 | 0.0% | 33% | -3 |
How to read this table
Risk Score – composite metric: KEV ×50, Critical ×10, High ×4, PoC ×8, EPSS weight, patch rate penalty. Higher = riskier vendor.
Severity – bar + counts: C=Critical, H=High, M=Medium, L=Low.
KEV – CISA Known Exploited Vulnerabilities – confirmed actively exploited in the wild.
PoC – CVEs with public Proof of Concept exploit code available.
Avg EPSS – average Exploit Prediction Scoring System probability across vendor CVEs.
Patch Rate – % of CVEs where vendor has released a patch. Green ≥80%, Yellow ≥50%, Red <50%.
Trend – CVE count change vs previous period of same length. +N = more new CVEs, −N = fewer.