Vendor Intelligence
Security scorecards – CVE volume, patch rates, exploit exposure, and composite risk for 37 vendors
| # | Vendor | Risk Score | CVEs | Severity | KEV | PoC | Avg EPSS | Patch Rate | Trend |
|---|---|---|---|---|---|---|---|---|---|
| 1 | | 816 | 211 | 13 CRITICAL, 86 HIGH, 53 MEDIUM, 19 LOW | 3 | 24 | 0.0% | 76% | +36 |
| 2 | WordPress | 704 | 459 | 18 CRITICAL, 89 HIGH, 260 MEDIUM, 2 LOW | 0 | 18 | 0.0% | 3% | -18 |
| 3 | Tenda | 686 | 70 | 1 CRITICAL, 55 HIGH, 14 MEDIUM | 0 | 54 | 0.2% | 1% | +53 |
| 4 | D-Link | 582 | 79 | 3 CRITICAL, 60 HIGH, 16 MEDIUM | 0 | 36 | 0.1% | 1% | +18 |
| 5 | Microsoft | 562 | 169 | 24 CRITICAL, 76 HIGH, 60 MEDIUM, 6 LOW | 0 | 2 | 0.1% | 47% | +72 |
| 6 | Redhat | 462 | 151 | 7 CRITICAL, 88 HIGH, 53 MEDIUM, 1 LOW | 0 | 5 | 0.0% | 89% | -305 |
| 7 | Mozilla | 388 | 59 | 26 CRITICAL, 30 HIGH, 3 MEDIUM | 0 | 1 | 0.0% | 86% | +42 |
| 8 | Debian | 366 | 252 | 5 CRITICAL, 73 HIGH, 23 MEDIUM, 4 LOW | 0 | 3 | 0.1% | 100% | +246 |
| 9 | Suse | 364 | 230 | 6 CRITICAL, 60 HIGH, 45 MEDIUM, 1 LOW | 0 | 8 | 0.0% | 98% | -275 |
| 10 | Apple | 308 | 152 | 12 CRITICAL, 43 HIGH, 90 MEDIUM, 5 LOW | 0 | 0 | 0.1% | 18% | +58 |
| 11 | Apache | 174 | 55 | 5 CRITICAL, 27 HIGH, 22 MEDIUM, 1 LOW | 0 | 2 | 0.1% | 74% | +23 |
| 12 | Linux | 164 | 249 | 39 HIGH, 2 MEDIUM | 0 | 1 | 0.0% | 67% | +38 |
| 13 | TOTOLINK | 146 | 10 | 10 HIGH | 0 | 10 | 0.8% | 0% | +6 |
| 14 | Nginx | 138 | 31 | 7 CRITICAL, 17 HIGH, 6 MEDIUM, 1 LOW | 0 | 0 | 0.1% | 61% | +25 |
| 15 | Gitlab | 124 | 23 | 7 HIGH, 14 MEDIUM, 2 LOW | 0 | 10 | 0.0% | 17% | -1 |
| 16 | Juniper | 117 | 27 | 2 CRITICAL, 18 HIGH, 7 MEDIUM | 0 | 0 | 0.0% | 0% | +26 |
| 17 | Canonical | 116 | 23 | 6 CRITICAL, 12 HIGH, 5 MEDIUM | 0 | 1 | 0.0% | 96% | +22 |
| 18 | Nvidia | 111 | 26 | 1 CRITICAL, 20 HIGH, 5 MEDIUM | 0 | 0 | 0.1% | 8% | +26 |
| 19 | Samsung | 107 | 14 | 5 CRITICAL, 8 HIGH, 1 MEDIUM | 0 | 0 | 0.0% | 0% | +6 |
| 20 | Cisco | 85 | 29 | 2 CRITICAL, 8 HIGH, 19 MEDIUM | 0 | 1 | 0.1% | 0% | -41 |
| 21 | Oracle | 70 | 16 | 3 CRITICAL, 6 HIGH, 7 MEDIUM | 0 | 2 | 0.0% | 69% | +15 |
| 22 | TP-Link | 60 | 18 | 15 HIGH, 2 MEDIUM | 0 | 0 | 0.1% | 94% | +15 |
| 23 | IBM | 54 | 73 | 1 CRITICAL, 11 HIGH, 55 MEDIUM, 6 LOW | 0 | 0 | 0.0% | 99% | +19 |
| 24 | Wazuh | 53 | 5 | 2 CRITICAL, 3 MEDIUM | 0 | 1 | 0.1% | 0% | +5 |
| 25 | Hashicorp | 48 | 8 | 1 CRITICAL, 6 HIGH, 1 MEDIUM | 0 | 1 | 0.0% | 38% | +8 |
| 26 | Dell | 37 | 12 | 5 HIGH, 5 MEDIUM, 1 LOW | 0 | 0 | 0.0% | 17% | -8 |
| 27 | Elastic | 36 | 12 | 4 HIGH, 8 MEDIUM | 0 | 1 | 0.0% | 25% | +11 |
| 28 | Sonicwall | 25 | 7 | 1 MEDIUM, 2 LOW | 0 | 0 | 0.1% | 0% | +7 |
| 29 | Ubiquiti | 18 | 3 | 1 CRITICAL, 2 HIGH | 0 | 0 | 0.0% | 0% | +3 |
| 30 | Atlassian | 12 | 3 | 3 HIGH | 0 | 0 | 0.2% | 33% | +1 |
| 31 | Jenkins | 12 | 5 | 3 HIGH, 2 MEDIUM | 0 | 0 | 0.0% | 100% | +3 |
| 32 | Amd | 12 | 3 | 3 HIGH | 0 | 0 | 0.0% | 33% | – |
| 33 | Nokia | 8 | 3 | 2 HIGH, 1 MEDIUM | 0 | 0 | 0.1% | 0% | +3 |
| 34 | Intel | 8 | 4 | 2 HIGH, 2 MEDIUM | 0 | 0 | 0.0% | 25% | +3 |
| 35 | Ericsson | 8 | 3 | 2 HIGH, 1 MEDIUM | 0 | 0 | 0.0% | 0% | +3 |
| 36 | Synology | 4 | 3 | 1 HIGH, 2 MEDIUM | 0 | 0 | 0.0% | 100% | +2 |
| 37 | Mediatek | 0 | 4 | | 0 | 0 | 0.0% | 100% | +4 |
How to read this table
Risk Score – composite metric: KEV ×50, Critical ×10, High ×4, PoC ×8, EPSS weight, patch rate penalty. Higher = riskier vendor.
Severity – bar + counts: C=Critical, H=High, M=Medium, L=Low.
KEV – CISA Known Exploited Vulnerabilities – confirmed actively exploited in the wild.
PoC – CVEs with public Proof of Concept exploit code available.
Avg EPSS – average Exploit Prediction Scoring System probability across vendor CVEs.
Patch Rate – % of CVEs where vendor has released a patch. Green ≥80%, Yellow ≥50%, Red <50%.
Trend – CVE count change vs previous period of same length. +N = more new CVEs, −N = fewer.