Vendor Intelligence
Security scorecards – CVE volume, patch rates, exploit exposure, and composite risk for 64 vendors
| # | Vendor | Risk Score | CVEs | Severity | KEV | PoC | Avg EPSS | Patch Rate | Trend |
|---|---|---|---|---|---|---|---|---|---|
| 1 | Suse | 15678 | 5803 |
352 CRITICAL
2041 HIGH
3408 MEDIUM
|
9 | 443 | 0.1% | 98% | +2253 |
| 2 | Red Hat | 11512 | 4920 |
189 CRITICAL
1675 HIGH
3055 MEDIUM
|
9 | 309 | 0.1% | 97% | +1627 |
| 3 | Microsoft | 11222 | 2735 |
227 CRITICAL
1630 HIGH
799 MEDIUM
71 LOW
|
24 | 154 | 0.4% | 73% | +1001 |
| 4 | WordPress | 9463 | 4273 |
288 CRITICAL
994 HIGH
2947 MEDIUM
37 LOW
|
0 | 323 | 0.2% | 5% | -471 |
| 5 | 9040 | 2880 |
236 CRITICAL
1321 HIGH
1154 MEDIUM
151 LOW
|
10 | 112 | 0.1% | 78% | +2057 | |
| 6 | Linux | 7358 | 4433 |
138 CRITICAL
1372 HIGH
2325 MEDIUM
20 LOW
|
1 | 55 | 0.0% | 94% | -15 |
| 7 | Tenda | 3717 | 414 |
28 CRITICAL
303 HIGH
52 MEDIUM
31 LOW
|
0 | 275 | 0.3% | 0% | +46 |
| 8 | D-Link | 3087 | 336 |
43 CRITICAL
166 HIGH
48 MEDIUM
79 LOW
|
0 | 246 | 1.0% | 2% | +16 |
| 9 | Apple | 2924 | 1051 |
65 CRITICAL
354 HIGH
569 MEDIUM
62 LOW
|
9 | 51 | 0.1% | 54% | +84 |
| 10 | Oracle | 2523 | 544 |
148 CRITICAL
188 HIGH
179 MEDIUM
28 LOW
|
3 | 16 | 0.2% | 24% | +232 |
| 11 | Apache | 2490 | 595 |
110 CRITICAL
249 HIGH
206 MEDIUM
22 LOW
|
1 | 43 | 0.3% | 76% | +357 |
| 12 | Mozilla | 2038 | 408 |
129 CRITICAL
173 HIGH
103 MEDIUM
2 LOW
|
0 | 7 | 0.1% | 92% | +220 |
| 13 | Cisco | 1341 | 288 |
18 CRITICAL
92 HIGH
178 MEDIUM
|
13 | 15 | 0.4% | 5% | -19 |
| 14 | Debian | 1212 | 503 |
16 CRITICAL
165 HIGH
224 MEDIUM
11 LOW
|
0 | 49 | 0.1% | 98% | -200 |
| 15 | Adobe | 855 | 289 |
22 CRITICAL
81 HIGH
178 MEDIUM
8 LOW
|
4 | 11 | 0.7% | 6% | -264 |
| 16 | Nginx | 818 | 160 |
33 CRITICAL
78 HIGH
45 MEDIUM
3 LOW
|
0 | 22 | 0.2% | 73% | +120 |
| 17 | IBM | 814 | 489 |
41 CRITICAL
100 HIGH
319 MEDIUM
25 LOW
|
0 | 0 | 0.1% | 42% | -42 |
| 18 | Nvidia | 738 | 231 |
14 CRITICAL
141 HIGH
60 MEDIUM
16 LOW
|
0 | 2 | 0.1% | 14% | +150 |
| 19 | Fortinet | 709 | 134 |
15 CRITICAL
38 HIGH
72 MEDIUM
9 LOW
|
6 | 10 | 1.8% | 0% | -8 |
| 20 | Linksys | 685 | 62 |
1 CRITICAL
44 HIGH
5 MEDIUM
12 LOW
|
0 | 59 | 1.9% | 0% | +26 |
| 21 | Dell | 654 | 263 |
12 CRITICAL
115 HIGH
121 MEDIUM
12 LOW
|
1 | 3 | 0.5% | 54% | +26 |
| 22 | Gitlab | 586 | 225 |
7 CRITICAL
59 HIGH
125 MEDIUM
33 LOW
|
0 | 35 | 0.1% | 52% | +46 |
| 23 | Canonical | 514 | 142 |
19 CRITICAL
55 HIGH
60 MEDIUM
5 LOW
|
0 | 13 | 0.1% | 92% | +92 |
| 24 | Ubiquiti | 496 | 49 |
21 CRITICAL
26 HIGH
2 MEDIUM
|
3 | 4 | 0.2% | 86% | +34 |
| 25 | Ivanti | 484 | 47 |
5 CRITICAL
27 HIGH
15 MEDIUM
|
5 | 6 | 4.3% | 2% | -127 |
| 26 | TOTOLINK | 442 | 35 |
11 CRITICAL
16 HIGH
8 MEDIUM
|
0 | 30 | 3.0% | 0% | -175 |
| 27 | Hashicorp | 408 | 85 |
15 CRITICAL
32 HIGH
27 MEDIUM
8 LOW
|
1 | 10 | 0.1% | 76% | +46 |
| 28 | SAP | 317 | 163 |
22 CRITICAL
19 HIGH
107 MEDIUM
15 LOW
|
0 | 0 | 0.1% | 8% | +6 |
| 29 | TP-Link | 290 | 76 |
58 HIGH
17 MEDIUM
|
1 | 1 | 0.4% | 50% | -21 |
| 30 | Samsung | 259 | 162 |
7 CRITICAL
42 HIGH
108 MEDIUM
3 LOW
|
0 | 0 | 0.0% | 7% | +3 |
| 31 | Intel | 255 | 194 |
3 CRITICAL
53 HIGH
116 MEDIUM
17 LOW
|
0 | 0 | 0.0% | 24% | -166 |
| 32 | Juniper | 214 | 77 |
5 CRITICAL
41 HIGH
31 MEDIUM
|
0 | 0 | 0.1% | 62% | -6 |
| 33 | VMware | 195 | 28 |
1 CRITICAL
16 HIGH
9 MEDIUM
1 LOW
|
2 | 1 | 0.3% | 25% | -27 |
| 34 | Citrix | 193 | 15 |
2 CRITICAL
10 HIGH
3 MEDIUM
|
2 | 4 | 0.8% | 60% | -2 |
| 35 | Atlassian | 182 | 42 |
9 CRITICAL
17 HIGH
14 MEDIUM
2 LOW
|
0 | 3 | 0.4% | 81% | +21 |
| 36 | Amd | 182 | 119 |
1 CRITICAL
43 HIGH
65 MEDIUM
4 LOW
|
0 | 0 | 0.0% | 56% | -77 |
| 37 | Paloalto | 162 | 59 |
1 CRITICAL
9 HIGH
32 MEDIUM
13 LOW
|
2 | 2 | 0.4% | 70% | -16 |
| 38 | Broadcom | 136 | 22 |
2 CRITICAL
13 HIGH
5 MEDIUM
|
1 | 0 | 0.4% | 23% | +18 |
| 39 | Jenkins | 130 | 84 |
1 CRITICAL
24 HIGH
57 MEDIUM
2 LOW
|
0 | 3 | 0.1% | 54% | +4 |
| 40 | HP | 124 | 32 |
3 CRITICAL
14 HIGH
14 MEDIUM
|
0 | 4 | 0.1% | 38% | -11 |
| 41 | Elastic | 108 | 59 |
3 CRITICAL
14 HIGH
40 MEDIUM
2 LOW
|
0 | 2 | 0.1% | 37% | +22 |
| 42 | Wazuh | 100 | 20 |
4 CRITICAL
3 HIGH
12 MEDIUM
1 LOW
|
0 | 6 | 0.1% | 70% | +16 |
| 43 | Netgear | 96 | 34 |
1 CRITICAL
10 HIGH
22 MEDIUM
1 LOW
|
0 | 5 | 5.5% | 62% | -77 |
| 44 | Drupal | 86 | 36 |
1 CRITICAL
9 HIGH
24 MEDIUM
2 LOW
|
0 | 5 | 0.1% | 83% | -133 |
| 45 | Abb | 83 | 17 |
1 CRITICAL
12 HIGH
4 MEDIUM
|
0 | 0 | 0.1% | 0% | -13 |
| 46 | Lenovo | 80 | 37 |
18 HIGH
18 MEDIUM
|
0 | 1 | 0.0% | 57% | -6 |
| 47 | Zte | 69 | 15 |
5 HIGH
9 MEDIUM
1 LOW
|
0 | 3 | 0.0% | 0% | +5 |
| 48 | Zyxel | 67 | 21 |
1 CRITICAL
8 HIGH
12 MEDIUM
|
0 | 0 | 0.2% | 0% | -14 |
| 49 | Mikrotik | 65 | 6 |
4 HIGH
2 MEDIUM
|
0 | 3 | 0.1% | 0% | +1 |
| 50 | Joomla | 65 | 13 |
2 CRITICAL
5 HIGH
5 MEDIUM
|
0 | 0 | 0.0% | 0% | -19 |
| 51 | Qnap | 65 | 82 |
1 CRITICAL
13 HIGH
65 MEDIUM
3 LOW
|
0 | 0 | 0.1% | 45% | +29 |
| 52 | Synology | 64 | 38 |
2 CRITICAL
11 HIGH
22 MEDIUM
3 LOW
|
0 | 0 | 0.0% | 95% | +12 |
| 53 | Rockwell | 59 | 7 |
1 CRITICAL
6 HIGH
|
0 | 0 | 0.2% | 0% | -40 |
| 54 | Aruba | 53 | 10 |
7 HIGH
3 MEDIUM
|
0 | 0 | 0.1% | 0% | -14 |
| 55 | Dahua | 49 | 6 |
2 CRITICAL
1 HIGH
1 MEDIUM
2 LOW
|
0 | 0 | 0.3% | 0% | -2 |
| 56 | Sonicwall | 47 | 8 |
1 CRITICAL
3 HIGH
2 MEDIUM
2 LOW
|
0 | 0 | 0.1% | 0% | -6 |
| 57 | Ericsson | 40 | 14 |
10 HIGH
4 MEDIUM
|
0 | 0 | 0.0% | 57% | +10 |
| 58 | Mediatek | 32 | 21 |
8 HIGH
13 MEDIUM
|
0 | 0 | 0.0% | 95% | -10 |
| 59 | Nokia | 27 | 9 |
4 HIGH
5 MEDIUM
|
0 | 1 | 0.2% | 44% | +8 |
| 60 | Qualcomm | 22 | 13 |
1 CRITICAL
3 HIGH
6 MEDIUM
|
0 | 0 | 0.0% | 77% | – |
| 61 | Huawei | 16 | 6 |
2 HIGH
4 MEDIUM
|
0 | 1 | 0.0% | 83% | -4 |
| 62 | Hikvision | 16 | 4 |
4 HIGH
|
0 | 0 | 0.0% | 0% | – |
| 63 | Siemens | 4 | 4 |
1 HIGH
1 MEDIUM
2 LOW
|
0 | 0 | 0.0% | 50% | -38 |
| 64 | Fortigate | 4 | 3 |
1 HIGH
1 MEDIUM
1 LOW
|
0 | 0 | 0.0% | 0% | +2 |
How to read this table
Risk Score – composite metric: KEV ×50, Critical ×10, High ×4, PoC ×8, EPSS weight, patch rate penalty. Higher = riskier vendor.
Severity – bar + counts: C=Critical, H=High, M=Medium, L=Low.
KEV – CISA Known Exploited Vulnerabilities – confirmed actively exploited in the wild.
PoC – CVEs with public Proof of Concept exploit code available.
Avg EPSS – average Exploit Prediction Scoring System probability across vendor CVEs.
Patch Rate – % of CVEs where vendor has released a patch. Green ≥80%, Yellow ≥50%, Red <50%.
Trend – CVE count change vs previous period of same length. +N = more new CVEs, −N = fewer.