Vendor Intelligence
Security scorecards – CVE volume, patch rates, exploit exposure, and composite risk for 53 vendors
| # | Vendor | Risk Score | CVEs | Severity | KEV | PoC | Avg EPSS | Patch Rate | Trend |
|---|---|---|---|---|---|---|---|---|---|
| 1 | Suse | 5938 | 2635 |
162 CRITICAL
999 HIGH
1474 MEDIUM
|
1 | 34 | 0.1% | 98% | +1327 |
| 2 | Microsoft | 5842 | 1524 |
134 CRITICAL
918 HIGH
430 MEDIUM
36 LOW
|
7 | 60 | 0.3% | 92% | +1009 |
| 3 | 5186 | 1780 |
170 CRITICAL
811 HIGH
730 MEDIUM
66 LOW
|
1 | 24 | 0.1% | 94% | +1304 | |
| 4 | Red Hat | 4534 | 2123 |
96 CRITICAL
801 HIGH
1225 MEDIUM
|
1 | 40 | 0.1% | 96% | +1045 |
| 5 | WordPress | 4319 | 1378 |
97 CRITICAL
394 HIGH
874 MEDIUM
13 LOW
|
0 | 219 | 0.2% | 9% | +152 |
| 6 | Linux | 4174 | 1884 |
106 CRITICAL
744 HIGH
921 MEDIUM
9 LOW
|
1 | 11 | 0.1% | 98% | +1145 |
| 7 | Oracle | 2303 | 445 |
143 CRITICAL
157 HIGH
122 MEDIUM
22 LOW
|
3 | 10 | 0.3% | 21% | +359 |
| 8 | Apache | 1544 | 384 |
84 CRITICAL
150 HIGH
129 MEDIUM
15 LOW
|
0 | 13 | 0.2% | 77% | +263 |
| 9 | Tenda | 1129 | 141 |
16 CRITICAL
108 HIGH
9 MEDIUM
8 LOW
|
0 | 64 | 0.3% | 0% | +29 |
| 10 | Apple | 930 | 395 |
19 CRITICAL
163 HIGH
199 MEDIUM
13 LOW
|
0 | 11 | 0.1% | 91% | +126 |
| 11 | Mozilla | 610 | 176 |
25 CRITICAL
84 HIGH
65 MEDIUM
1 LOW
|
0 | 3 | 0.1% | 90% | +57 |
| 12 | IBM | 520 | 160 |
34 CRITICAL
45 HIGH
78 MEDIUM
1 LOW
|
0 | 0 | 0.2% | 63% | -30 |
| 13 | Nginx | 474 | 94 |
19 CRITICAL
47 HIGH
27 MEDIUM
1 LOW
|
0 | 12 | 0.2% | 71% | +44 |
| 14 | Cisco | 430 | 57 |
3 CRITICAL
35 HIGH
19 MEDIUM
|
4 | 6 | 0.4% | 26% | -67 |
| 15 | Ubiquiti | 384 | 34 |
13 CRITICAL
20 HIGH
1 MEDIUM
|
3 | 3 | 0.3% | 100% | +24 |
| 16 | Adobe | 373 | 140 |
14 CRITICAL
34 HIGH
88 MEDIUM
4 LOW
|
1 | 3 | 0.7% | 6% | +41 |
| 17 | D-Link | 365 | 44 |
5 CRITICAL
21 HIGH
6 MEDIUM
12 LOW
|
0 | 26 | 0.2% | 4% | -134 |
| 18 | Nvidia | 350 | 94 |
8 CRITICAL
60 HIGH
26 MEDIUM
|
0 | 2 | 0.1% | 21% | +66 |
| 19 | Canonical | 340 | 88 |
12 CRITICAL
37 HIGH
34 MEDIUM
5 LOW
|
0 | 9 | 0.1% | 90% | +59 |
| 20 | Gitlab | 318 | 95 |
5 CRITICAL
21 HIGH
56 MEDIUM
13 LOW
|
0 | 23 | 0.1% | 94% | +26 |
| 21 | Hashicorp | 290 | 56 |
12 CRITICAL
20 HIGH
18 MEDIUM
3 LOW
|
1 | 5 | 0.1% | 75% | +45 |
| 22 | Dell | 266 | 134 |
5 CRITICAL
54 HIGH
70 MEDIUM
5 LOW
|
0 | 0 | 0.2% | 83% | +91 |
| 23 | Ivanti | 232 | 19 |
3 CRITICAL
13 HIGH
3 MEDIUM
|
2 | 3 | 0.5% | 0% | +12 |
| 24 | Paloalto | 155 | 39 |
1 CRITICAL
7 HIGH
23 MEDIUM
8 LOW
|
2 | 2 | 0.6% | 100% | +33 |
| 25 | Debian | 140 | 39 |
4 CRITICAL
17 HIGH
15 MEDIUM
1 LOW
|
0 | 4 | 0.2% | 100% | -55 |
| 26 | Amd | 126 | 73 |
1 CRITICAL
29 HIGH
38 MEDIUM
1 LOW
|
0 | 0 | 0.1% | 59% | +63 |
| 27 | SAP | 116 | 41 |
8 CRITICAL
4 HIGH
25 MEDIUM
4 LOW
|
0 | 0 | 0.1% | 10% | -12 |
| 28 | Fortinet | 93 | 26 |
4 CRITICAL
5 HIGH
16 MEDIUM
1 LOW
|
0 | 1 | 0.2% | 0% | -35 |
| 29 | Intel | 85 | 41 |
2 CRITICAL
16 HIGH
23 MEDIUM
|
0 | 0 | 0.0% | 49% | +26 |
| 30 | Atlassian | 76 | 16 |
4 CRITICAL
7 HIGH
5 MEDIUM
|
0 | 1 | 0.2% | 88% | +10 |
| 31 | Jenkins | 76 | 62 |
1 CRITICAL
13 HIGH
46 MEDIUM
2 LOW
|
0 | 1 | 0.1% | 39% | +55 |
| 32 | VMware | 62 | 11 |
1 CRITICAL
8 HIGH
2 MEDIUM
|
0 | 0 | 0.0% | 9% | +4 |
| 33 | Juniper | 62 | 25 |
1 CRITICAL
13 HIGH
11 MEDIUM
|
0 | 0 | 0.3% | 88% | -4 |
| 34 | Mikrotik | 53 | 5 |
3 HIGH
2 MEDIUM
|
0 | 2 | 0.1% | 0% | +5 |
| 35 | Elastic | 52 | 37 |
2 CRITICAL
7 HIGH
28 MEDIUM
|
0 | 0 | 0.1% | 43% | +24 |
| 36 | Zte | 49 | 9 |
2 HIGH
7 MEDIUM
|
0 | 2 | 0.0% | 0% | +7 |
| 37 | Samsung | 46 | 51 |
7 HIGH
44 MEDIUM
|
0 | 0 | 0.0% | 14% | +5 |
| 38 | Citrix | 44 | 9 |
7 HIGH
2 MEDIUM
|
0 | 2 | 0.3% | 89% | +7 |
| 39 | HP | 44 | 11 |
2 CRITICAL
6 HIGH
2 MEDIUM
|
0 | 0 | 0.1% | 64% | +6 |
| 40 | Zyxel | 41 | 11 |
4 HIGH
7 MEDIUM
|
0 | 0 | 0.2% | 0% | +3 |
| 41 | Abb | 41 | 6 |
4 HIGH
2 MEDIUM
|
0 | 0 | 0.0% | 0% | +3 |
| 42 | Lenovo | 36 | 12 |
7 HIGH
4 MEDIUM
|
0 | 1 | 0.1% | 100% | +4 |
| 43 | TP-Link | 36 | 12 |
7 HIGH
5 MEDIUM
|
0 | 1 | 0.1% | 92% | -40 |
| 44 | Wazuh | 32 | 7 |
2 CRITICAL
1 HIGH
4 MEDIUM
|
0 | 1 | 0.1% | 100% | -2 |
| 45 | Synology | 30 | 23 |
1 CRITICAL
5 HIGH
14 MEDIUM
3 LOW
|
0 | 0 | 0.0% | 100% | +17 |
| 46 | Qualcomm | 18 | 5 |
1 CRITICAL
2 HIGH
1 MEDIUM
|
0 | 0 | 0.1% | 100% | +4 |
| 47 | Nokia | 16 | 6 |
2 HIGH
4 MEDIUM
|
0 | 1 | 0.3% | 67% | +3 |
| 48 | Ericsson | 16 | 4 |
4 HIGH
|
0 | 0 | 0.0% | 100% | – |
| 49 | Qnap | 12 | 11 |
3 HIGH
6 MEDIUM
2 LOW
|
0 | 0 | 0.3% | 91% | +4 |
| 50 | Huawei | 12 | 3 |
1 HIGH
2 MEDIUM
|
0 | 1 | 0.1% | 67% | +3 |
| 51 | Mediatek | 12 | 7 |
3 HIGH
4 MEDIUM
|
0 | 0 | 0.0% | 86% | +7 |
| 52 | Dahua | 4 | 3 |
1 HIGH
1 MEDIUM
1 LOW
|
0 | 0 | 0.1% | 0% | +2 |
| 53 | Netgear | 0 | 18 |
18 MEDIUM
|
0 | 0 | 0.1% | 83% | +15 |
How to read this table
Risk Score – composite metric: KEV ×50, Critical ×10, High ×4, PoC ×8, EPSS weight, patch rate penalty. Higher = riskier vendor.
Severity – bar + counts: C=Critical, H=High, M=Medium, L=Low.
KEV – CISA Known Exploited Vulnerabilities – confirmed actively exploited in the wild.
PoC – CVEs with public Proof of Concept exploit code available.
Avg EPSS – average Exploit Prediction Scoring System probability across vendor CVEs.
Patch Rate – % of CVEs where vendor has released a patch. Green ≥80%, Yellow ≥50%, Red <50%.
Trend – CVE count change vs previous period of same length. +N = more new CVEs, −N = fewer.