Special Edition: ActiveState’s 2025 State of Vulnerability Management & Remediation Report—Another Year, Another Pile of Unpatched CVEs
Eric Gallagher
Securing Software Supply Chains | Sales & Data Analysis | Account Management | Creator of shenanigans | Tennis, Poker, & Excel nerd
Date: March 10, 2025
We interrupt your regularly scheduled weekly newsletter programming to bring you this special edition report! (Dun, dun, dun...)
Software supply chain security continues to be everyone’s problem—and yet, it’s somehow still nobody’s responsibility. Last week, ActiveState released their 2025 State of Vulnerability Management & Remediation Report, where over 317 DevOps, Security, and Product professionals reveal just how bad things really are.
Spoiler alert: it’s not great.
Despite years of warnings, high-profile breaches, and more security tooling than anyone knows what to do with, most organizations are still drowning in vulnerabilities, playing hot potato with remediation, and hoping attackers take the day off. (News flash: they won’t.)
Key Findings That Will Keep Security Teams Up at Night
Open Source Components: The Gift That Keeps on Giving (Attackers a Way In)
Over 96% of enterprise applications rely on open source libraries, yet 53% of organizations still believe it’s someone else’s problem to fix vulnerabilities. Hope is not a strategy, folks.
Hotfixes and Hope: The Default Security Posture
When a vulnerability is discovered, 45% of organizations scramble to apply a hotfix—which sounds great until you realize that 24% just dump it in the backlog and forget about it. Guess which group gets breached first?
Speed vs. Security: Why Choose When You Can Have Neither?
A full 34% of organizations admit they can’t balance deployment speed with security controls. Translation: they’re moving fast AND breaking things—just not in the cool, disruptive way.
MTTR: The Number Everyone Tracks, But No One Understands
41% of organizations proudly measure Mean Time to Resolution (MTTR), despite the inconvenient fact that most attackers weaponize new vulnerabilities within 7 days—and most companies take 270 days to patch them. The math is not in their favor.
Remediation Ownership: A Game of “Not It”
When asked who actually owns remediation, responses included:
- Ops, Dev & Product (25.81%) – Because why not spread the responsibility so thin that no one actually does it?
- Dev (21.61%) & Product (19.35%) – Sure, let’s add security to their already overloaded backlog.
- No One (9%) – At least they’re honest.
ActiveState’s Take: Fix It or Get Breached
Here’s the thing: vulnerability management isn’t just a security problem—it’s a DevSecOps problem, a Dev problem, a Product problem, and ultimately, a Business problem. And ignoring it isn’t going to make attackers lose interest.
Some companies get this and are investing in Vulnerability Blast Radius analysis, Breaking Change impact assessments, and automated remediation pipelines. Others? Well, they’re still manually tracking vulnerabilities in spreadsheets and wondering why they can’t get ahead of attackers.
Want the Full Breakdown? Download the Report.
ActiveState’s latest report details:
- The top 10 vulnerabilities putting organizations at risk
- Why remediation is still a mess in most companies
- What teams can do to fix vulnerabilities faster and more intelligently
- How automation and AI-powered risk prioritization can eliminate the endless backlog
The link to the full report is in the comments of this post. Get your copy today.
Because let’s be real—hope isn’t a security strategy, and attackers aren’t waiting for you to catch up.
Eric Gallagher (comment, 2 weeks later): https://www.activestate.com/resources/white-papers/the-2025-state-of-vulnerability-management-and-remediation-report/?utm_source=linkedin&utm_medium=newsletter&utm_campaign=remediated-report