Cyber Resilience

Vulnerabilities in Security Software

Last updated: 09 Jun 2026 04:44 UTC

Security software runs with privilege, on the perimeter, and on every endpoint. When it has a bug, that bug inherits the privilege, the perimeter, and the endpoint. In a companion piece we examined CVEs in AI software; this article examines the much larger corpus of CVEs in security software itself — firewalls, EDR, SIEM, IAM, vuln scanners, ZTNA gateways — and asks whether the products meant to defend hold up better, worse, or about the same as the systems they are meant to protect.

Scope and data

We split the question into two parallel tracks. Track A covers pure-play security vendors — companies whose primary business is security tooling. Track B covers the security sub-products inside generalist vendors: Microsoft Defender / Entra / Sentinel, Google Chronicle and Safe Browsing, Apple XProtect, AWS GuardDuty and Macie. The non-security baseline is everything else.

Security category              | Track A examples (pure-play)                                                              | Track B examples (generalist sub-product)
Firewall / VPN / NGFW          | Cisco, Palo Alto, Fortinet, Juniper, F5, Citrix, SonicWall, Barracuda, Ivanti             | -
EDR / AV / endpoint protection | CrowdStrike, SentinelOne, Sophos, Trellix, Trend Micro, Symantec, Bitdefender, Kaspersky | Microsoft Defender, Apple XProtect
SIEM / SOAR / log mgmt         | Splunk, Elastic, Graylog                                                                  | Google Chronicle, IBM QRadar, Microsoft Sentinel
Vulnerability management       | Tenable, Qualys, Rapid7, Greenbone                                                        | -
IAM / PAM / SSO                | Okta, Ping, Auth0, Yubico, Duo, CyberArk, BeyondTrust, Delinea                            | Microsoft Entra, Azure Active Directory
WAF / CDN / DDoS               | Akamai, Cloudflare, Imperva, Fastly                                                       | AWS WAF / Shield
ZTNA / secure gateway          | Zscaler, Netskope, Tailscale, Twingate                                                    | Google BeyondCorp
Cloud security                 | -                                                                                         | AWS GuardDuty / Macie / Security Hub / Inspector

Data: NVD (National Vulnerability Database) for CVE records, EPSS for near-term exploitation probability, CISA KEV for confirmed in-the-wild exploitation. Window: CVEs published between 1 January 2025 and the last complete month of 2026. Open-source security tooling (Suricata, Zeek, Snort) and ICS-specific security products (Siemens automation, Rockwell PSIRT advisories) are out of scope for this analysis.

Summary findings

The security-software attack surface is large

Pure-play security vendors are responsible for a meaningful share of the modern CVE corpus. Track A produced 997 CVEs in 2025 and already 364 through the last complete month of 2026 — a year that is on pace to substantially exceed the prior year on volume alone. Track B, the security sub-products inside generalist vendors, is an order of magnitude smaller: 87 CVEs in 2025 and 40 so far in 2026.

The gap between the two tracks is mostly a reporting artefact: Microsoft, Google and Apple publish security sub-product CVEs into their broader vendor stream rather than tagging them as Defender-specific or Chronicle-specific. The pure-play stream is more visible because the whole vendor exists to make security tooling. Both streams matter; they surface in different operational contexts.

Figure 1. Monthly CVE volume for pure-play security vendors (Track A) and security sub-products inside generalist vendors (Track B), 2025 through the last complete month of 2026. The bar pair on the right shows year-over-year totals.

Severity

By raw CVSS the two security tracks look ordinary. Average base score is 6.65 for pure-play, 6.18 for generalist sub-products, 6.62 for the non-security baseline. Roughly 45.1% of Track A CVEs and 31.0% of Track B CVEs are High or Critical, versus 44.6% for the baseline.

This is the first counter-intuitive finding of the article: by the single-number CVSS yardstick, vulnerabilities in security software do not look more severe than vulnerabilities in everything else. The damage they cause depends on which CVSS components are elevated, not on the headline number.

Figure 2. Severity distribution and CVSS base-score spread (2025) for pure-play security vendors, generalist security sub-products, and the non-security baseline.

The CVSS fingerprint

Decomposing the CVSS vector shows where Track A leans. Pure-play security software is mildly more network-reachable (75.3% of CVEs vs. 73.5% for non-security software) and — the more interesting bias — carries higher confidentiality impact when exploited (45.0% high-C versus 38.4% for the baseline). Privilege requirements and attack complexity look broadly similar to the non-security corpus. A management web UI on a firewall, a SIEM ingest port, or an IAM admin endpoint is, almost by definition, an internet-reachable surface that brokers sensitive secrets when exploited; the data reflects that asymmetry.

Why this matters. A CVE that requires a local user with admin privileges to trigger a 9.8 CVSS bug is operationally a different animal from a CVE that lets an unauthenticated network attacker trigger a 7.5 CVSS bug on a public management interface. The headline scores are close. The exploitation paths are not.

Figure 3. Share of 2025 CVEs sitting at the high-risk value of each CVSS vector component. Both security tracks skew more network-reachable and lower-privilege than the non-security baseline.
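The decomposition behind the CVSS fingerprint above, as an added example in Python (not the article's own tooling): parse CVSS 3.x vector strings and compute, per cohort, the share of CVEs sitting at the high-risk value of each component. The cohort labels, the HIGH_RISK map and the four sample records are constructed for illustration.

```python
from collections import defaultdict

# High-risk value per CVSS 3.x component: network-reachable, low complexity,
# no privileges, no user interaction, high confidentiality/integrity/availability.
HIGH_RISK = {"AV": "N", "AC": "L", "PR": "N", "UI": "N", "C": "H", "I": "H", "A": "H"}


def parse_cvss_vector(vector):
    """Parse 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H' into a metric dict."""
    parts = vector.split("/")
    if not parts[0].startswith("CVSS:3."):
        raise ValueError(f"unsupported vector: {vector}")
    metrics = {}
    for part in parts[1:]:
        key, _, value = part.partition(":")
        if not value:
            raise ValueError(f"malformed metric {part!r} in {vector}")
        metrics[key] = value
    missing = set(HIGH_RISK) - set(metrics)
    if missing:
        raise ValueError(f"vector {vector} lacks {sorted(missing)}")
    return metrics


def fingerprint(records):
    """Return {cohort: {component: share of CVEs at the high-risk value}} (0..1)."""
    counts = defaultdict(lambda: defaultdict(int))
    totals = defaultdict(int)
    for rec in records:
        metrics = parse_cvss_vector(rec["vector"])
        totals[rec["cohort"]] += 1
        for comp, risky in HIGH_RISK.items():
            counts[rec["cohort"]][comp] += metrics[comp] == risky
    return {cohort: {comp: counts[cohort][comp] / n for comp in HIGH_RISK}
            for cohort, n in totals.items()}


# Constructed sample: an unauthenticated, high-C management-UI bug (track_a)
# next to a local-admin, high-impact bug (baseline) with similar headline severity.
SAMPLE = [
    {"cohort": "track_a", "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N"},
    {"cohort": "track_a", "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},
    {"cohort": "baseline", "vector": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"},
    {"cohort": "baseline", "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N"},
]

if __name__ == "__main__":
    for cohort, shares in fingerprint(SAMPLE).items():
        print(cohort, {k: f"{v:.0%}" for k, v in shares.items()})
```

On a real NVD export the same function runs over each record's cvssMetricV31 vector string; the per-component shares are what Figure 3 plots.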

Which categories are riskiest?

Splitting Track A into security-software categories reveals a clear hierarchy of operational risk:

Security category                        | CVEs (24mo) | Avg CVSS | % in KEV
WAF / CDN / DDoS                         |          16 |     7.58 |    0.0%
EDR / AV / Endpoint Protection           |         168 |     7.29 |   2.38%
IAM / PAM / SSO                          |          25 |     7.24 |    4.0%
Firewall / VPN / NGFW                    |       1,023 |     6.67 |   5.18%
Vulnerability Management                 |          23 |     6.57 |    0.0%
ZTNA / Secure Gateway / VPN-as-a-Service |           3 |     6.17 |    0.0%
SIEM / SOAR / Log Mgmt                   |         230 |     5.99 |    0.0%

Note: the ZTNA / Secure Gateway row rests on only 3 CVEs and WAF / CDN / DDoS on 16, so their averages and KEV rates are unstable — a single CVE would move them materially. Read the small-denominator rows as directional, not precise.

The KEV-rate column is the column that matters. Average CVSS is broadly similar across categories, but the proportion that ends up on CISA KEV — i.e. that gets exploited in the wild — varies by an order of magnitude. Categories whose products sit on the network edge (Firewall/VPN, ZTNA, IAM gateways) get exploited far more often than categories whose products run on hardened endpoints or inside the security stack (EDR, SIEM, vuln management).

Figure 4. Average severity (left) and real-world exploitation rate (percentage of CVEs added to CISA KEV, right) by security-software category. ZTNA gateways, IAM/PAM, and edge firewalls land disproportionately on KEV.

Inside Track A, the per-vendor exploitation rate further sharpens the point. The pure-play vendors with the highest KEV-hit-per-CVE ratios in the window:

Vendor     | Category                       | CVEs (24mo) | KEV adds | KEV %
Sonicwall  | Firewall / VPN / NGFW          |          31 |        3 | 9.68%
Ivanti     | Firewall / VPN / NGFW          |         121 |       11 | 9.09%
Cisco      | Firewall / VPN / NGFW          |         211 |       14 | 6.64%
Fortinet   | Firewall / VPN / NGFW          |         312 |       10 | 3.21%
Broadcom   | EDR / AV / Endpoint Protection |          58 |        1 | 1.72%
Trendmicro | EDR / AV / Endpoint Protection |          60 |        1 | 1.67%
F5         | Firewall / VPN / NGFW          |          92 |        1 | 1.09%
Juniper    | Firewall / VPN / NGFW          |         136 |        1 | 0.74%
Elastic    | SIEM / SOAR / Log Mgmt         |          65 |        0 |  0.0%
Splunk     | SIEM / SOAR / Log Mgmt         |          51 |        0 |  0.0%

Common weaknesses

The Track A weakness profile is dominated by classic management-plane bugs. Top of the list: CWE-79 cross-site scripting (10.8%), CWE-78 OS command injection (5.9%), CWE-22 path traversal (4.0%), CWE-89 SQL injection (3.5%), CWE-787 out-of-bounds write (3.2%). These are the injection, authorization, and traversal classes that have plagued web-management interfaces for two decades. Memory-safety bugs (CWE-416, CWE-787) are present but not dominant.

Track B looks different. Microsoft Defender, Apple XProtect, and AWS-side security agents skew memory-safety: CWE-416 use-after-free and CWE-787 out-of-bounds write top the list. These are products built in large C/C++ codebases inside generalist OS or cloud platforms; the weakness profile mirrors the host platform's profile, not security software's.

Figure 5. Top 12 weaknesses in pure-play security software (2025), with the generalist sub-product cohort and non-security baseline shown for comparison.

Pure-play vs generalist: the parallel-track comparison

The two tracks differ in three structural ways:

Acquisitions: a question we cannot yet answer well

One of the questions a security-software analysis ought to ask: does a vendor acquisition trigger a measurable change in CVE publication rate? Two hypotheses come up in the wild:

The data does not support a strong claim on either. The 24-month window covers only one major security-vendor deal cleanly — the Broadcom acquisition of VMware (closed November 2023) — and even that case is one-sided: our per-vendor monthly series for VMware starts mid-2024, so we cannot see the pre-deal baseline. What we can see: a Q1 2026 spike of 37 CVEs in two months (11 in March plus 26 in April), against a pre-2026 average of 2.91 CVEs/month. That is roughly a 6.4× surge, large but with no causal evidence behind it.

Figure 6. VMware monthly CVE volume since vendor_cve_stats coverage began (mid-2024). Broadcom closed its acquisition of VMware in November 2023; the Q1 2026 spike (11 CVEs in March plus 26 in April, 37 in two months) is the largest cluster in the post-acquisition window, but we lack pre-acquisition data to attribute the spike to due diligence vs. coincidence.

The deals we'd most want to examine if the data window were wider: Splunk → Cisco (announced March 2024, closed September 2024), Symantec → Broadcom (closed November 2019), Carbon Black → VMware (2019) → Broadcom (2023), FireEye/Mandiant → Google (closed September 2022), and the McAfee Enterprise → Trellix split (2022). All of these either predate the available window or involve CPE-vendor-string discontinuities (Symantec CVEs still publish under the symantec CPE vendor, not broadcom) that would have to be resolved before any pace claim could be made.

What we'd need. A longer historical CVE time series (back to at least 2018), explicit acquisition-event metadata mapped to CPE vendor transitions, and a matched-control design (non-acquired vendors of comparable size). That is a separate piece of work; we flag it as a follow-up rather than stretch the current data to claims it cannot bear.

Exploitability

By EPSS, pure-play security software carries materially higher near-term exploitation probability than the non-security baseline. Mean EPSS in Track A is 0.027 (vs. 0.0101 for non-security software), with 4.51% of Track A CVEs scoring above 0.1 vs. 1.6% for the baseline. Track B sits in between at 1.15%.

Note: FIRST.org’s EPSS v4 rollout in September 2025 recalibrated score scales — v4 assigns more conservative initial scores than v3 did — and this comparison spans the transition, so the absolute means should be read as indicative rather than precise.

Figure 7. Cumulative distribution of EPSS scores (log-log). Pure-play security software carries materially higher near-term exploitation probability than the non-security baseline.

Combined with the KEV-rate split by category, the operational picture is consistent: the security products attackers actually target are the ones on the network edge, and EPSS picks up on that pattern before CISA does.

About this analysis

Author disclosure. This analysis is published from inside a security vendor: Barracuda Networks. Barracuda is a Track A pure-play vendor in the dataset above, with roughly 46 all-time CVEs across the lifetime of the catalogue. We have been on CISA KEV ourselves — most notably the 2023 Email Security Gateway appliance chain (CVE-2023-2868 family) — and we have followed the playbook this article recommends in the aftermath: scope-narrowing, internal fuzz coverage, red-team rotation, and external assurance. We publish this analysis in full knowledge that our own products are in the dataset, because the question of how the security industry's own vulnerabilities behave matters and we'd rather the field have this read than not. Numbers are computed from the public NVD, EPSS and CISA KEV feeds; we have done no special handling of our own vendor row.

Year over year

                        | Track A (2025) | Track A (2026 to date) | Track B (2025) | Track B (2026 to date)
CVEs published          |            997 |                    364 |             87 |                     40
Average CVSS base score |           6.65 |                   6.75 |           6.18 |                   6.84
High or Critical        |          45.1% |                  44.2% |          31.0% |                  47.5%
KEV total               |             37 |                     19 |              0 |                      2

Recommendations

For security-software producers

Three priorities, in order of leverage. First, treat the management plane as the primary attack surface. The data is unambiguous: injection, authorization-bypass and path-traversal bugs in management interfaces dominate the Track A weakness profile, and categories whose products sit on the network edge dominate the KEV rate. Network-edge products should ship with the management interface disabled from public networks by default, and the vendor should be vocal about that posture.

Second, dogfood your own product against an internal red team whose mandate is renewed quarterly. The gap in product security maturity between, e.g., Cloudflare and Citrix is not a mystery: it mostly reflects the maturity of the internal security programme, not the technology.

Third, fuzz-and-publish on a public cadence. Track B vendors (Microsoft, Apple, Google) publish detailed acknowledgement of internal-found vs. external-reported bugs every cycle. Pure-play vendors mostly don't. The same cadence at smaller scale is achievable and is the single best signal the field has of product-security maturity.

For enterprises consuming security software

Inventory the security software in your stack the way you would any other supply-chain risk. Rank vendors by KEV-hit-per-CVE, not by CVE volume. A vendor that publishes 30 CVEs of which 4 land on KEV (Citrix-like) is in operational terms a higher risk than a vendor that publishes 9,000 CVEs of which 11 land on KEV (Linux-like). Demand SBOMs and fuzz-coverage commitments from your network-edge vendors specifically; their bugs reach you fastest.
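One way to do that ranking, as an added example that is not the article's tooling: compute KEV-hit-per-CVE per vendor from a KEV-flagged CVE feed, sort by rate rather than volume, and flag small denominators (the caveat attached to the category table above) alongside a Wilson lower bound so a 1-of-3 row is not read like a 4-of-30 row. The MIN_CVES threshold, the vendor names and the feed are constructed assumptions.

```python
import math
from collections import defaultdict

MIN_CVES = 10  # assumption: below this, treat the KEV rate as directional only


def wilson_lower(hits, n, z=1.96):
    """Lower bound of the 95% Wilson interval for the proportion hits/n."""
    if n == 0:
        return 0.0
    p = hits / n
    centre = p + z * z / (2 * n)
    spread = z * math.sqrt(p * (1 - p) / n + z * z / (4 * n * n))
    return (centre - spread) / (1 + z * z / n)


def rank_vendors(cves):
    """cves: iterable of {"vendor": str, "in_kev": bool}. Returns rows sorted
    by KEV-hit-per-CVE (descending), not by CVE volume, with a small-sample flag."""
    n, hits = defaultdict(int), defaultdict(int)
    for c in cves:
        n[c["vendor"]] += 1
        hits[c["vendor"]] += c["in_kev"]
    rows = [{"vendor": v, "cves": n[v], "kev": hits[v],
             "kev_rate": hits[v] / n[v],
             "kev_rate_lower": wilson_lower(hits[v], n[v]),
             "small_sample": n[v] < MIN_CVES} for v in n]
    return sorted(rows, key=lambda r: (r["kev_rate"], r["cves"]), reverse=True)


def constructed_feed():
    """Constructed records mirroring the article's Citrix-like (4 of 30),
    Linux-like (11 of 9,000) and tiny-denominator (1 of 3) cases."""
    feed = [{"vendor": "edge-vendor", "in_kev": i < 4} for i in range(30)]
    feed += [{"vendor": "os-vendor", "in_kev": i < 11} for i in range(9000)]
    feed += [{"vendor": "tiny-vendor", "in_kev": i < 1} for i in range(3)]
    return feed


if __name__ == "__main__":
    for r in rank_vendors(constructed_feed()):
        flag = "  <- small sample, directional only" if r["small_sample"] else ""
        print(f"{r['vendor']:12} n={r['cves']:5d} kev={r['kev']:3d} "
              f"rate={r['kev_rate']:.2%} lower95={r['kev_rate_lower']:.2%}{flag}")
```

With real data, in_kev is simply whether the CVE id appears in the CISA KEV catalogue, and the vendor key is the CPE vendor string, which is where the Symantec-under-symantec-not-broadcom discontinuity noted earlier has to be resolved before ranking.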


Author: Arve Kjoelen (Barracuda Networks). Data: NVD, EPSS, CISA KEV. Snapshot 09 Jun 2026 04:44 UTC. Pure-play / generalist taxonomy is curated and editable; the source-of-truth lives at security-vulns/_security_vendors.py. Feel free to share, adapt, or build on this work; attribution appreciated.