Hardware and Network Vulnerability Exploits Surge, Bugcrowd Report Says

Written by: Lore Apostol, Cybersecurity Writer

Bugcrowd's new report, which analyzed hundreds of thousands of vulnerabilities, points to a significant shift in the threat landscape, with notable increases in hardware and network vulnerabilities. The crowdsourced cybersecurity company's findings highlight how foundational layers of technology are becoming prime targets for attackers in an era of rapid AI adoption.

Hardware and Network Vulnerabilities on the Rise

The Bugcrowd 2025 report "Inside the Mind of a CISO 2025" identifies an 88% increase in hardware vulnerability exploits. This surge is linked to the proliferation of Internet of Things (IoT) devices, expanding the physical attack surface for organizations. 

The report underscores this trend by noting that 81% of security researchers encountered new hardware vulnerabilities over the past year. 

The number of vulnerabilities by target type over the past three years | Source: Bugcrowd

Furthermore, the analysis indicates a doubling of network vulnerabilities, suggesting that as application ecosystems become increasingly complex, core infrastructure remains at high risk. Other critical findings include a 36% rise in broken access control flaws, making it the top critical vulnerability category, and a 42% increase in sensitive data exposure flaws. 

In response, organizations are increasing their investment in offensive security, with payouts for critical vulnerabilities rising by 32%, demonstrating a growing reliance on ethical hackers to identify severe risks. 

AI's Role in Expanding Cybersecurity Challenges

The findings also reveal how the role of AI in cybersecurity is creating dual challenges. While AI-assisted coding accelerates development cycles, it also contributes to new attack vectors and overlooked exposures in APIs and other components. 

The report stresses that attackers are exploiting this growing complexity while still targeting foundational security weaknesses. “The weakest link isn’t the employee, it’s the lack of layered security controls that can detect and stop unauthorized data access in real time,” said Randolph Barr, Chief Information Security Officer at Cequence Security.

The Importance of Offensive Security

The report emphasizes that a community-driven, collaborative approach is essential for building resilience against these multifaceted threats. Hackers and security leaders also contributed advice on what organizations should watch out for:

Casey Ellis, Founder at Bugcrowd, highlighted that older hardware and network systems are often neglected and left vulnerable, while AI tooling tends to focus on modern targets such as cloud services and web apps.

“These legacy systems, which were never designed to handle today’s threat landscape and often overlooked from both an IT governance and cybersecurity solution standpoint, have accumulated years of technical debt and misconfigurations, which makes them easy targets,” Ellis told TechNadu.

“Rather than presenting CVE scores and vulnerability counts, successful CISOs translate findings into concrete business scenarios—demonstrating how a specific vulnerability could disrupt operations, damage brand reputation, or expose customer data,” Ellis added, stressing that the most effective approach combines adversarial testing results with narrative arcs that show progression over time.

“CISOs should leverage these higher payouts as proof points that the market values—and threat actors target—vulnerabilities that directly impact business continuity, making the case for security investments in terms leadership can immediately understand and act upon.”

Diana Kelley, Chief Information Security Officer at Noma Security, said that CISOs “should be inventorying all agents, MCP servers, and connected tools and datasets, integrating least-privilege design into agentic workflows, and monitoring agents for tool misuse.”
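One way to turn Kelley's three practices (inventory the agents and their tools, grant least privilege, monitor for tool misuse) into something a security team can run is a small policy check over an agent's tool-call log. The script below is an added example written for this article; it is not code from Bugcrowd, Noma Security, or the report. The agent names, tool names, scope rules (path prefixes and host allowlists) and the JSON-lines log format are all constructed for illustration, and a real deployment would read the inventory from its agent registry and the calls from its gateway or MCP server logs.

```python
"""Least-privilege tool policy for AI agents with misuse detection.

Added example: the inventory, tools, scope rules and log records are
constructed for illustration and do not come from any real product.
"""
import json
import posixpath
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Inventory: every registered agent, its owner, and the only tools it may call.
# Scope rules are hypothetical per-tool constraints (path prefixes for file
# tools, host allowlists for HTTP tools). Anything not listed is denied.
AGENT_INVENTORY = {
    "support-bot": {
        "owner": "customer-success",
        "tools": {
            "read_file": {"path_prefixes": ["/srv/kb/"]},
            "http_get": {"hosts": ["status.example.internal"]},
        },
    },
    "billing-agent": {
        "owner": "finance",
        "tools": {"query_invoices": {}},
    },
}


@dataclass(frozen=True)
class Finding:
    agent: str
    tool: str
    reason: str


def check_call(call: dict) -> Optional[Finding]:
    """Return a Finding when a single tool call breaks the policy, else None."""
    agent = call.get("agent", "<unknown>")
    tool = call.get("tool", "<unknown>")
    args = call.get("args", {}) or {}

    entry = AGENT_INVENTORY.get(agent)
    if entry is None:  # unregistered agent: the inventory is the allowlist
        return Finding(agent, tool, "agent not in inventory")

    grant = entry["tools"].get(tool)
    if grant is None:  # agent exists but was never granted this tool
        return Finding(agent, tool, "tool not granted to agent")

    prefixes = grant.get("path_prefixes")
    if prefixes is not None:
        # Normalize first so "/srv/kb/../x" cannot satisfy a "/srv/kb/" prefix.
        path = posixpath.normpath(str(args.get("path", "")))
        if not any(path.startswith(p) for p in prefixes):
            return Finding(agent, tool, f"path outside allowed scope: {path}")

    hosts = grant.get("hosts")
    if hosts is not None:
        host = str(args.get("host", "")).lower()
        if host not in hosts:
            return Finding(agent, tool, f"host outside allowed scope: {host}")

    return None


def audit_log(lines):
    """Parse JSON-lines tool-call records; return (findings, calls per agent)."""
    findings, counts = [], Counter()
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            call = json.loads(raw)
        except json.JSONDecodeError:
            findings.append(Finding("<unparsed>", "<unparsed>", "malformed log line"))
            continue
        counts[call.get("agent", "<unknown>")] += 1
        finding = check_call(call)
        if finding is not None:
            findings.append(finding)
    return findings, counts


# Constructed sample log: one clean call per agent plus four policy violations.
SAMPLE_LOG = """
{"ts": "2025-09-01T10:00:01Z", "agent": "support-bot", "tool": "read_file", "args": {"path": "/srv/kb/refunds.md"}}
{"ts": "2025-09-01T10:00:02Z", "agent": "support-bot", "tool": "read_file", "args": {"path": "/srv/kb/../../home/ops/notes.txt"}}
{"ts": "2025-09-01T10:00:03Z", "agent": "support-bot", "tool": "query_invoices", "args": {"customer": "42"}}
{"ts": "2025-09-01T10:00:04Z", "agent": "support-bot", "tool": "http_get", "args": {"host": "updates.vendor-example.com"}}
{"ts": "2025-09-01T10:00:05Z", "agent": "shadow-agent", "tool": "read_file", "args": {"path": "/srv/kb/faq.md"}}
{"ts": "2025-09-01T10:00:06Z", "agent": "billing-agent", "tool": "query_invoices", "args": {"customer": "42"}}
"""

if __name__ == "__main__":
    found, per_agent = audit_log(SAMPLE_LOG.splitlines())
    for f in found:
        print(f"[ALERT] agent={f.agent} tool={f.tool}: {f.reason}")
    print("calls per agent:", dict(per_agent))
```

Run against the constructed log it reports four alerts: a file read that escapes the knowledge-base directory after normalization, a tool the support agent was never granted, an HTTP call to a host outside its allowlist, and a call from an agent missing from the inventory. The deny-by-default shape is the point: the inventory doubles as the allowlist, so an agent or tool that nobody registered is flagged rather than silently permitted.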

Moving forward, “CISOs will continue to push business leaders to embed breach readiness and cyber-defense practices in business functions, making businesses breach-ready by design,” stated Agnidipta Sarkar from ColorTokens.

However, Bruce Jenkins, Chief Information Security Officer at Black Duck, warns that public-facing “figurehead” obligations cannot interfere with the CISO’s primary responsibility, which is defending the business against cybersecurity-based threats in the most proactive manner possible.
