A heady mixture of converging trends is likely to cause the volume of disclosed Common Vulnerabilites and Exposures (Cves) to hit at least 45,000 – And Possibly even as high as 50,000 – during 2025, Setting a new world record.
This is according to the Forum of Incident Response and Security Teams (First), a security non-protrofit organized in North carolina in the us, which said this figure was about 11% higher than in 2024, and almost six times higher in 2023. Complexity of the Security Landscape, and means Organizations must start to think more about their risk prioritis and mitigation strategies.
“The number of reported vulnerabilites are just just just growing, it's accelerating,” said Eireann LeverettFirst Liaison and Lead Member of its vulnerability forecasting team. “Security Teams can no longer afford to be reactive; They must anticipate and prioritise threats before they escalate. “
First's analysts attributed this surge to a number of factors – Shifting Technological Mores, Disclosure Policy Changes and Worldwide Geopolitical Chaos Among them.
“A combination of new players in the cve ecosystem, evolving disclosure practices, new disclosure legislation in europe, and a rapidly expanding attack surface is fueling this surge,” SAID Leverete.
Most importantly, on the tech side, The Rapid Adoption of Open Source Software (OSS) and the use of artificial intelligence (ai) tools to aid in vulnerability discovery was surfacing more flws, and making it Easier to Spot Them.
Added to this, new contributors to the cve ecosystem, such as linux and patchstack, are also having an effect on discovery volumes, and updates to how vulnerabilites are assigned and reported Challenges – are altering disclosure patterns.
And a growing Amount of state-sponsored cyber activity by government-run actors-often but not necessarily always Chinese, Iranian or Russian Ones – Is leading to more weightnesses being uncovered and exploited.
In terms of the types of cves being seen, first noted that memory safety vulnerability volumes are currently declining, While Convercely, Cross-Site Scripting (Xss) Vulnerabities Seem to Beeem to benay
Looking ahead, Leverett said heed he anticipated further growth in 2026, with an estimated minimum volume of just under 51,300 cves exposed to surface.
Vulnerability management a big challenge for cyber pros
He said this emphaged the long-term challenges Around Vulnerability Management Best Practice, and Advised Defenders to Try to Try to Think About Such Things More Strategically, Race more stare
What this means in practice is that Security Pros Should Prioritise Vulnerabilityes That Pose The Greatest Risk of Exploitation – Using Threat Intel and Predictive Insights – Rather Trying to Patch EVRING EVRING EVRIWSING All at Once. At the same time, teams and resources can and should be scled approves to optimise roll -out, and Attack Surface Management. Planning here is key, said Leverett, and Leaders Should Try to Find Ways of Predicting Patch “Effort” in Advance, Including Needed Downtime.
It may also be a good idea to prepare for changing disclosure trends, trying to anticipate surfaces in reports – this can be easily done Around Microsoft's Patch TuesdayAlthough it may prove more challenging in general – and allocating resources based on this.
It is far more important, said Leverett, to understand how a Sequence of Vulnerability Black swan vulnerability, like Citrix Bleed or Log4shell,
“Undrstanding the numbers is one thing, acting on them is what truly matters,” He said. “Organisations that use this data to guide their security plans can reduce exposure, mitigate risk and stay ahead of attackers.”