A mix of rising trends is pushing the number of disclosed common vulnerabilities and exposures (CVEs) toward a record 45,000 to 50,000 by 2025. The Forum of Incident Response and Security Teams (First), based in North Carolina, reports this figure reflects an 11% increase compared to 2024 and nearly six times the count from 2023. This surge highlights the growing complexity in security, prompting organizations to rethink how they approach risk and mitigation.
“The number of reported vulnerabilities isn’t just growing; it’s accelerating,” Eireann Leverett, with First, emphasized. He argues that security teams need to shift from a reactive posture to a proactive one, prioritizing threats before they escalate.
First’s analysts attribute this increase to several factors: changes in technology, disclosure policies, and geopolitical instability. Leverett pointed out that new players in the CVE ecosystem, evolving disclosure practices, and new legislation in Europe are all contributing to this boom. The rapid rise in open source software and the use of AI tools for vulnerability detection are also surfacing more flaws and making them easier to find.
Additionally, state-sponsored cyber activity, often linked to actors from China, Iran, or Russia, is unearthing and exploiting more vulnerabilities. First reports that while memory safety vulnerabilities are declining, cross-site scripting (XSS) vulnerabilities are on the rise.
Looking ahead, Leverett expects continued growth, projecting nearly 51,300 CVEs for 2026. This underscores ongoing challenges in vulnerability management. He advises security professionals to adopt a more strategic mindset rather than simply reacting to new disclosures. Prioritizing vulnerabilities based on potential exploitation risk—using threat intelligence and predictive insights—can be more effective than attempting an all-out patching effort.
Security teams should also scale their patching resources deliberately, so that fixes can be rolled out quickly and the attack surface kept under control. Planning becomes crucial, particularly in estimating the effort each patch cycle will require and any downtime it will impose.
Being prepared for shifts in disclosure trends is vital. Anticipating reporting surges, such as those around Microsoft’s Patch Tuesday, allows teams to allocate resources more efficiently. Leverett stresses the importance of understanding how vulnerabilities can affect the organization and its security operations, rather than fixating on rare “black swan” vulnerabilities like Citrix Bleed or Log4Shell.
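The risk-based prioritization and patch planning described above, as an added illustration that is not part of the report or the article: CVEs are ranked by exploitation likelihood (a predictive probability such as an EPSS-style score, or certainty when the flaw is already known to be exploited) weighted by exposure, and the top of that list is fitted to the hours available in a patch window. The CVE identifiers and all field values are constructed placeholders, and the scoring formula is an assumption chosen for illustration.

```python
from dataclasses import dataclass


@dataclass
class Cve:
    cve_id: str            # placeholder id, not a real CVE
    cvss: float            # base severity, 0-10
    epss: float            # predicted probability of exploitation (0-1)
    known_exploited: bool  # listed in a known-exploited catalogue
    exposed_assets: int    # reachable assets carrying this flaw
    patch_hours: float     # estimated rollout effort


def risk_score(c: Cve) -> float:
    """Exploitation likelihood weighted by severity and exposure.

    A flaw already known to be exploited gets likelihood 1.0; otherwise
    the predictive probability is used. Severity alone is not the rank key.
    """
    likelihood = 1.0 if c.known_exploited else c.epss
    return likelihood * c.cvss * c.exposed_assets


def rank_by_severity(cves: list[Cve]) -> list[str]:
    """The 'patch everything critical first' baseline, for comparison."""
    return [c.cve_id for c in sorted(cves, key=lambda c: c.cvss, reverse=True)]


def rank_by_risk(cves: list[Cve]) -> list[str]:
    return [c.cve_id for c in sorted(cves, key=risk_score, reverse=True)]


def plan_patch_window(cves: list[Cve], capacity_hours: float) -> list[str]:
    """Greedy fill: walk the risk-ranked list, take each fix that still fits."""
    chosen, remaining = [], capacity_hours
    for c in sorted(cves, key=risk_score, reverse=True):
        if c.patch_hours <= remaining:
            chosen.append(c.cve_id)
            remaining -= c.patch_hours
    return chosen


# Constructed sample inventory (ids and numbers are placeholders).
SAMPLE = [
    Cve("CVE-0000-0001", 9.8, 0.02, False, 3, 8.0),    # critical, rarely exploited
    Cve("CVE-0000-0002", 6.5, 0.00, True, 200, 4.0),   # medium, but actively exploited
    Cve("CVE-0000-0003", 7.5, 0.60, False, 50, 10.0),  # high, likely to be exploited
    Cve("CVE-0000-0004", 5.3, 0.90, False, 500, 6.0),  # medium, very likely, widespread
]

if __name__ == "__main__":
    print("severity order:", rank_by_severity(SAMPLE))
    print("risk order:    ", rank_by_risk(SAMPLE))
    print("12h window:    ", plan_patch_window(SAMPLE, 12.0))
```

On the sample the severity-only order starts with the 9.8 flaw that almost nobody exploits, while the risk order and the 12-hour window both put the widely exposed, actively exploited flaws first.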
“Understanding the numbers is one thing, but acting on them is what truly matters,” Leverett stated. Organizations that leverage this data for their security planning can better reduce exposure and mitigate risk while staying ahead of potential attackers.