Record-breaking number of vulnerabilities predicted for 2025

A new report predicts a record-breaking 41,000 to 50,000 new Common Vulnerabilities and Exposures (CVEs) this year, based on data from the National Vulnerability Database (NVD).

The forecast, from the Forum of Incident Response and Security Teams (FIRST), suggests an 11 percent increase compared to 2024, and a whopping 470 percent increase compared to 2023.

"The number of reported vulnerabilities isn't just growing, it's accelerating," says Eireann Leverett, FIRST liaison and lead member of FIRST's Vulnerability Forecasting Team. "A combination of new players in the CVE ecosystem, evolving disclosure practices, and a rapidly expanding attack surface is fueling this surge. Security teams can no longer afford to be reactive; they must anticipate and prioritize threats before they escalate."

New contributors to the CVE ecosystem, such as Linux and Patchstack, are influencing the volume of disclosed vulnerabilities. The report also shows that memory safety vulnerabilities are declining, while cross site scripting of vulnerabilities are increasing.

The forecast for 2026 anticipates further growth, with an estimated minimum of 51,299 CVEs, emphasizing the long-term challenge of vulnerability management.

To tackle all of this organizations are urged to take a more strategic approach to risk management, prioritizing vulnerabilities that are at greatest risk of exploitation, using threat intelligence and predictive insights to identify them. Incident response teams should also anticipate surges in vulnerability reports and allocate resources accordingly.

"Understanding the numbers is one thing, acting on them is what truly matters," adds Leveret. "Organizations that use this data to guide their security planning can reduce exposure, mitigate risk, and stay ahead of attackers."

You can read more on the FIRST blog.

Image credit: weerapat/depositphotos.com