FIRST predicts an estimated 45,505 vulnerabilities in 2025, resulting in a predicted 11% increase compared to 2024, and a staggering 470% increase compared to 2023
The Forum of Incident Response and Security Teams (FIRST), a leading global cybersecurity nonprofit, today released its 2025 Vulnerability Forecast, predicting a record-breaking 41,000 to 50,000 new Common Vulnerabilities and Exposures (CVEs) this year, based on data from the National Vulnerability Database (NVD). This sharp rise underscores the increasing complexity of the cyber threat landscape, requiring organizations to rethink how they prioritize and mitigate risk.
“The number of reported vulnerabilities isn’t just growing, it’s accelerating,” said Eireann Leverett, FIRST liaison and lead member of FIRST’s Vulnerability Forecasting Team. “A combination of new players in the CVE ecosystem, evolving disclosure practices, and a rapidly expanding attack surface is fueling this surge. Security teams can no longer afford to be reactive; they must anticipate and prioritize threats before they escalate.”
Key findings from FIRST’s Vulnerability Forecast for 2025 include:
- An estimated mean of 45,505 CVEs in 2025, resulting in a predicted 11% increase compared to 2024, and a whopping 470% increase compared to 2023.
- Quarterly fluctuations are expected to stabilize compared to 2024, though disclosure rates may still be influenced by threat actor activity and reporting trends.
- New contributors to the CVE ecosystem, such as Linux and Patchstack, are influencing the volume of disclosed vulnerabilities.
- Memory safety vulnerabilities are declining, while cross site scripting of vulnerabilities are increasing.
- 2026 forecast anticipates further growth, with an estimated minimum of 51,299 CVEs, emphasizing the long-term challenge of vulnerability management.
The rise in vulnerabilities stems from a mix of technological shifts, disclosure policy changes, and geopolitical tensions:
- More software, more vulnerabilities: The rapid adoption of open-source software and AI-driven vulnerability discovery has made it easier to identify and report flaws.
- State-sponsored cyber activity: Governments and nation-state actors are increasingly engaging in cyber operations, leading to more security weaknesses being exposed.
- CVE ecosystem changes: Updates in how vulnerabilities are assigned and reported, along with funding challenges, have altered disclosure patterns.
With a record number of vulnerabilities on the horizon, organizations must shift from reactive security to strategic risk management. They should:
- Patching: Prioritize vulnerabilities that pose the greatest risk of exploitation, rather than trying to patch everything at once. Scale your team and resources strategically to optimize deployment and monitoring of your attack surface. Find ways of predicting patch effort, and plan for realistic downtime to match your capabilities. Planned and predictive maintenance can be achieved.
- Refine risk assessment: Use threat intelligence and predictive insights to identify vulnerabilities that pose the greatest danger. Consider not just the immediate risk but also how it evolves over time—factoring in the rate of vulnerability discovery, exploit creation, and exploitation prevalence.
- Prepare for disclosure trends: Incident response teams should anticipate surges in vulnerability reports and allocate resources accordingly. It is more important to understand how a sequence of vulnerabilities leaves your team exhausted than looking for ‘the big one’. Combinations not catastrophes.
“Understanding the numbers is one thing, acting on them is what truly matters,” said Leverett, who is also a CTO at Killara Cyber. “Organizations that use this data to guide their security planning can reduce exposure, mitigate risk, and stay ahead of attackers.”
METHODOLOGY: The FIRST 2025 Vulnerability Forecast is based on historical data analysis, predictive time series modeling, and disclosure trends from the National Vulnerability Database (NVD). It focuses on publicly reported vulnerabilities rather than estimating the total number of security flaws worldwide. Data sources include:
- NVD records from previous years
- MITRE CVE records
- CVE production rates from both established and new CVE Numbering Authorities (CNAs)
- Observations on AI-driven discovery, open-source adoption, and cyber espionage
If you are interested in how these forecasts are produced and how to make them more usable in managing cyber risk, please consider attending the next Vulnerability Forecasting conference in Cambridge, England next September 18 and 19th.
