The 2025 Spike in Vulnerabilities Isn't the Full Story

Author: Yonatan Keller, Analyst Team Lead
Published on January 8, 2026
Blog

2025 was another record-breaking year for vulnerabilities. CVE volume continued to climb, analyst backlogs grew, and attackers moved faster, often exploiting known flaws rather than chasing the latest headlines. A closer look at the 2025 data reveals several trends that challenge how vulnerability risk is commonly assessed and prioritized.

1. CVE growth continues to accelerate, but volume is not risk

The exponential growth in CVE disclosures shows no sign of slowing. In 2025, 46,407 CVEs were published, up from 40,009 in 2024 (a 16% year-over-year increase). This translates to an average of 127 new CVEs per day, further straining already overloaded vulnerability triage processes. Importantly, this growth does not necessarily indicate a proportional increase in real-world risk. Structural changes in disclosure practices play a significant role: for example, the Linux kernel team's decision in early 2024 to operate as its own CVE Numbering Authority (CNA), combined with a policy of assigning CVEs to nearly all kernel bug fixes, has resulted in thousands of issues being tracked as CVEs that would previously have been handled as routine maintenance.

2. Fewer serious vulnerabilities, at least on paper

The share of high-severity vulnerabilities continues to decline. In 2025, critical vulnerabilities accounted for just 7.4% of all CVEs, down from 12.8% in 2024. High-severity vulnerabilities also dropped, from 35.2% to 30%.

One likely contributor to this trend is the gradual transition to CVSS 4.0 throughout 2025. CVSS 4.0 computes base scores from a different metric set than CVSS 3.1, so severity shares for the two years are not directly comparable, and a lower share of Critical ratings does not by itself mean fewer dangerous bugs were disclosed.

3. The NVD backlog crisis is worsening 

The NVD enrichment backlog reached new highs in 2025. Only 28% of newly disclosed CVEs were fully analyzed by NVD, down sharply from 46.2% in 2024.

As a result, there are now 54,914 CVEs disclosed in 2024–2025 still awaiting full NVD enrichment, undermining workflows that rely on timely CVSS scoring and metadata to drive remediation decisions.
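The practical consequence of the backlog is that a pipeline keyed on NVD's CVSS score silently drops, or scores as zero, every CVE still "Awaiting Analysis". The added example below (not code from the original post or from Zafran) shows one way to handle that: read the `vulnStatus` field of records shaped like the NVD CVE API 2.0 response, report what share has been enriched, and fall back to the CNA-supplied (`type: "Secondary"`) CVSS metric when NVD's own (`type: "Primary"`) metric is absent. The records are constructed sample data, not real NVD output; the field names follow the NVD 2.0 schema.

```python
from collections import Counter

# Constructed sample shaped like the NVD CVE API 2.0 response (not real NVD data).
SAMPLE_RESPONSE = {
    "vulnerabilities": [
        {"cve": {"id": "CVE-2025-0001", "vulnStatus": "Analyzed",
                 "metrics": {"cvssMetricV31": [
                     {"source": "nvd@nist.gov", "type": "Primary",
                      "cvssData": {"baseScore": 9.8, "baseSeverity": "CRITICAL"}},
                     {"source": "cna@example.com", "type": "Secondary",
                      "cvssData": {"baseScore": 8.8, "baseSeverity": "HIGH"}}]}}},
        {"cve": {"id": "CVE-2025-0002", "vulnStatus": "Awaiting Analysis",
                 "metrics": {"cvssMetricV40": [
                     {"source": "cna@example.com", "type": "Secondary",
                      "cvssData": {"baseScore": 7.1, "baseSeverity": "HIGH"}}]}}},
        {"cve": {"id": "CVE-2025-0003", "vulnStatus": "Awaiting Analysis",
                 "metrics": {}}},
        {"cve": {"id": "CVE-2025-0004", "vulnStatus": "Undergoing Analysis",
                 "metrics": {"cvssMetricV31": [
                     {"source": "cna@example.com", "type": "Secondary",
                      "cvssData": {"baseScore": 5.3, "baseSeverity": "MEDIUM"}}]}}},
    ]
}

# vulnStatus values that mean NVD has finished (or later revised) its own analysis.
ENRICHED_STATUSES = {"Analyzed", "Modified"}
# Newest CVSS version first; the first pool holding a metric of the wanted type wins.
METRIC_KEYS = ("cvssMetricV40", "cvssMetricV31", "cvssMetricV30")


def status_breakdown(response):
    """Return (Counter of vulnStatus, fraction of records NVD has enriched)."""
    counts = Counter(v["cve"].get("vulnStatus", "Unknown")
                     for v in response["vulnerabilities"])
    total = sum(counts.values())
    enriched = sum(n for status, n in counts.items() if status in ENRICHED_STATUSES)
    return counts, (enriched / total if total else 0.0)


def best_available_score(cve):
    """Pick a CVSS base score together with its provenance.

    Prefer NVD's own 'Primary' metric; fall back to a CNA-supplied 'Secondary'
    metric so an unenriched record still gets a score; return None when the
    record carries no metrics at all.
    """
    metrics = cve.get("metrics", {})
    for wanted_type, label in (("Primary", "nvd"), ("Secondary", "cna")):
        for key in METRIC_KEYS:
            for m in metrics.get(key, []):
                if m.get("type") == wanted_type:
                    data = m["cvssData"]
                    return data["baseScore"], data["baseSeverity"], label
    return None


def triage(response):
    """Map CVE id -> (severity, score, provenance). Records with no score at all
    are flagged UNSCORED instead of silently sorting to the bottom as 0.0."""
    result = {}
    for v in response["vulnerabilities"]:
        cve = v["cve"]
        picked = best_available_score(cve)
        if picked is None:
            result[cve["id"]] = ("UNSCORED", None, cve.get("vulnStatus", "Unknown"))
        else:
            score, severity, label = picked
            result[cve["id"]] = (severity, score, label)
    return result
```

Keeping the provenance label ("nvd" versus "cna") in the output matters: a CNA score is a usable interim signal, but it has not been through NVD's review, and the UNSCORED bucket is exactly the set that needs a different signal (exploitation evidence, exposure) rather than a default of "low".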

4. AI vulnerability counts remain low, but are likely significantly underreported

For the full year of 2025, an estimated 1,418 AI-specific CVEs affecting AI frameworks, inference engines, or AI-integrated tools were disclosed, representing roughly 3% of all newly published CVEs. In addition, at least 13 AI-related vulnerabilities were added to CISA's KEV catalog in 2025, a small fraction of the 883 CVEs that VulnCheck observed being exploited for the first time that year.

Notably, AI-related vulnerabilities skew heavily toward higher impact, with 57% rated High and 37% rated Critical, far exceeding the severity distributions seen in other software categories.

That said, these figures likely underrepresent the true scale of AI risk. Only CVEs fully analyzed by NVD were consistently classified as AI-related; many AI vulnerabilities are never reported to NVD or assigned CVE IDs at all; and MITRE only formally introduced CWE-1434 (Insecure Setting of Generative AI Model Inference Parameters) late in 2025, limiting systematic classification earlier in the year.

5. Exploitation increasingly requires user interaction, but lower privileges

Exploitation patterns continue to shift. In 2025, 31% of newly disclosed CVEs required user interaction, up from 22% the previous year. At the same time, the proportion of vulnerabilities exploitable with low privileges jumped dramatically, from 23% to 39%.

6. Missing Authorization flaws surge

While 2024 saw a focus on authentication failures (account compromise), 2025 marks a clear shift toward missing authorization vulnerabilities. These are flaws that let an attacker who already controls an account exceed the permissions intended for it.
Missing Authorization (CWE-862) vulnerabilities now represent 5.2% of all CVEs disclosed in 2025, a 62% increase year over year, making it the fourth most common weakness, behind XSS, SQL injection, and CSRF. The growing prevalence of AI-generated code, which often omits robust permission checks, may be contributing to this trend.
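What CWE-862 looks like in code, as an added example that is not from the original post: the handler is reached only by authenticated users, yet it never asks whether this user may see this object, so any logged-in customer can read any invoice by guessing an ID. The hardened version moves the decision into a policy that runs before the handler body and treats "not found" and "not yours" identically. The users, roles, invoice store and function names are hypothetical, and the sample data is constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    user_id: int
    role: str  # "customer" or "support" (hypothetical roles)


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner_id: int
    total: float


# Constructed sample data: two customers, one invoice each.
INVOICES = {
    101: Invoice(101, owner_id=1, total=42.00),
    102: Invoice(102, owner_id=2, total=1999.99),
}


class Forbidden(Exception):
    """Raised when the caller is authenticated but not authorized."""


def get_invoice_vulnerable(current_user: User, invoice_id: int) -> Invoice:
    """CWE-862 as it usually appears: authentication happened upstream, the
    handler trusts the client-supplied ID, and nobody checks ownership."""
    return INVOICES[invoice_id]


def invoice_policy(current_user: User, invoice: Invoice) -> bool:
    """Object-level rule: the owner and support staff may read; nobody else."""
    return invoice.owner_id == current_user.user_id or current_user.role == "support"


def authorized(policy):
    """Decorator that loads the object, evaluates the policy, and refuses before
    the handler body runs. A missing object and a forbidden one raise the same
    error so an attacker cannot enumerate which IDs exist."""
    def wrap(handler):
        def inner(current_user: User, invoice_id: int):
            invoice = INVOICES.get(invoice_id)
            if invoice is None or not policy(current_user, invoice):
                raise Forbidden(f"user {current_user.user_id} may not read invoice {invoice_id}")
            return handler(current_user, invoice)
        return inner
    return wrap


@authorized(invoice_policy)
def get_invoice_fixed(current_user: User, invoice: Invoice) -> Invoice:
    """The handler body only ever sees an object the caller is allowed to read."""
    return invoice


def can_read(current_user: User, invoice_id: int, handler) -> bool:
    """Probe a handler the way a test or scanner would: True if it returns."""
    try:
        handler(current_user, invoice_id)
        return True
    except (Forbidden, KeyError):
        return False
```

The decorator is the important part: when the check lives in each handler, the next endpoint someone (or an assistant) writes is the one that forgets it, which is exactly the pattern the CWE-862 growth suggests. Centralizing the policy also gives you one place to test, and tests like `can_read(alice, bobs_invoice, ...)` belong in the suite for every object-returning route.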

7. CISA’s KEV catalog expanded rapidly but still lags reality

CISA added 245 vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog in 2025, bringing the total to 1,484 entries. Notably, one in six vulnerabilities ever added to the KEV list was included in 2025 alone, underscoring the accelerating pace of exploitation.

However, the KEV catalog continues to lag behind observed exploitation. While CISA added 245 CVEs in 2025, VulnCheck identified 883 newly exploited CVEs during the same period. The gap widened compared to 2024, when the figures were 185 and 717 respectively.

8. Attackers continue to exploit older vulnerabilities

Despite constant attention on newly disclosed flaws, attackers overwhelmingly favor known vulnerabilities. VulnCheck KEV data indicates that 81% of CVEs first exploited in 2025 were disclosed before 2025.

This reinforces a recurring lesson: prioritizing vulnerabilities based solely on recency is counterproductive.

9. Network edge devices remain prime targets

For the full year of 2025, network edge devices, including VPNs, firewalls, and routers, consistently ranked among the most valuable exploitation targets. These systems accounted for 18.3% of vulnerabilities first exploited in 2025, a larger share than most other asset categories.
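Sections 7 through 9 point at the same operational change: rank by exploitation evidence (from CISA KEV plus a broader feed, since CISA's list lags) and by exposure (internet-facing edge devices), not by disclosure date. The added example below, which is not code from the original post or from Zafran, puts that into a small scoring model and contrasts it with recency ordering; it also computes the "exploited but disclosed before this year" share that the 81% figure describes. The findings, the asset taxonomy and the weights are constructed assumptions for illustration, not a recommended formula.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Finding:
    cve: str
    published: date
    cvss: float
    cisa_kev: bool          # listed in CISA's KEV catalog
    other_kev: bool         # exploitation reported by a broader feed (e.g. VulnCheck KEV)
    asset_class: str        # "edge", "server" or "workstation" (assumed taxonomy)
    internet_exposed: bool


# Constructed findings, not real inventory data.
FINDINGS = [
    Finding("CVE-2023-1111", date(2023, 5, 2), 8.2, True, True, "edge", True),
    Finding("CVE-2025-2222", date(2025, 11, 20), 9.8, False, False, "server", False),
    Finding("CVE-2025-3333", date(2025, 6, 15), 7.5, False, True, "workstation", False),
    Finding("CVE-2024-4444", date(2024, 9, 9), 6.5, False, False, "edge", True),
]

# Assumed weights: confirmed exploitation dominates, then exposure, then severity.
EXPLOITED_BONUS = 10.0
EDGE_BONUS = 4.0
EXPOSED_BONUS = 3.0


def exploited(f: Finding) -> bool:
    """Union of feeds: CISA's catalog lags observed exploitation, so a broader
    feed is consulted as well rather than waiting for the CISA entry."""
    return f.cisa_kev or f.other_kev


def exposure_priority(f: Finding) -> float:
    """Severity is the floor; exploitation and exposure add on top of it, so an
    old exploited edge-device bug outranks a brand-new unexploited Critical."""
    score = f.cvss
    if exploited(f):
        score += EXPLOITED_BONUS
    if f.asset_class == "edge":
        score += EDGE_BONUS
    if f.internet_exposed:
        score += EXPOSED_BONUS
    return score


def rank_by_recency(findings):
    """The anti-pattern: newest disclosure first, regardless of exploitation."""
    return [f.cve for f in sorted(findings, key=lambda f: f.published, reverse=True)]


def rank_by_exposure(findings):
    return [f.cve for f in sorted(findings, key=exposure_priority, reverse=True)]


def share_exploited_disclosed_before(findings, year: int) -> float:
    """Of the exploited findings, the fraction disclosed before `year`."""
    ex = [f for f in findings if exploited(f)]
    if not ex:
        return 0.0
    return sum(1 for f in ex if f.published.year < year) / len(ex)
```

On the constructed data the two orderings are close to reversed: recency puts the unexploited CVSS 9.8 server bug first and the two-year-old exploited VPN bug last, while the exposure ranking does the opposite. The weights are the part to argue about internally; the structure (exploitation evidence from more than one feed, plus where the asset sits) is the part the 2025 numbers support.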

10. Zero-days and one-days are becoming more common

Exploitation speed continues to increase. VulnCheck KEV data shows that 32% of newly exploited vulnerabilities in 2025 were leveraged either before public disclosure or within 24 hours of it, up from 23.6% in 2024.

This trend further compresses defender response windows and challenges detection- and patch-first security models.

11. Ransomware dominates headlines, not exploitation volume

Despite its visibility, ransomware remains responsible for a relatively small fraction of newly exploited vulnerabilities. In 2025, only 40 out of 883 newly exploited CVEs (4.5%) were directly mapped to known ransomware groups. 

While attribution gaps may understate the true figure, ransomware activity alone does not explain broader exploitation trends.

A Practical Guide: Evolving from VM to CTEM

Traditional vulnerability management must change. Many teams are drowning in detections yet still lack insight, while the time-to-exploit window sits at 5 days. Implementing a Continuous Threat Exposure Management (CTEM) program is the path forward. Moving from vulnerability management to CTEM doesn't have to be complicated. This guide outlines steps you can take to begin, continue, or refine your CTEM journey.
