Vulnerability reports set yet another record this year

According to data analyzed from the National Vulnerability Database (NVD), 48,177 issues were assigned a 2025 Common Vulnerabilities and Exposures (CVE) identifier, setting a new record for the ninth consecutive year.

Ongoing changes in the CVE-reporting ecosystem are more responsible for the surge than an increase in cybersecurity risk, even though the flood of security issues makes it difficult for businesses to prioritize their patching procedures. For the first time, MITRE, the government technology nonprofit that supports the CVE program, has dropped to fourth place and is no longer the top issuer of CVE identifiers.

Rather, the Linux Kernel and researcher-driven CVE-numbering authorities (CNAs), like VulDB, greatly increased their own submissions to the database and became the CNAs with the second- and third-highest volumes of vulnerability reports, while three companies that assist in securing WordPress installations—Patchstack, Wordfence, and WPScan—account for 23% of all vulnerabilities found in 2025.

Researcher-driven threat intelligence service number two on the list

According to Marc Ruef, VulDB's vulnerability research lead, the company has concentrated on facilitating communications with Asian researchers, which has led to the issuance of 5,900 CVEs.

"Asian security researchers and their American or European counterparts have historically faced a language and cultural barrier," he notes, adding that the company has observed "an increase in submissions from researchers in China, Japan, and South Korea." Interestingly, these researchers frequently concentrate on products that are less widely used in the West, offering information about various geographical areas and ecosystems.

With 5,679 issues recorded in the NVD, the Linux kernel CNA had the third-highest number of CVE-identified vulnerabilities.

Since becoming a CNA in February 2024, the Linux kernel team has issued CVE identifiers in a very cautious manner, essentially designating every kernel bug as a potential vulnerability and frequently postponing the analysis of the security implications. According to an explainer on Kernel.org, "the CVE assignment team is overly cautious and assigns CVE numbers to any bugfix that they identify" because any kernel bug could jeopardize the kernel's security.

(Because the KEV Catalog is only five years old, there was a spike in additions during its first two years, 2021 and 2022, as sources revealed the exploitation of outdated vulnerabilities.) However, according to Martin of Flashpoint, some known-exploited vulnerabilities are far more serious than others, making that signal messy as well. He explains that which threat actors are using KEVs matters more than how many KEVs there are.

According to him, "some of these KEVs will probably never be of a concern to any business because it might be in hobby software or a Discord plug-in."

"It all boils down to our initial question, which is: Does the organization know what software they run or not?"

According to experts, businesses should prioritize keeping accurate records of their software assets, covering the software used by both their development teams and their enterprise operations. According to Alex Plaskett, a security and exploit researcher at NCC Group, a cybersecurity consultancy, a security team that knows what software its company uses can prioritize vulnerabilities more effectively and make that software more resilient.