By Éireann Leverett
Tuesday, January 07, 2025
In 2025 we expect another record-breaking year of CVE production. This year we expect 45,505 +/- 4,363 CVEs to be published in the calendar year (CY). There's a 5% chance the actual number exceeds the maximum (49,868) and a 5% chance it is less than the minimum (41,142). Rather than give you a false sense of precision, it's probably far easier to say we expect between 41k and 50k vulnerabilities in calendar year (CY) 2025.
date | mean | mean_se | mean_ci_lower | mean_ci_upper |
---|---|---|---|---|
2025-12-31 | 45505 | 2226 | 41142 | 49868 |
2026-12-31 | 51299 | 3051 | 45320 | 57279 |
Visualising that alongside the last few years, here's our prediction for 2025 (and, if you need it, a less certain projection into 2026).
So how will Q1-Q4 look?
Whenever you build a model, you have to make choices.
One regular choice to be made is how much weight you give to different periods of history. Getting specific, do we assume the quarterly seasonality of last year will be the same this year?
As we can see here, the numbers of CVEs reached new records last year, but they also plummeted back to their previous levels. The last four quarters have been very volatile, and we believe that is not a reflection of how things would normally be. So this year we have chosen to put very little weight on the differences between quarters, and to assume the quarters will be more evenly distributed, as in the years before 2024. This may of course turn out to be wrong, but it captures why forecasting is hard.
date | mean | mean_se | mean_ci_lower | mean_ci_upper |
---|---|---|---|---|
2025-03-31 | 11421 | 589 | 10266 | 12576 |
2025-06-30 | 12130 | 658 | 10840 | 13420 |
2025-09-30 | 12114 | 723 | 10697 | 13530 |
2025-12-31 | 12582 | 819 | 10976 | 14188 |
Please note that the quarterly forecasts are produced with different algorithms than the yearly forecast. Thus the numbers for all four quarters won't sum to the amount in the yearly forecast. This is deliberate: we prefer to use the most accurate algorithm and hyperparameters for each of the two types of forecast, rather than falsely try to make them consistent with each other.
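As an added example (not code from the original post or from the forecasting team), the following Python recovers the interval bounds in both tables above from their `mean` and `mean_se` columns, and then runs the check a reader of the note above would want: whether the four quarterly forecasts, added together, are statistically compatible with the yearly forecast even though they do not sum to it. Treating the quarterly errors as independent when combining their standard errors is an assumption of the example, not something the post states.

```python
import math

# Two-sided 95% normal quantile. Both tables in the post use mean +/- 1.96 * mean_se.
Z95 = 1.959964

# Values copied from the post's two tables (quarterly values rounded to 3 decimals).
YEARLY_2025 = {"mean": 45505.0, "se": 2226.0, "lower": 41142.0, "upper": 49868.0}
YEARLY_2026 = {"mean": 51299.0, "se": 3051.0, "lower": 45320.0, "upper": 57279.0}
QUARTERS_2025 = [
    ("2025-03-31", 11420.823, 589.152),
    ("2025-06-30", 12130.018, 658.021),
    ("2025-09-30", 12113.847, 722.755),
    ("2025-12-31", 12581.691, 819.404),
]


def normal_ci(mean: float, se: float, z: float = Z95) -> tuple:
    """Lower and upper bound of a normal predictive interval mean +/- z * se."""
    return mean - z * se, mean + z * se


def implied_z(lower: float, upper: float, se: float) -> float:
    """Recover the z multiplier a published interval corresponds to."""
    return (upper - lower) / (2.0 * se)


def sum_quarters(quarters) -> tuple:
    """Point forecast and standard error of the four quarters added together.

    The se assumes independent quarterly forecast errors (an assumption of this
    example, not of the post); positively correlated errors would make it larger.
    """
    mean = sum(m for _, m, _ in quarters)
    se = math.sqrt(sum(s * s for _, _, s in quarters))
    return mean, se


def compatibility_z(yearly, quarters) -> float:
    """Number of combined standard errors separating the summed quarterly
    forecast from the yearly forecast. |z| below Z95 means the two numbers
    disagree by less than their joint uncertainty."""
    q_mean, q_se = sum_quarters(quarters)
    return (q_mean - yearly["mean"]) / math.hypot(yearly["se"], q_se)


if __name__ == "__main__":
    for label, row in (("2025", YEARLY_2025), ("2026", YEARLY_2026)):
        lo, hi = normal_ci(row["mean"], row["se"])
        print(f"{label}: {lo:.0f} .. {hi:.0f} (table: {row['lower']:.0f} .. "
              f"{row['upper']:.0f}), implied z = "
              f"{implied_z(row['lower'], row['upper'], row['se']):.2f}")
    q_mean, q_se = sum_quarters(QUARTERS_2025)
    print(f"quarters summed: {q_mean:.0f} +/- {Z95 * q_se:.0f} "
          f"vs yearly {YEARLY_2025['mean']:.0f}")
    print(f"compatibility z = {compatibility_z(YEARLY_2025, QUARTERS_2025):.2f}")
```

Running it reproduces the published bounds to within rounding, shows the quarters summing to roughly 48,246 against a yearly 45,505, and gives a compatibility z of about 1.04, so the two forecasts differ by less than their joint uncertainty. One caveat on reading the intervals: under a normal model, mean +/- 1.96 se leaves about 2.5% in each tail rather than 5%; the practical reading in the post, 41k to 50k, is unaffected.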
We’ll revisit these quarterly forecasts throughout the year and update them, as usual for those who plan on a quarter-by-quarter basis. Now that we’ve given you our predictions for 2025 in both yearly and quarterly formats, it’s worth saying a few things about using them and our quest for more usability.
We are still learning how to make and deliver forecasts, and we're humble about it. We can use your feedback about what you use the forecasts for and how we can make them more useful for you. We have much to learn about making forecasts usable and useful for incident responders, and that's why we review our previous year's performance so we can improve accuracy. However, it's not really accuracy that we're worried about: we know that smart risk managers can handle uncertainty bars. What we really want to know is how we can CHANGE forecasts or predictions to make them more relevant to your work.
If you're new to all this, here's a short list of ways we have discovered others use them:
- If you work inside the CVE ecosystem and want to plan budgets, time, and people for tasks such as coordinating disclosures, writing vulnerability alerts, or publishing CVEs themselves. Many of our readers and conference attendees come from within the global coordinated disclosure ecosystem.
- If you work in a large organisation with a very large amount of things to patch, you need to think in advance about how you plan and execute that work. Adjusting the size of your team or other resources around how you will deploy patches and monitor your attack surface is our most commonly described use case. Probably the largest number of our readers and attendees know it costs them money to patch and want to optimise their spend against their risk reduction.
- If you work in OT/ICS and need to plan predictive maintenance that includes security patches, the planning of maintenance windows can take the number of expected patches into account, even though there are usually many other more important concerns.
- If you work in incident response and want to think about how many new detection signatures you might need to create or use.
- If you are a policy maker trying to understand the burden on users of evaluating CVEs for their cyber risk cost/benefit, it helps to see the size of the problem.
- If you are in the cyber risk industry and thinking about the dynamics of the risk over time, then the rate of vulnerability discovery and the rate of exploit creation are highly relevant. Even with those two factors it is still useful to consider the prevalence of a vulnerability and the rate of exploitation. While those factors are not part of these forecasts, we hope the forecasts help you plan and discuss how those other factors affect your cyber risk in insurance, re-insurance, ILS or bond markets.
If you have other uses or requirements of these forecasts, then get in touch with us. We are listening to CERT teams and what we can do to be more prepared for the vulnerabilities of tomorrow, instead of simply responding after they are disclosed.
Eireann Leverett and the vulnerability forecasting team