A New Analysis Predicts a Record Number of Reported Vulnerabilities in 2025

Analysis by FIRST

A new analysis by the Forum of Incident Response and Security Teams (FIRST) predicts that the number of reported vulnerabilities will reach record highs in 2025. The report forecasts almost 50,000 vulnerabilities, an 11% increase from 2024 and a 470% increase from 2023. The analysis suggests that organizations need to shift from reactive security measures to a more strategic approach that prioritizes vulnerabilities based on risk, plans patching efforts efficiently, and prepares for surges in disclosures rather than struggling to keep up after the fact.

Why Are Vulnerabilities Increasing?

1. AI-driven discovery and open-source expansion are accelerating CVE disclosures.

AI is making it easier to detect vulnerabilities in software, leading to more CVE (Common Vulnerabilities and Exposures) reports. AI allows security researchers to scan larger amounts of code to quickly identify flaws that would have gone unnoticed using traditional methods.

“More software, more vulnerabilities: The rapid adoption of open-source software and AI-driven vulnerability discovery has made it easier to identify and report flaws.”

2. Cyber Warfare and State-Sponsored Attacks

State-sponsored attacks are increasing, leading to more security weaknesses being exposed.

“State-sponsored cyber activity: Governments and nation-state actors are increasingly engaging in cyber operations, leading to more security weaknesses being exposed.”

3. Shifts in CVE Ecosystem

Patchstack, a WordPress security company, is identifying and patching vulnerabilities. Their work is adding to the number of vulnerabilities discovered every year. Patchstack offers vulnerability detection and virtual patches. Patchstack’s participation in this ecosystem is helping expose more vulnerabilities, particularly those affecting WordPress.

“New contributors to the CVE ecosystem, including Linux and Patchstack, are influencing disclosure patterns and increasing the number of reported vulnerabilities. Patchstack, which focuses on WordPress security, is playing a role in surfacing vulnerabilities that might have previously gone unnoticed. As the CVE ecosystem expands, organizations must adapt their risk assessment strategies to account for this evolving landscape.”

Looking Ahead to 2026 and Beyond

The FIRST forecast predicts that over 51,000 vulnerabilities will be disclosed in 2026, signaling that cybersecurity risks will continue to increase. This underscores the growing need for proactive risk management rather than relying on reactive security measures.

Main Takeaways

• Vulnerabilities are increasing – FIRST predicts up to 50,000 CVEs in 2025, an 11% rise from 2024 and 470% increase from 2023.
• AI and open-source adoption are driving more vulnerability disclosures.
• State-sponsored cyber activity is exposing more security weaknesses.
• Shifting from reactive to proactive security is essential for managing risks.

Read the 2025 Vulnerability Forecast:

Vulnerability Forecast for 2025

Featured Image by Shutterstock/Gorodenkoff