Vulnerabilities Surge, But Messy Reporting Blurs Picture

These articles are AI-generated summaries. Please check the original sources for full details.

The number of reported vulnerabilities reached a new high in 2025 with 48,177 CVE identifiers assigned, but this surge is largely due to changes in the CVE reporting ecosystem rather than an increase in actual cyber risk. MITRE has lost its position as the top reporter of vulnerabilities to firms specializing in WordPress security, highlighting a shift in the landscape of vulnerability discovery and reporting.

Why This Matters

The ideal model for vulnerability management assumes complete and accurate data, enabling prioritized patching. However, inconsistent data quality – with only 90% of CVEs having CVSS scores and 60% having CPE entries in 2025 – undermines this ideal, increasing the cost and complexity of remediation. The NVD’s initial failure to renew its data enrichment contract in 2024 illustrates the fragility of the system and potential for significant data gaps.

Key Insights

  • Record CVEs: 48,177 CVEs assigned in 2025, a new record.
  • Shift in Reporting: Patchstack, Wordfence, and WPScan now account for 23% of all CVEs, driven by WordPress plugin vulnerabilities.
  • CVE Farming: The rise of automated vulnerability discovery and LLM-assisted code review leads to duplicate CVE reports, impacting data accuracy.

Practical Applications

  • Use Case: WordPress ecosystem security firms (Patchstack, Wordfence, WPScan) proactively identify and report vulnerabilities in plugins, enhancing security for a large user base.
  • Pitfall: Relying on raw CVE counts without considering data quality and context can lead to misprioritized patching efforts and wasted resources.
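
An added example, not from the source article: a coverage check for the pitfall above, run over constructed records that assume the NVD API 2.0 JSON field names (`metrics`, `configurations`, `cpeMatch`, `sourceIdentifier`). It reports CVSS and CPE coverage, CVE counts per reporting source, and the IDs that lack enrichment and need manual triage; the record IDs, source addresses and the `_rec` helper are made up for illustration.

```python
from collections import Counter

def _rec(cve_id, source, score=None, cpe=None):
    """Build a constructed record shaped like an NVD API 2.0 'cve' object."""
    rec = {"id": cve_id, "sourceIdentifier": source, "metrics": {}}
    if score is not None:
        rec["metrics"]["cvssMetricV31"] = [{"cvssData": {"baseScore": score}}]
    if cpe is not None:
        rec["configurations"] = [{"nodes": [{"cpeMatch": [{"criteria": cpe}]}]}]
    return rec

CPE = "cpe:2.3:a:example:plugin:1.0:*:*:*:*:*:*:*"  # constructed value
SAMPLE = [  # constructed records, not real CVEs
    _rec("CVE-0000-0001", "cna-a@example.test", 9.8, CPE),
    _rec("CVE-0000-0002", "cna-a@example.test", 6.1),        # scored, no CPE
    _rec("CVE-0000-0003", "cna-b@example.test"),             # no enrichment at all
    _rec("CVE-0000-0004", "cna-a@example.test", 7.5, CPE),
    _rec("CVE-0000-0005", "cna-b@example.test", 5.3),        # scored, no CPE
]

def has_cvss(cve):
    # Any non-empty metric list (any CVSS version) counts as scored.
    return any(entries for entries in cve.get("metrics", {}).values())

def has_cpe(cve):
    # A record is matchable to an asset inventory only if some node lists a CPE.
    return any(node.get("cpeMatch")
               for cfg in cve.get("configurations", [])
               for node in cfg.get("nodes", []))

def pct(part, total):
    return round(100 * part / total, 1) if total else 0.0

def audit(records):
    total = len(records)
    return {
        "total": total,
        "cvss_pct": pct(sum(has_cvss(r) for r in records), total),
        "cpe_pct": pct(sum(has_cpe(r) for r in records), total),
        "by_source": Counter(r.get("sourceIdentifier", "unknown") for r in records),
        # Missing data is not "low severity" or "not affected": route to manual triage.
        "needs_review": [r["id"] for r in records
                         if not (has_cvss(r) and has_cpe(r))],
    }

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Records in `needs_review` are the ones a score-sorted or CPE-matched patch queue would silently skip.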
