A new analysis predicts that the number of reported vulnerabilities will reach record highs in 2025, continuing the trend of rising cybersecurity risks and increased vulnerability disclosures.
Analysis By FIRST
The analysis was published by the Forum of Incident Response and Security Teams (FIRST), a global organization that helps coordinate cybersecurity responses. It forecasts almost 50,000 vulnerabilities in 2025, an increase of 11% over 2024 and a 470% increase from 2023. The report suggest that organizations need to shift from reactive security measures to a more strategic approach that prioritizes vulnerabilities based on risk, planning patching efforts efficiently, and preparing for surges in disclosures rather than struggling to keep up after the fact.
Why Are Vulnerabilities Increasing?
There are three trends driving the increase in vulnerabilities.
1. AI-driven discovery and open-source expansion are accelerating CVE disclosures.
AI is vulnerability discovery, including machine learning and automated tools are making it easier to detect vulnerabilities in software which in turn leads to more CVE (Common Vulnerabilities and Exposures) reports. AI allows security researchers to scan larger amounts of code to quickly identify flaws that would have gone unnoticed using traditional methods.
The press release highlights the role of AI:
“More software, more vulnerabilities: The rapid adoption of open-source software and AI-driven vulnerability discovery has made it easier to identify and report flaws.”
2. Cyber Warfare And State-Sponsored Attacks
State-sponsored attacks are increasing which in turn leads to more of these kinds of vulnerabilities being discovered.
The press release explains:
“State-sponsored cyber activity: Governments and nation-state actors are increasingly engaging in cyber operations, leading to more security weaknesses being exposed.”
3. Shifts In CVE Ecosystem
Patchstack, a WordPress security company, identifies and patches vulnerabilities. Their work is adding to the number of vulnerabilities discovered every year. Patchstack offers vulnerability detection and virtual patches. Patchstack’s participation in this ecosystem is helping expose more vulnerabilities, particularly those affecting WordPress.
The press release provided to Search Engine Journal states:
“New contributors to the CVE ecosystem, including Linux and Patchstack, are influencing disclosure patterns and increasing the number of reported vulnerabilities. Patchstack, which focuses on WordPress security, is playing a role in surfacing vulnerabilities that might have previously gone unnoticed. As the CVE ecosystem expands, organizations must adapt their risk assessment strategies to account for this evolving landscape.”
Eireann Leverett, FIRST liaison and lead member of FIRST’s Vulnerability Forecasting Team, highlighted the accelerating growth of reported vulnerabilities and the need for proactive risk management, stating:
“For a small to medium-sized ecommerce site, patching vulnerabilities typically means hiring external partners under an SLA to manage patches and minimize downtime. These companies usually don’t analyze each CVE individually, but they should anticipate increased demands on their third-party IT suppliers for both planned and unplanned maintenance. While they might not conduct detailed risk assessments internally, they can inquire about the risk management processes their IT teams or external partners have in place. In cases where third parties, such as SOCs or MSSPs, are involved, reviewing SLAs in contracts becomes especially important.
For enterprise companies, the situation is similar, though many have in-house teams that perform more rigorous, quantitative risk assessments across a broad (and sometimes incomplete) asset register. These teams need to be equipped to carry out emergency assessments and triage individual vulnerabilities, often differentiating between mission-critical and non-critical systems. Tools like the SSVC (https://www.cisa.gov/ssvc-calculator) and EPSS (https://www.first.org/epss/) can be used to inform patch prioritization by factoring in bandwidth, file storage, and the human element in maintenance and downtime risks.
Our forecasts are designed to help organizations strategically plan resources a year or more in advance, while SSVC and EPSS provide a tactical view of what’s critical today. In this sense, vulnerability forecasting is like an almanac that helps you plan your garden months ahead, whereas a weather report (via EPSS and SSVC) guides your daily outfit choices. Ultimately, it comes down to how far ahead you want to plan your vulnerability management strategy.
We’ve found that Boards of Directors, in particular, appreciate understanding that the tide of vulnerabilities is rising. A clearly defined risk tolerance is essential to prevent costs from becoming unmanageable, and these forecasts help illustrate the workload and cost implications of setting various risk thresholds for the business.”
Looking Ahead to 2026 and Beyond
The FIRST forecast predicts that over 51,000 vulnerabilities will be disclosed in 2026, signaling that cybersecurity risks will continue to increase. This underscores the growing need for proactive risk management rather than relying on reactive security measures.
For users of software like WordPress, there are multiple ways to mitigate cybersecurity threats. Patchstack, Wordfence, and Sucuri each offer different approaches to strengthening security through proactive defense strategies.
The main takeaways are:
- Vulnerabilities are increasing – FIRST predicts up to 50,000 CVEs in 2025, an 11% rise from 2024 and 470% increase from 2023.
- AI and open-source adoption are driving more vulnerability disclosures.
- State-sponsored cyber activity is exposing more security weaknesses.
- Shifting from reactive to proactive security is essential for managing risks.
Read the 2025 Vulnerability Forecast:
Vulnerability Forecast for 2025
Featured Image by Shutterstock/Gorodenkoff
