CVE surge: Why the record rise in new vulnerabilities?

January 28, 2025

Record CVE surge - explaining the ongoing rise in new vulnerabilities

The number of new vulnerabilities published in 2024 jumped by nearly 39% year-on-year, reaching an all-time record of 40,009 new CVEs (Common Vulnerabilities and Exposures).

This compared to 28,818 CVE records published during 2023. To put this in perspective, this growth far outpaced even the rapid rate of increase since 2016, before which numbers had flatlined or fluctuated for many years (see the chart below). Most remarkably, the total number of CVEs published last year accounted for 15.32% of all CVEs that have ever been published.

Since 2016, we’ve now seen a 520% rise in the annual volume of new CVE records, which catalogue publicly known vulnerabilities in software or hardware.

These trends are helpfully documented on CVE.ICU, an open-source project managed by security researcher Jerry Gamblin.

CVE surge: Rise in new vulnerability records annually, 2005 to 2025

The digitisation of everything

So what changed around 2016-2017? And what drove the even sharper rise last year?

The most obvious factor driving the increase in vulnerabilities is the inexorable growth in the volume of code where vulnerabilities might lurk. Attack surfaces are ballooning amid growing adoption of cloud computing, IoT devices and edge computing, the persistence of legacy systems, and the ongoing digitisation of modern life generally. Software is also becoming more complex, broadening opportunities for finding security weaknesses.

And for all the praiseworthy efforts to make applications more secure by design (including security features such as SameSite cookies and wider adoption of DevSecOps development practices), hackers, both malicious and ethical, are getting more sophisticated at finding vulnerabilities. AI, specifically large language models, has been a game-changing accelerant for innovations in vulnerability discovery and exploitation.

As well as more numerous, vulnerabilities are also potentially more impactful on account of the increased integration of third-party components. Log4Shell (an upstream bug), the SolarWinds breach and the Codecov attack (both upstream compromises of a trusted build or distribution chain) are just three of many examples where a single upstream flaw has caused havoc downstream by affecting hundreds or thousands of applications or organisations.

In this context it’s understandable that organisations and regulators have woken up to the importance of vulnerability discovery and management. Within the EU, NIS 2, the Cyber Resilience Act and DORA are three notable recent examples of legislation that mandates vulnerability disclosure and/or puts offensive security best practices front and centre. Investments in security testing, from automated scans to pentests, red team exercises and Bug Bounty, are duly increasing.

Finally, vulnerability disclosure practices have become more standardised, streamlined and widely ingrained as best practice.

Open source, WordPress factors

But do any of these trends account for the record CVE rise witnessed last year? Not according to Jerry Gamblin, who documents CVE trends on CVE.ICU and analyses them on his blog.

“This year's growth originated almost entirely from the top five CNAs [CVE Numbering Authorities],” he told YesWeHack. “These CNAs were specifically created to report CVEs for open-source projects like VulDB, Kernel.org, and GitHub, as well as for WordPress plugins such as Patchstack and Wordfence.

“Collectively, these five CNAs published 17,473 CVEs, making up 43.67% of all CVEs last year. Notably, the Kernel CNA is entirely new, having been founded in mid-February last year and publishing 4,325 CVEs, which is 10.81% of last year’s total CVEs.”

A 2024 report by Synopsys revealed that 84% of analysed codebases contained at least one known open-source vulnerability, with 74% harbouring high-risk vulnerabilities – up from 48% in the previous year. Similarly, Patchstack has discussed the rise in WordPress flaws in its State of WordPress Security In 2024 report.

Whatever weighting you assign to the variables driving the multiyear increase in CVE numbers, one thing is pretty clear: further rises are the most likely outcome for the foreseeable future. Indeed, FIRST (Forum of Incident Response and Security Teams) has forecast “another record-breaking year of CVE production” in 2025.

For CISOs navigating complex regulatory and threat landscapes, it only heightens the importance of increasing the effectiveness of their security testing and vulnerability management regime within the constraints of stagnating or only modestly increasing budgets.

More CVE insights

Other notable stats about 2024 CVE trends to emerge from CVE.ICU:

  • An average of 108 CVE records were published daily, peaking in May, which accounted for 5,010 or 12.5% of the total, with 3 May the busiest single day with 824 new records
  • The average CVSS (Common Vulnerability Scoring System) score was 6.67, with 231 vulnerabilities achieving the highest-possible score of 10.0, and CVE-2024-2365 notching the lowest score of 1.6
  • CVE-2024-20433, a high-severity buffer overflow issue in the Resource Reservation Protocol (RSVP) feature of Cisco IOS, accounted for the highest number of unique vulnerable configurations at 2,434
  • The most common CWE was CWE-79, or XSS, with 6,227 assignments (15.56%) (incidentally, this was also the most common CWE among bugs reported on YesWeHack, as the chart below shows)
  • The most prolific five of all 433 CVE Numbering Authorities (CNAs) were: Patchstack (4,566 CVEs), Kernel.org (4,325), Wordfence (3,525), VulDB (2,936) and GitHub (2,121) – all established to log CVEs for open-source projects or (in the case of Patchstack and Wordfence) focused on WordPress plugins
Top 5 CWEs on YesWeHack 2024
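The aggregates above (per-CNA counts and shares, busiest day, CWE frequency, average CVSS and the year-on-year growth figure) are all derived from the public CVE record data. The Python below is an added example, not code from this article or from CVE.ICU: it reads records in the CVE Record Format 5.x JSON layout (cveMetadata.assignerShortName, datePublished and state; containers.cna.metrics and problemTypes) and computes the same kind of summary. The records it runs on are constructed for illustration, and the CNA short names in them are assumed; real records from the cvelistV5 repository have the same layout and can be passed to the same function.

```python
"""Summarise CVE 5.x JSON records the way the CVE.ICU-style stats above are built.

Added example. The records below are constructed test data, not real CVEs, and
the figures they produce are not the 2024 numbers quoted in the article.
"""
from collections import Counter
from statistics import mean


def _rec(cve_id, cna, published, metrics=None, cwes=(), state="PUBLISHED"):
    """Build a minimal CVE Record Format 5.x dict (constructed data, not a real CVE)."""
    return {
        "dataType": "CVE_RECORD",
        "dataVersion": "5.1",
        "cveMetadata": {"cveId": cve_id, "assignerShortName": cna,
                        "state": state, "datePublished": published},
        "containers": {"cna": {
            "metrics": metrics or [],
            "problemTypes": [{"descriptions": [
                {"type": "CWE", "lang": "en", "cweId": c, "description": c}
                for c in cwes]}] if cwes else [],
        }},
    }


# Constructed sample set. CNA short names are assumed for illustration.
SAMPLE_RECORDS = [
    _rec("CVE-2024-0001", "Patchstack", "2024-05-03T09:00:00.000Z",
         [{"cvssV3_1": {"baseScore": 6.5}}], ["CWE-79"]),
    _rec("CVE-2024-0002", "Wordfence", "2024-05-03T10:00:00.000Z",
         [{"cvssV3_1": {"baseScore": 10.0}}], ["CWE-79"]),
    # Kernel-style record: no CVSS metric and no CWE at all.
    _rec("CVE-2024-0003", "Linux", "2024-05-04T08:00:00.000Z"),
    # Two CWEs on one record, scored with CVSS v4.
    _rec("CVE-2024-0004", "GitHub_M", "2024-06-10T12:00:00.000Z",
         [{"cvssV4_0": {"baseScore": 8.7}}], ["CWE-79", "CWE-20"]),
    # v2 and v3.1 metrics in separate entries; v3.1 must win regardless of order.
    _rec("CVE-2024-0005", "VulDB", "2024-06-10T13:00:00.000Z",
         [{"cvssV2_0": {"baseScore": 5.0}}, {"cvssV3_1": {"baseScore": 4.3}}], ["CWE-89"]),
    # Published in 2023: excluded by the year filter.
    _rec("CVE-2023-9999", "VulDB", "2023-12-31T23:00:00.000Z",
         [{"cvssV3_1": {"baseScore": 7.5}}], ["CWE-79"]),
    # Rejected record: excluded by the state filter.
    _rec("CVE-2024-0006", "Patchstack", "2024-07-01T00:00:00.000Z",
         [{"cvssV3_1": {"baseScore": 9.8}}], ["CWE-79"], state="REJECTED"),
    _rec("CVE-2024-0007", "Patchstack", "2024-05-03T11:00:00.000Z",
         [{"cvssV3_1": {"baseScore": 5.4}}], ["CWE-352"]),
    _rec("CVE-2024-0008", "cisco", "2024-09-25T16:00:00.000Z",
         [{"cvssV3_1": {"baseScore": 8.6}}], ["CWE-120"]),
]

# Preference order when a record carries more than one CVSS version.
_CVSS_KEYS = ("cvssV4_0", "cvssV3_1", "cvssV3_0", "cvssV2_0")


def _cvss_score(cna):
    """Return the base score of the highest-priority CVSS metric, or None if unscored."""
    for key in _CVSS_KEYS:
        for metric in cna.get("metrics", []):
            if key in metric and "baseScore" in metric[key]:
                return float(metric[key]["baseScore"])
    return None


def _cwe_ids(cna):
    """Collect every CWE id assigned in the CNA container's problemTypes."""
    return [d["cweId"]
            for pt in cna.get("problemTypes", [])
            for d in pt.get("descriptions", [])
            if d.get("type") == "CWE" and d.get("cweId")]


def growth_pct(current, previous):
    """Year-on-year growth in percent, rounded to one decimal."""
    return round((current - previous) / previous * 100, 1)


def summarise(records, year=2024):
    """Aggregate published records for one year into the headline statistics."""
    published = [r for r in records
                 if r["cveMetadata"].get("state") == "PUBLISHED"
                 and r["cveMetadata"].get("datePublished", "").startswith(str(year))]
    total = len(published)
    per_cna = Counter(r["cveMetadata"]["assignerShortName"] for r in published)
    per_day = Counter(r["cveMetadata"]["datePublished"][:10] for r in published)
    per_cwe = Counter(c for r in published for c in _cwe_ids(r["containers"]["cna"]))
    # Unscored records are left out of the average rather than counted as 0.0.
    scores = [s for r in published
              if (s := _cvss_score(r["containers"]["cna"])) is not None]
    top5 = per_cna.most_common(5)
    return {
        "total": total,
        "top_cnas": top5,
        "top_cna_share": sum(n for _, n in top5) / total if total else 0.0,
        "busiest_day": per_day.most_common(1)[0] if per_day else None,
        "top_cwe": per_cwe.most_common(1)[0] if per_cwe else None,
        "avg_cvss": round(mean(scores), 2) if scores else None,
        "max_cvss_count": sum(1 for s in scores if s == 10.0),
    }


if __name__ == "__main__":
    print(summarise(SAMPLE_RECORDS))
    print("2023 -> 2024 growth:", growth_pct(40009, 28818), "%")
```

Two details matter when running this over the real record set. The average CVSS is taken only over records that carry a metric, because the kernel CNA does not publish CVSS scores for its records and treating those as 0.0 would drag the mean down by thousands of entries. And the state filter matters because rejected records keep their CVE id in the repository and would otherwise inflate the count.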

STRENGTHEN YOUR SECURITY POSTURE

Bug Bounty, which is inherently agile, continuous and scalable, is cost-effectively adding depth and breadth to the testing regimes of growing numbers of organisations. Combine a YesWeHack Bug Bounty Program with our Attack Surface Management (ASM) product and you can continuously track your proliferating online assets, strategise your testing initiatives and prioritise vulnerability remediation based on vulnerabilities from various security testing channels – also including ASM auto-scans, traditional pentesting and Vulnerability Disclosure Policy (VDP). CONTACT OUR SALES TEAM to book a demo or find out more.