I spend a significant amount of my time thinking about EPSS, CVSS, and the inherent gaps in how we prioritize vulnerabilities. We all know the drill: a 9.8 CRITICAL that remains unexploited shouldn’t jump the line ahead of a 7.5 HIGH that is being actively used in the wild. Closing that gap between theoretical severity and actual exploitability is why I started RogoLabs and why I built cve.icu.
Today, I’m releasing an update to my CVE Intelligence TA for Splunk on Splunkbase. It is a free, open-source Splunk add-on designed to help security teams move past “CVSS-only” thinking.
What’s New in v2.0
The initial release handled basic ingestion, but the feedback I received over the past week was clear: you needed more than just a list of CVEs. You needed context, probability, and speed.
In v2.0, I’ve added three critical enrichment sources to the 327,000+ vulnerabilities in the database:
EPSS (FIRST): Daily probability scores to help you forecast what will be exploited in the next 30 days.
CISA KEV: If it’s in this catalog, it’s being exploited now. This is refreshed every 6 hours.
CISA SSVC: Stakeholder-Specific Vulnerability Categorization data to align your priorities with CISA’s decision-making framework.
I’ve pre-joined these signals into a Risk Priority lookup. It loads instantly, so there is no more waiting on expensive, complex searches to tell you what to patch first.
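As an added illustration of the pre-joined ordering described above (my own example in Python, not code from the CVE Intelligence TA), the following joins constructed CVSS, EPSS and KEV inputs into one ranked lookup. The CVE IDs, scores and the 0.1 EPSS threshold are placeholders I chose, not values from the add-on.

```python
"""Join CVSS, EPSS and CISA KEV signals into one risk-priority lookup.

Added example, not code from the CVE Intelligence TA. All inputs below are
constructed: the CVE IDs are placeholders and the scores are illustrative.
"""
import csv
import io
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

# Constructed sample inputs (placeholder IDs, not real CVE records).
CVSS: Dict[str, float] = {
    "CVE-0000-0001": 9.8,  # critical on paper, no sign of exploitation
    "CVE-0000-0002": 7.5,  # high, but listed in CISA KEV
    "CVE-0000-0003": 8.1,  # high, EPSS says exploitation is likely soon
    "CVE-0000-0004": 5.3,  # medium, negligible EPSS
    "CVE-0000-0005": 9.1,  # critical, no EPSS score published yet
}
EPSS: Dict[str, float] = {  # probability of exploitation within 30 days
    "CVE-0000-0001": 0.004,
    "CVE-0000-0002": 0.620,
    "CVE-0000-0003": 0.410,
    "CVE-0000-0004": 0.010,
}
KEV: Set[str] = {"CVE-0000-0002"}  # IDs present in the CISA KEV catalog


@dataclass(frozen=True)
class RiskRow:
    cve: str
    cvss: float
    severity: str
    epss: Optional[float]  # None when FIRST has not scored the CVE yet
    in_kev: bool
    tier: int  # 1 = in KEV, 2 = EPSS at/above threshold, 3 = everything else


def severity(cvss: float) -> str:
    """CVSS v3.x qualitative rating bands."""
    if cvss >= 9.0:
        return "CRITICAL"
    if cvss >= 7.0:
        return "HIGH"
    if cvss >= 4.0:
        return "MEDIUM"
    if cvss > 0.0:
        return "LOW"
    return "NONE"


def build_lookup(cvss: Dict[str, float], epss: Dict[str, float], kev: Set[str],
                 epss_threshold: float = 0.1) -> List[RiskRow]:
    """Rank CVEs: KEV first (by CVSS), then likely-exploited by EPSS, then the rest by CVSS.

    The 0.1 threshold is an assumed cut-off, not a value from the add-on.
    """
    rows = []
    for cve, score in cvss.items():
        p = epss.get(cve)
        in_kev = cve in kev
        if in_kev:
            tier = 1
        elif p is not None and p >= epss_threshold:
            tier = 2
        else:
            tier = 3
        rows.append(RiskRow(cve, score, severity(score), p, in_kev, tier))
    # Within tier 2 the EPSS probability decides; elsewhere EPSS is noise and CVSS decides.
    rows.sort(key=lambda r: (r.tier, -(r.epss or 0.0) if r.tier == 2 else 0.0, -r.cvss))
    return rows


def to_lookup_csv(rows: Iterable[RiskRow]) -> str:
    """Serialise the ranked rows as a CSV lookup (header first)."""
    buf = io.StringIO()
    w = csv.writer(buf, lineterminator="\n")
    w.writerow(["cve", "cvss", "severity", "epss", "in_kev", "tier"])
    for r in rows:
        w.writerow([r.cve, r.cvss, r.severity,
                    "" if r.epss is None else f"{r.epss:.3f}",
                    "true" if r.in_kev else "false", r.tier])
    return buf.getvalue()


if __name__ == "__main__":
    print(to_lookup_csv(build_lookup(CVSS, EPSS, KEV)))
```

The ordering shows the point made above: the 7.5 HIGH in KEV and the 8.1 with a high EPSS both rank ahead of the unexploited 9.8.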
Dashboards for Practitioners
I’ve included four Dashboard Studio v2 views to help you visualize the landscape:
CVE Explorer: Filter the full database by vendor, CWE, or keyword.
Risk Priority: This is the core of the update. It ranks CVEs by actual risk, allowing you to filter by EPSS thresholds or KEV status immediately.
Vulnerability Landscape: An executive-level view of posture, severity distribution, and KEV growth trends.
Operational Health: A simple way to monitor the add-on’s baseline and incremental delta runs.
Zero Configuration (Really)
I heard you on the setup complexity of v1.x. For v2.0, I wanted a “drop-in” experience. There are no API keys to manage and no setup pages to click through. Once installed, the modular input pulls the baseline and starts hourly updates automatically.
Open Source and Building in Public
This update exists because of the bug reports and feature requests I received from the community over the last seven days. I’m a firm believer in building in public, and your feedback directly shaped the EPSS/KEV integration and the zero-config model.
CVE Intelligence for Splunk is available now on Splunkbase and is licensed under Apache 2.0.
2025 set a new baseline with 48,185 published CVEs. While the sheer volume is climbing, the median CVSS score remained surprisingly stable. We are seeing a distinct shift toward web application flaws (specifically in the CMS ecosystem) and a wider distribution of vendors, proving that vulnerabilities are spreading deeper into the supply chain.
This massive growth is exactly why I launched RogoLabs. I am building free tools like cve.icu (real-time tracking), cnascorecard.org (CNA performance), and cveforecast.org (predictive modeling) to ensure vulnerability data remains accessible and usable for the community.
The takeaway for engineers is simple: you can’t patch everything. With volume at this level, your only move is to ruthlessly prioritize based on exploitability and automate the rest.
TL;DR
In 2025, 48,185 CVEs were published, a 20.6% increase from 2024’s 39,962. The total number of CVEs since 1999 now stands at 308,920.
Note: All statistics in this report exclude rejected CVEs.
Key Statistics at a Glance
Metric                | Value
----------------------|-------
Total CVEs in 2025    | 48,185
Year-over-Year Change | +20.6%
Critical Severity     | 3,984
High Severity         | 15,003
Average CVSS Score    | 6.60
CVSS Coverage         | 91.3%
CWE Coverage          | 92.3%
Active CNAs           | 365
Rejected CVEs (2025)  | 1,787
Historical CVE Growth
The volume of published CVEs increased again in 2025, continuing the established upward trend.
Year-over-year growth fluctuates, but 2025’s 21% growth is significant compared to the previous year. This indicates that despite better tooling, the rate of discovery is outpacing our ability to remediate.
The cumulative CVE count now exceeds 308,000.
2025 Monthly Distribution
The data shows a variable rate of CVE publications throughout 2025. December exhibited the highest volume, totaling 5,500 CVEs. While December is traditionally quieter, 2025 saw an anomalous spike, with over 11% of the year’s total vulnerabilities disclosed in the final month alone.
Publication Patterns by Day of Week
Analysis of CVE publication dates reveals distinct trends linked to vendor release cycles.
Tuesday remains the king of disclosure, with 11,754 CVEs, driven largely by the industry-standard “Patch Tuesday” release cadence. The drop-off is sharp: weekdays averaged 8,918 CVEs, while weekends averaged only 1,796. Security teams can generally expect the quietest period to be Sunday.
Busiest Days of 2025
The data shows significant clustering of CVE publications. The top day, February 26th, saw nearly 800 CVEs published in a single 24-hour window. These spikes create massive “risk windows” where security teams are flooded with data.
Top 5 Busiest Days
Rank | Date       | CVE Count
-----|------------|----------
1    | 2025-02-26 | 793
2    | 2025-12-09 | 660
3    | 2025-12-24 | 494
4    | 2025-06-10 | 485
5    | 2025-01-14 | 478
Most Vulnerable Products
Beyond vendors, specific products exhibiting the highest number of CVEs in 2025:
The data reveals that the Linux Kernel is the single product with the most vulnerabilities (3,649). However, context is vital here: this high number reflects the transparent, open-source nature of Kernel development where every fix is often assigned a CVE, unlike closed-source operating systems that may bundle fixes.
Top 5 Products
Rank | Product                  | CVE Count
-----|--------------------------|----------
1    | Linux Kernel             | 3,649
2    | Windows 10               | 623
3    | Android                  | 509
4    | Adobe Experience Manager | 377
5    | macOS                    | 362
CVSS Score Analysis
The distribution of CVEs across the CVSS range in 2025 reveals trends in vulnerability severity.
The average CVSS score for 2025 was 6.60, with a median of 6.50. This indicates a concentration of vulnerabilities in the medium severity range. We observed a substantial number of vulnerabilities scoring between 7.0 and 8.9, suggesting a significant attack surface requiring immediate attention.
Severity Breakdown
Severity | Count  | Percentage
---------|--------|-----------
Critical | 3,984  | 8.3%
High     | 15,003 | 31.1%
Medium   | 25,551 | 53.0%
Low      | 1,557  | 3.2%
CVSS Trends Over Time
Top Weakness Types (CWE)
I analyzed the prevalence of weakness types based on the Common Weakness Enumeration. The data from 2025 reveals the most frequently observed CWEs.
The Web Application Crisis: The dominance of CWE-79 (Cross-Site Scripting) with over 8,000 entries is alarming. Despite XSS being a known issue for decades, it remains the most common vulnerability class. Combined with CWE-74 (Injection), CWE-862 (Missing Authorization), and CWE-89 (SQL Injection), web vulnerabilities account for a massive portion of the 2025 landscape.
Top 5 CWEs in 2025
Rank | CWE     | Name                  | CVE Count
-----|---------|-----------------------|----------
1    | CWE-79  | XSS                   | 8,207
2    | CWE-74  | Injection             | 2,564
3    | CWE-862 | Missing Authorization | 2,224
4    | CWE-352 | CSRF                  | 1,894
5    | CWE-89  | SQL Injection         | 1,706
CVE Numbering Authorities (CNAs)
The CVE Numbering Authority ecosystem has shifted dramatically. In previous years, major software vendors dominated this list. In 2025, we see the “WordPress Effect.”
Patchstack and Wordfence—organizations dedicated to WordPress plugin security—are now top drivers of CVE volume. Patchstack (#1) alone assigned 7,007 CVEs, vastly outnumbering traditional giants like Microsoft (#6) or Google. This reflects the intense scrutiny on the third-party plugin ecosystem.
Top 5 CNAs in 2025
Rank | CNA        | CVE Count
-----|------------|----------
1    | Patchstack | 7,007
2    | VulDB      | 5,902
3    | Linux      | 5,686
4    | MITRE      | 5,208
5    | Wordfence  | 3,451
In total, 365 unique CNAs assigned CVEs in 2025.
Top Vendors
Which vendors had the most CVEs assigned to their products in 2025?
The data shows Linux experienced the highest number of CVEs in 2025. This volume reflects its ubiquitous use and the rigorous reporting standards of the Kernel project. Microsoft and Adobe remain in the top 5, consistent with previous years, while Code-Projects (a platform for open-source code) and Apple round out the list.
Top 5 Vendors in 2025
Rank | Vendor        | CVE Count
-----|---------------|----------
1    | Linux         | 5,687
2    | Microsoft     | 1,255
3    | Adobe         | 829
4    | Code-Projects | 730
5    | Apple         | 727
Data Quality
CVE records exhibit varying degrees of completeness. The 2025 data indicates trends in metadata availability.
While CVSS and CWE coverage remains high (>90%), the lag in CPE identifiers (57.6%) is a concern for automated matching tools that rely on accurate product identifiers to alert users.
2025 Data Quality Metrics
Metric             | Coverage
-------------------|---------
CVSS Score         | 91.3%
CWE Classification | 92.3%
CPE Identifiers    | 57.6%
Rejected CVEs
Not all CVE IDs remain active. Some are rejected due to duplicates, disputes, or invalid submissions.
The number of rejected CVEs in 2025 remained consistent with 2024 figures, hovering around 1,787. This represents a 3.58% rejection rate, suggesting a relatively stable signal-to-noise ratio in the ecosystem.
2025 Rejection Statistics
Metric                    | Value
--------------------------|-------
Rejected CVEs in 2025     | 1,787
2025 Rejection Rate       | 3.58%
Total Rejected (All Time) | 16,357
Conclusions
In 2025, the volume of reported vulnerabilities hit an all-time high, demanding continuous vigilance.
The “WordPress Effect” is the most significant trend of the year. With Patchstack and Wordfence accounting for over 10,000 combined CVEs, the sheer volume of vulnerabilities has shifted from “Core OS” issues to “Third-Party Plugin” issues. For security teams, this means your threat model must aggressively account for unvetted plugins and extensions.
Linux remains the most reported vendor, but this is a feature of open source transparency, not necessarily insecurity. Teams should focus on hardening Linux environments and ensuring they have visibility into the specific kernel modules they are running.
Finally, the dominance of CWE-79 (XSS) proves that secure coding practices are still not being effectively implemented at the development stage. Regular security assessments and aggressive input validation remain critical.
Key Takeaways from 2025
Volume continues to grow: With 48,185 CVEs, 2025 set a new record in vulnerability disclosures.
CNAs have shifted: WordPress security firms (Patchstack, Wordfence) now out-publish major tech giants like Microsoft and Google.
Severity remains concerning: 18,987 CVEs (39.4%) were rated Critical or High severity.
Old bugs die hard: XSS (CWE-79) and Injection (CWE-74) continue to dominate the weakness landscape.
Data quality challenges: While improving, a significant portion of CVEs still lack complete CPE data, complicating automated matching.
I’m incredibly excited to finally share something I’ve been pouring my heart into at RogoLabs. For those of you who caught my talk at BSidesLV, you got a sneak peek, but today it’s official: CNAScorecard.org is live!
For years, the CVE program has been our shared language for identifying vulnerabilities. But lately, we’ve all felt the growing pains. We’re seeing more CVEs with incomplete, vague, or missing data. This isn’t just a small problem; it’s a huge one that leads to alert fatigue, slow response times, and automated tools that simply can’t do their jobs.
The recent NVD backlog shined a spotlight on this issue. Thousands of CVEs were left unanalyzed, lacking critical CVSS scores and CPE data. The truth is, the responsibility for data enrichment has shifted back to the CVE Numbering Authorities (CNAs), and many simply haven’t been providing this level of detail for over a decade.
This is precisely the challenge RogoLabs was created to solve: moving beyond just counting vulnerabilities and focusing on measuring the quality and completeness of that data. CNAScorecard.org is a core part of this mission, alongside my other projects like CVE.icu, a platform for exploring vulnerability data, and CVEForecast.org, an open-source tool that predicts annual CVE volume.
The Four Pillars of a Truly Useful CVE
A CVE needs more than a basic ID to be actionable. It needs solid information across four key pillars:
The Weakness (CWE): This identifies the root cause of the vulnerability (e.g., SQL Injection), helping us understand why it exists.
The Product (CPE): This is how we precisely identify affected software (e.g., cpe:/a:apache:http_server:2.4.54). Without a complete CPE, your scanners are flying blind. In 2024 alone, more than 14,000 CVEs were published without a CPE—more than the previous four years combined.
The Severity (CVSS): This gives you a score (0.0-10.0) to prioritize a vulnerability. Without it, you’re left guessing which issues to tackle first.
The Fix (Patch Info): The ultimate goal is to fix vulnerabilities. A CVE without a clear path to a solution—like a vendor advisory, patch link, or code commit—is just a problem statement, not a solution.
Introducing CNAScorecard.org
The old saying holds true: you can’t improve what you don’t measure. CNAScorecard.org is a public, data-driven scorecard for every CVE Numbering Authority. It gives us the objective measurement we need to demand better data across the board and helps you identify which sources you can truly trust.
The system is open-source, updates every six hours, and focuses on the last six months of CVE data to keep the information current. It scores CVE records against the four pillars, rolling those scores up into an overall quality grade for each CNA.
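To make the four-pillar check concrete, here is an added example in Python that scores CVE JSON 5.x records for CWE, CPE, CVSS and patch references and rolls the results up per CNA. It is my own simplified approximation of the idea, not CNAScorecard.org’s scoring code; the records, CNA names and CVE IDs are constructed placeholders, and treating the “patch” and “vendor-advisory” reference tags as evidence of a fix is an assumption.

```python
"""Score CVE JSON 5.x records against the four pillars and roll up per CNA.

Added example: my own simplified approximation of the idea, not the scoring
code of CNAScorecard.org. Field paths follow the CVE Record Format 5.x; the
records, CNA names and CVE IDs below are constructed placeholders.
"""
from collections import defaultdict
from typing import Callable, Dict, Iterable, List

PILLARS = ("cwe", "cpe", "cvss", "patch")
# Reference tags defined by the CVE 5.x schema that I treat as "a path to a fix" (assumption).
FIX_TAGS = {"patch", "vendor-advisory"}


def _cna(record: dict) -> dict:
    return record.get("containers", {}).get("cna", {})


def has_cwe(record: dict) -> bool:
    """Pillar 1: at least one problemType description carries a real CWE id."""
    return any(d.get("cweId", "").startswith("CWE-")
               for pt in _cna(record).get("problemTypes", [])
               for d in pt.get("descriptions", []))


def has_cpe(record: dict) -> bool:
    """Pillar 2: at least one affected entry lists a CPE."""
    return any(a.get("cpes") for a in _cna(record).get("affected", []))


def has_cvss(record: dict) -> bool:
    """Pillar 3: any metrics entry has a cvssV* object with a baseScore."""
    return any(key.startswith("cvssV") and isinstance(val, dict) and "baseScore" in val
               for m in _cna(record).get("metrics", [])
               for key, val in m.items())


def has_patch(record: dict) -> bool:
    """Pillar 4: a reference tagged as a patch or vendor advisory."""
    return any(FIX_TAGS & set(r.get("tags", [])) for r in _cna(record).get("references", []))


CHECKS: Dict[str, Callable[[dict], bool]] = {
    "cwe": has_cwe, "cpe": has_cpe, "cvss": has_cvss, "patch": has_patch}


def score_record(record: dict) -> Dict[str, bool]:
    return {p: CHECKS[p](record) for p in PILLARS}


def cna_scorecard(records: Iterable[dict]) -> Dict[str, Dict[str, float]]:
    """Per CNA: percentage of records passing each pillar, plus their mean as 'overall'."""
    by_cna: Dict[str, List[Dict[str, bool]]] = defaultdict(list)
    for rec in records:
        by_cna[rec["cveMetadata"]["assignerShortName"]].append(score_record(rec))
    out = {}
    for cna, scores in by_cna.items():
        pct = {p: round(100.0 * sum(s[p] for s in scores) / len(scores), 1) for p in PILLARS}
        pct["overall"] = round(sum(pct[p] for p in PILLARS) / len(PILLARS), 1)
        pct["records"] = len(scores)
        out[cna] = pct
    return out


def _record(cve_id, cna, cwe=None, cpes=None, base_score=None, ref_tags=()):
    """Build a minimal constructed CVE 5.x record for the demo (not a real record)."""
    c = {"affected": [{"vendor": "example", "product": "app", "cpes": list(cpes or [])}]}
    if cwe:
        c["problemTypes"] = [{"descriptions": [{"lang": "en", "type": "CWE",
                                                "cweId": cwe, "description": cwe}]}]
    if base_score is not None:
        c["metrics"] = [{"cvssV3_1": {"version": "3.1", "baseScore": base_score}}]
    c["references"] = [{"url": "https://example.invalid/advisory", "tags": list(ref_tags)}]
    return {"cveMetadata": {"cveId": cve_id, "assignerShortName": cna}, "containers": {"cna": c}}


# Constructed sample: two records from "cnaA", one from "cnaB" (placeholder names).
SAMPLE = [
    _record("CVE-0000-0001", "cnaA", cwe="CWE-79", cpes=["cpe:2.3:a:example:app:1.0:*:*:*:*:*:*:*"],
            base_score=6.1, ref_tags=("patch",)),
    _record("CVE-0000-0002", "cnaA", cwe="CWE-89", base_score=9.8, ref_tags=("third-party-advisory",)),
    _record("CVE-0000-0003", "cnaB", cpes=["cpe:2.3:a:example:app:2.0:*:*:*:*:*:*:*"],
            ref_tags=("vendor-advisory",)),
]

if __name__ == "__main__":
    for cna, pct in cna_scorecard(SAMPLE).items():
        print(cna, pct)
```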
A Look at the Initial Data
The first results are eye-opening:
Foundational Completeness: 100.0%
Root Cause Analysis (CWE): 87.4%
Severity & Impact (CVSS): 88.4%
Software Identification (CPE): 2.0%
Patch Information: 4.8%
These low scores for CPE and patch links highlight a critical problem. They lead to impaired automation, endless manual research, and inaccurate reporting for security teams everywhere.
How This Helps You
CNAScorecard.org is designed to empower everyone in the security community.
For Defenders: Use these scores to quickly identify and act on complete CVEs. The CNA grades are a powerful trust metric for evaluating your vendors.
For CNAs: This is a clear benchmark to see how your disclosure processes stack up against your peers. It’s a roadmap for improvement, showing you exactly where you can enhance your data quality. High-quality disclosure is a key driver of customer trust.
For the Ecosystem: We’re providing a continuously updated, public metric for the health of the CVE program. This brings much-needed accountability to a federated system.
Get Involved
This project isn’t just about a website; it’s about building a better, more transparent future for vulnerability management. Every line of code, every data point, and every score on CNAScorecard.org is part of a larger mission to improve the CVE ecosystem for everyone. With the right tools and a collaborative community, we can solve the challenges facing our industry.
The entire codebase is available on GitHub, and we’d love for you to contribute, provide feedback, or use it to build your own solutions.
It’s that time of year again! The first week of August means my annual trip to the desert for “Security Summer Camp”—the whirlwind of BSides Las Vegas, Black Hat, and DEF CON. It’s always an exhausting but amazing week, and I can’t wait to dive in, catch up with everyone, and talk about what I’ve been working on.
This year, I’m excited to be giving two talks that dig into the weeds of the CVE ecosystem.
My Talks in Vegas
I’ll be on stage at both BSidesLV and the AppSec Village at DEF CON.
Event: BSides Las Vegas
Talk title: “The Art of Concealment: CVE’s Challenge with Transparency”
The gist: A 20-minute dive into the “broken promise” of the CVE system. I’ll break down the four pillars of an actionable CVE (Weakness, Product, Severity, Fix) and show how incomplete data is breaking our automated tools. I’ll also introduce CNAScoreCard.org, a new RogoLabs project to bring transparency and accountability to the ecosystem by measuring data quality.
When & where: Tues, Aug 5 @ 2:30 PM at the Tuscany Suites & Casino

Event: AppSec Village at DEF CON 33
Talk title: “CVE Crisis: Navigating the Post-NVD Monolith Era”
The gist: A look at the bigger picture of our strained disclosure ecosystem now that the NVD is no longer the single source of truth. With the institutional power shifting to CISA, I’ll cover how to navigate this new fragmented landscape by integrating multiple intelligence sources (CISA KEV, open-source, commercial feeds) and moving to a true risk-based vulnerability management model.
The best part of this week is always the people. I’m genuinely looking forward to connecting, hearing what you’re working on, and trading stories from the trenches.
My passion project, RogoLabs, is all about bringing clarity to vulnerability intelligence through open-source tools like CVE.ICU. To celebrate that, I’ll have some of the very first-run RogoLabs stickers with me.
If you see me, please say hello! I’d love to chat about CVEs, vulnerability management, or anything else. Find me after one of my talks or just flag me down in the hallway.
2024 brought unprecedented growth in CVE data, so I figured it would be appropriate to start the new year by exploring these statistics and highlighting some of the more intriguing data points.
CVEs By The Numbers
We ended 2024 with 40,009 published CVEs, up over 38% from the 28,818 CVEs published in 2023.
On average, 108 CVEs were published each day.
May had the highest number of CVEs released, totaling 5,010 or 12.5% of all CVEs for the year.
Tuesdays emerged as the leading publishing days, accounting for 9,706 CVEs, or 24.3% of published CVEs.
May 3rd recorded the most CVEs released in a single day, with 824.
CVEs By Month
Month     | CVEs | Percentage (%)
----------|------|---------------
January   | 2593 | 6.5
February  | 2778 | 6.9
March     | 3310 | 8.3
April     | 3622 | 9.1
May       | 5010 | 12.5
June      | 3080 | 7.7
July      | 3124 | 7.8
August    | 2900 | 7.2
September | 2522 | 6.3
October   | 3573 | 8.9
November  | 4058 | 10.1
December  | 3439 | 8.6
CVEs By Day Of The Week
Day       | CVEs | Percentage (%)
----------|------|---------------
Monday    | 6449 | 16.1
Tuesday   | 9706 | 24.3
Wednesday | 7143 | 17.9
Thursday  | 6321 | 15.8
Friday    | 7100 | 17.7
Saturday  | 1858 | 4.6
Sunday    | 1432 | 3.6
Top 10 CVE Publishing Days
Date     | CVEs
---------|-----
5/3/24   | 845
5/14/24  | 824
7/9/24   | 471
5/21/24  | 436
10/21/24 | 436
11/22/24 | 385
4/9/24   | 384
11/19/24 | 383
12/12/24 | 341
11/12/24 | 333
CVE Growth
For the seventh consecutive year since 2017, we witnessed a record high of 40,009 CVEs published, marking a 38.83% increase from 2023. This means that 15.32% of all CVEs ever published were published in the past year.
CVE CVSS Scores
The Common Vulnerability Scoring System (CVSS) offers a way to capture the key characteristics of a vulnerability and generate a numerical score that ranges from 0.0 to 10.0, reflecting its severity. This year, the average CVSS score was 6.67.
CVE-2024-2365 recorded the lowest published CVSS score of 1.6.
CPE
Common Platform Enumeration (CPE) is a systematic naming convention for IT systems, software, and packages that facilitates identifying vulnerable software listed in a CVE.
This year, 19,807 distinct CPEs were recorded in CVEs, with the most prevalent being cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*, which was referenced 8,093 times.
CVE-2024-20433, related to a vulnerability in the Resource Reservation Protocol (RSVP) feature of Cisco IOS Software and Cisco IOS XE Software, has the highest number of CPEs at 2,434 unique, vulnerable configurations.
CNA
CVE Numbering Authorities (CNAs) consist of software vendors, open-source projects, coordination centers, bug bounty service providers, hosted services, and research groups that the CVE Program authorizes to assign CVE IDs to vulnerabilities and publish CVE Records within their designated scopes of coverage.
There are 433 CNAs, and 350 of them have published at least one CVE this year.
The top five CNAs this year were specifically established to report CVEs for open-source projects (VulDB, Kernel.org, and GitHub) or WordPress plugins (Patchstack and Wordfence). These five CNAs published 17,473 CVEs, accounting for 43.67% of all CVEs this year.
CWE
CWE is a community-developed list of software and hardware weakness types. It serves as a common language, a benchmark for security tools, and a foundation for identifying, mitigating, and preventing weaknesses.
There are 940 CWEs, and 237 were assigned to CVEs this year. CWE-79 was the most assigned CWE and was assigned 6,227 times, or 15.56% of all CVEs. NVD didn’t assign a CWE (NVD-CWE-noinfo or Missing_Data) 6,292 times or 15.73% of all CVEs.
Notes
695 rejected CVEs have been removed from the dataset this year.
This GitHub repository contains Jupyter notebooks with all the data and visualizations utilized in this blog.
CVE.ICU is an open-source project that I manage, tracking most of the aforementioned data points in real-time throughout the year, should you wish to stay updated with the data.
The Common Vulnerabilities and Exposures (CVE) program, launched in late October 1999, has not only marked its presence but has become a pivotal force in shaping how we perceive and manage cybersecurity threats.
A Journey Through Time
The CVE program emerged as a beacon, standardizing how vulnerabilities are identified, shared, and mitigated. From its inception with just 321 entries, it has ballooned to over 240,000 records, showcasing a remarkable evolution from simple bug tracking to a sophisticated vulnerability management system.
The Impact of CVE
Over these 25 years, CVE has revolutionized cybersecurity:
Global Collaboration: CVE’s framework has fostered an international community where vulnerabilities are reported and collaboratively addressed. This spirit of sharing knowledge has directly contributed to enhanced global cyber resilience.
Standardization: Before CVE, describing a vulnerability could vary wildly, leading to confusion and missed patches. Now, a CVE identifier provides a universal language, ensuring that everyone is on the same page when a vulnerability is mentioned.
Proactive Defense: By cataloging vulnerabilities, CVE allows for proactive patching and mitigation strategies, turning reactive cybersecurity into a more predictive and preventive practice.
Celebrating Milestones
This anniversary isn’t just about numbers; it’s about milestones:
Growth: From a nascent project to a mammoth database, CVE’s growth mirrors the expansion of the internet itself.
Community: Over 400 CVE Numbering Authorities (CNAs) across 40 countries now contribute, showcasing a vibrant, global effort in cybersecurity.
Innovation: The program has not just adapted but led with innovations like the integration with other standards bodies, enhancing its reach and effectiveness.
Looking Ahead
As we celebrate, we also look to the future. Cybersecurity is an ever-evolving battlefield, with new technologies like AI, IoT, and quantum computing on the horizon. CVE’s role will only grow, adapting to these changes and ensuring that as the digital landscape expands, so will our ability to secure it.
Conclusion
The 25th anniversary of the CVE program is more than a celebration; it reflects how far we’ve come in fortifying our digital lives. Here’s to the CVE program for identifying vulnerabilities and empowering us all to build, innovate, and connect with greater confidence in our digital future. Here’s to another 25 years of vigilance, innovation, and collaboration in cybersecurity.
The NVD posted the notice below on its webpage in mid-February. Since then, nearly 13,000 CVEs have not been enriched with CWE, CVSS, and CPE data.
The vulnerability management community was told that it would be addressed at Vulncon this year. At the conference, we were told the enrichment would restart “in the next couple of days” and that a “consortium was being founded” to help guide the NVD. I left hopeful about the NVD’s future and tried hard to present a positive outlook. I spent time defending NVD as the source of the truth at work and in the community, waiting for the enrichment to continue, and closely tracking the backlog as it grew.
I patiently waited for an announcement about the consortium and for the enrichment of CVEs to start again. Neither happened (The NVD did analyze 167 CVEs in April, but 120 CVEs per day were published). On April 25th, the NVD posted an update saying it was still committed to enriching CVEs.
At RSAC in May, CISA announced they would start a program called Vulnrichment and enrich all CVEs that a CNA did not. They have started publishing CVE data they produced in a GitHub Repository and will start publishing it directly to CVE records as an Authorized Data Publisher (ADP). A week ago, I sat through a CVE Automation Working Group meeting where they walked through the plan, and I was once again hopeful that this would help alleviate the backlog of CVEs needing enrichment and make their ADP the new source of truth for enrichment data. I started sharing this information and advising people that they would need to update their products to use the new CVE 5.1 Schema to ingest this data.
Yesterday, the NVD posted an announcement on its website stating that it had awarded a contract for additional processing support. The additional support would allow them to return to the processing rates they maintained before February 2024 within the next few months. They will work with CISA to eliminate the backlog by September 30th.
So, Who Is Going To Enrich CVEs?
In the last 100 days, I have spent a lot of professional equity telling people:
We Will Know After Vulncon.
NVD Announced They Will Start Enriching CVEs In A Few Days.
I Don’t know What Is Going On With NVD.
CISA Announced They Are Doing Vulnrichment.
NVD Announced They Will Start Enriching CVEs In A Few Months.
At this point, I don’t know who will enrich CVE data in the future, how they will do it, or whether the data will be correct or useful. This is a terrible place to be.
Every year, I get asked, “How many CVEs do you think will be published this year?”
I am always willing to take a guess, but last year, I read Time Series Forecasting in Python. As I started to read more about the Kalman Filter, I figured it would work great for predicting CVE growth, so I built a simple model to test it out.
2024 Prediction
My 2024 CVE model using the Kalman Filter is predicting 32,600 published CVEs.
Here is the monthly breakdown:
2023 Review
The model for 2023 underestimated the number of CVEs by 1,670, which I felt was really good for the first attempt.
What is the Kalman Filter?
The Kalman Filter algorithm uses a series of measurements observed over time to produce estimates that tend to be more accurate than those based on a single measurement alone. In essence, it helps predict the future state of a system based on its current state and past trends.
What Python Library Did You Use?
I have been using Darts by Unit8 as it is fully featured and easy to implement.
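For readers who want to see the mechanics without a library, here is an added example (my own pure-Python code, not the Darts model from the post) of a local-linear-trend Kalman filter that fits a yearly count series and forecasts the next year. The class and function names are mine, the noise settings are assumptions, and the demo series is built from the yearly totals quoted in the posts on this page.

```python
"""Local-linear-trend Kalman filter for yearly CVE counts, in pure Python.

Added example, not the Darts-based model from the post. State is
[level, slope]; each year the level advances by the slope and the observed
count is the level plus noise. Noise settings below are assumptions.
"""
from typing import List, Sequence, Tuple

Matrix = List[List[float]]


class LocalLinearTrendKF:
    """State x = [level, slope]; transition F = [[1, 1], [0, 1]]; observation H = [1, 0]."""

    def __init__(self, p0: float = 1e8, q_level: float = 1.0,
                 q_slope: float = 1.0, r: float = 1.0) -> None:
        self.x = [0.0, 0.0]                               # no prior knowledge of level or slope
        self.P: Matrix = [[p0, 0.0], [0.0, p0]]          # huge initial uncertainty
        self.Q: Matrix = [[q_level, 0.0], [0.0, q_slope]]  # process noise (assumed)
        self.R = r                                        # observation noise variance (assumed)

    def predict(self) -> Tuple[List[float], Matrix]:
        """Project one step ahead: x' = F x, P' = F P F^T + Q (2x2 algebra written out)."""
        level, slope = self.x
        x_pred = [level + slope, slope]
        P = self.P
        fp = [[P[0][0] + P[1][0], P[0][1] + P[1][1]],      # F P
              [P[1][0], P[1][1]]]
        p_pred = [[fp[0][0] + fp[0][1] + self.Q[0][0], fp[0][1] + self.Q[0][1]],  # (F P) F^T + Q
                  [fp[1][0] + fp[1][1] + self.Q[1][0], fp[1][1] + self.Q[1][1]]]
        return x_pred, p_pred

    def update(self, z: float) -> float:
        """Fold in one observed count; returns the innovation (observed minus predicted)."""
        x_pred, pp = self.predict()
        innovation = z - x_pred[0]                        # H x' is just the level
        s = pp[0][0] + self.R                             # innovation variance S = H P' H^T + R
        k0, k1 = pp[0][0] / s, pp[1][0] / s               # Kalman gain K = P' H^T / S
        self.x = [x_pred[0] + k0 * innovation, x_pred[1] + k1 * innovation]
        # P = (I - K H) P', where I - K H = [[1 - k0, 0], [-k1, 1]]
        self.P = [[(1 - k0) * pp[0][0], (1 - k0) * pp[0][1]],
                  [pp[1][0] - k1 * pp[0][0], pp[1][1] - k1 * pp[0][1]]]
        return innovation

    def fit(self, series: Sequence[float]) -> "LocalLinearTrendKF":
        for z in series:
            self.update(z)
        return self

    def forecast(self, horizon: int = 1) -> List[float]:
        """Deterministic h-step projection from the current state (no new observations)."""
        level, slope = self.x
        return [level + k * slope for k in range(1, horizon + 1)]


def forecast_next(series: Sequence[float], **kw) -> float:
    """Fit on the series and return the one-step-ahead forecast."""
    return LocalLinearTrendKF(**kw).fit(series).forecast(1)[0]


if __name__ == "__main__":
    # Yearly totals 2022..2025 as quoted in the posts on this page (later posts
    # revise earlier years slightly; these are the figures as stated).
    yearly = [25081, 28902, 39962, 48185]
    kf = LocalLinearTrendKF(q_level=1e5, q_slope=1e5, r=1e6).fit(yearly)
    print("level/slope:", [round(v) for v in kf.x])
    print("next-year forecast:", round(kf.forecast(1)[0]))
```

On a perfectly linear series the filter locks onto the slope after two observations, which is the property the test below checks.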
Code
All the code for this blog post is in this GitHub Repository, and I plan on automating and updating it as I get more time.
2023 marked another year of record growth in CVE data, and I thought it fitting to kick off the new year by delving into these statistics and showcasing some of the more interesting data points.
CVEs By The Numbers
We ended 2023 with 28,902 published CVEs, up over 15% from the 25,081 CVEs published in 2022.
On average, there were 79.18 CVEs published per day. October was the month with the most CVEs published, with 2,690 or 9.3% of all CVEs for the year. Tuesdays were the top publishing days, with 6,438 CVEs or 22.3% of all CVEs published. January 26th had the most CVEs published in a single day, with 348.
CVEs By Month
Month     | CVEs | Percentage (%)
----------|------|---------------
January   | 2337 | 8.1
February  | 2123 | 7.3
March     | 2517 | 8.7
April     | 2330 | 8.1
May       | 2418 | 8.4
June      | 2391 | 8.3
July      | 2307 | 8.0
August    | 2478 | 8.6
September | 2152 | 7.4
October   | 2690 | 9.3
November  | 2483 | 8.6
December  | 2676 | 9.3
CVEs By Day Of The Week
Day       | CVEs | Percentage (%)
----------|------|---------------
Monday    | 5005 | 17.3
Tuesday   | 6438 | 22.3
Wednesday | 5895 | 20.4
Thursday  | 5064 | 17.5
Friday    | 4597 | 15.9
Saturday  | 1006 | 3.5
Sunday    | 897  | 3.1
Top 10 CVE Publishing Days
Date       | CVEs
-----------|-----
2023-01-26 | 348
2023-11-14 | 330
2023-10-25 | 327
2023-09-27 | 310
2023-12-15 | 289
2023-07-11 | 275
2023-10-10 | 254
2023-08-08 | 253
2023-05-09 | 251
2023-04-11 | 236
CVE Growth
Like every year since 2017, we saw a record-breaking number of CVEs published, with 28,902, a 15.23% increase over 2022. It also means that 13.18% of all CVEs ever published were published in the last year.
CVSS
The Common Vulnerability Scoring System (CVSS) provides a way to capture the principal characteristics of a vulnerability and produce a numerical score from 0.0 to 10.0, reflecting its severity. The average CVSS score this year was 7.12.
CVE-2023-21928 had the lowest published CVSS score of 1.8.
CPE
Common Platform Enumeration (CPE) is a structured naming scheme for information technology systems, software, and packages to help identify vulnerable software identified in a CVE.
This year, 3,119 unique CPEs were identified in CVEs. The most common was cpe:2.3:o:google:android:12.0:*:*:*:*:*:*:* that was applied to 547 CVEs.
CVE-2023-44183, a Juniper Networks Junos OS vulnerability, is the CVE with the most CPEs with 240 unique, vulnerable configurations.
CNA
CVE Numbering Authorities (CNAs) are software vendors, open source projects, coordination centers, bug bounty service providers, hosted services, and research groups authorized by the CVE Program to assign CVE IDs to vulnerabilities and publish CVE Records within their specific scopes of coverage.
Today, there are 346 CNAs. This year, 250 of those CNAs published at least one CVE.
Four of the top five CNAs this year, excluding Microsoft, were purpose-built to report CVEs for open-source projects (VulDB & GitHub) or WordPress plugins (Patchstack & WPScan). Those four CNAs published 6,778, or 24.12% of all CVEs this year.
CWE
CWE is a community-developed list of software and hardware weakness types. It is a common language, a measuring stick for security tools, and a baseline for weakness identification, mitigation, and prevention efforts.
There are 1,332 CWEs, and 237 were assigned to CVEs this year. CWE-79 was the most assigned CWE and was assigned 4,474 times or 15.48% of all CVEs. NVD didn’t assign a CWE 4,113 times or 14.23% of all CVEs.
Notes
2,112 rejected CVEs have been removed from the dataset because some CNAs publish and reject any unused reserved CVE IDs, causing an artificially inflated record count. On September 14th alone, 662 were published and then immediately rejected.
This GitHub repository has Jupyter notebooks containing all the data and visualizations used in this blog.
CVE.ICU is an open-source project I run that tracks most of the above data points in real-time throughout the year if you are interested in keeping up with the data.
Hacker Summer Camp, as it is colloquially known, is three security conferences that are all next week in Las Vegas. The three conferences that make up Security Summer Camp are:
DEF CON is probably the world’s most well-known hacker conference, and this year’s schedule looks impressive. Here is what I am going to attempt to see this year:
Along with these talks, they have these interest-specific villages where I will spend a lot of time. Here are the villages where I know I will be spending time.
While the talks above are the ones that I am looking forward to, my friends have built HackerTracker, which has a complete list of all the talks for the weekend and is worth checking out.
I am also really hoping someone hacks the new Sphere next week.