
The expanding CVE volume reshapes how organizations prioritize patching and risk, highlighting the need for better data hygiene and coordinated vulnerability management across the software supply chain.
The 2025 vulnerability surge reflects a structural shift in the CVE ecosystem. As the number of CVE Numbering Authorities (CNAs) swells to nearly 500, niche players like Patchstack and VulDB now rival legacy organizations, driving a 21% year-over-year increase. AI-assisted scanning and large-language-model code reviews have lowered the barrier for researchers worldwide, especially in Asia, turning what once were isolated disclosures into a continuous stream of identifiers. This democratization improves visibility but also inflates raw counts, making it harder for security teams to separate signal from noise.
Data quality has become the Achilles’ heel of the National Vulnerability Database. With roughly 10% of entries lacking CVSS scores and 40% missing CPE mappings, automated risk scoring tools struggle to prioritize patches accurately. The backlog created by the 2024 funding hiccup forced NVD staff to defer pre-2018 entries, further eroding confidence in historical baselines. Duplicate CVEs—often the result of “CVE farming” where identical code bases generate multiple identifiers—exacerbate the problem, prompting firms like Flashpoint to de-duplicate records, reducing the 2025 total to about 44,000 unique findings.
For enterprises, the practical takeaway is to move beyond raw CVE tallies and focus on asset inventory and vulnerability class mitigation. Knowing which software components are in use enables teams to apply threat-intelligence filters, prioritize high-impact CVEs, and adopt secure development practices such as memory-safe languages and vetted libraries. Industry collaboration on CNA standards and international data-cleaning initiatives will be essential to sustain the CVE program’s credibility, ensuring that the growing number of identifiers translates into actionable security improvements rather than administrative overload.
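The two preceding paragraphs describe a workflow (audit the feed for missing CVSS and CPE data, collapse duplicate identifiers, then rank only what maps onto the asset inventory) without showing it. The script below is an added example, not code from the article or from NVD; it works on a simplified, constructed record layout (id, description, CVSS score, CPE list) rather than the real, much deeper NVD JSON schema, and the CVE ids, products and inventory entries are all made up.

```python
"""Triage a batch of NVD-style CVE records: audit data quality, de-duplicate,
and rank only the entries that touch software in our asset inventory.

Added example, not from the article. The record layout is a simplified,
constructed stand-in for NVD JSON; real records nest these fields deeper."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class CveRecord:
    cve_id: str
    description: str
    cvss: Optional[float]                     # None models an entry with no CVSS score yet
    cpes: List[str] = field(default_factory=list)  # empty list models a missing CPE mapping


# Constructed sample records (not real CVE data); 00001 and 00002 are "farmed" duplicates.
SAMPLE_RECORDS = [
    CveRecord("CVE-2025-00001", "Stack buffer overflow in libfoo parser", 9.8,
              ["cpe:2.3:a:foo:libfoo:1.2:*:*:*:*:*:*:*"]),
    CveRecord("CVE-2025-00002", "Stack buffer overflow in libfoo parser", 9.8,
              ["cpe:2.3:a:foo:libfoo:1.2:*:*:*:*:*:*:*"]),
    CveRecord("CVE-2025-00003", "XSS in BarCMS admin panel", 6.1,
              ["cpe:2.3:a:bar:barcms:3.0:*:*:*:*:*:*:*"]),
    CveRecord("CVE-2025-00004", "Auth bypass in BazProxy", None,
              ["cpe:2.3:a:baz:bazproxy:2.1:*:*:*:*:*:*:*"]),
    CveRecord("CVE-2025-00005", "Unspecified issue in QuxDB", 7.5, []),
]

# Constructed inventory, keyed as vendor:product:version (e.g. from an SBOM).
ASSET_INVENTORY = {"foo:libfoo:1.2", "baz:bazproxy:2.1"}


def audit(records: List[CveRecord]) -> dict:
    """Count the gaps the article describes: entries with no CVSS score, entries with no CPE."""
    return {
        "total": len(records),
        "missing_cvss": sum(1 for r in records if r.cvss is None),
        "missing_cpe": sum(1 for r in records if not r.cpes),
    }


_WS = re.compile(r"\s+")


def _normalize(text: str) -> str:
    """Lower-case, strip punctuation and collapse whitespace so near-identical descriptions compare equal."""
    return _WS.sub(" ", re.sub(r"[^\w\s]", "", text.lower())).strip()


def deduplicate(records: List[CveRecord]) -> List[CveRecord]:
    """Collapse records that describe the same flaw in the same affected products.

    The dedup key is (normalized description, sorted CPE list); the lowest CVE id wins.
    """
    seen = {}
    for r in sorted(records, key=lambda rec: rec.cve_id):
        key = (_normalize(r.description), tuple(sorted(r.cpes)))
        seen.setdefault(key, r)
    return sorted(seen.values(), key=lambda rec: rec.cve_id)


def product_key(cpe: str) -> str:
    """Extract vendor:product:version from a CPE 2.3 URI (cpe:2.3:part:vendor:product:version:...)."""
    parts = cpe.split(":")
    if len(parts) < 6 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 string: {cpe}")
    return ":".join(parts[3:6])


def prioritize(records: List[CveRecord], inventory: set) -> List[Tuple[str, Optional[float]]]:
    """Keep only CVEs whose CPEs match inventoried software, ranked by CVSS.

    Unscored entries are kept but sorted last so they get a human look instead of
    being silently dropped by a score threshold.
    """
    hits = [r for r in records if any(product_key(c) in inventory for c in r.cpes)]
    hits.sort(key=lambda r: (r.cvss is None, -(r.cvss or 0.0), r.cve_id))
    return [(r.cve_id, r.cvss) for r in hits]


if __name__ == "__main__":
    print("audit:", audit(SAMPLE_RECORDS))
    unique = deduplicate(SAMPLE_RECORDS)
    print("unique records:", len(unique))
    for cve_id, score in prioritize(unique, ASSET_INVENTORY):
        print(f"{cve_id}: {'unscored' if score is None else score}")
```

Note what the CPE gap costs in practice: CVE-2025-00005 carries a 7.5 score but has no CPE, so `prioritize` can never match it to the inventory; an entry like that belongs in a manual-review queue (the `missing_cpe` count from `audit`) rather than being treated as irrelevant because it produced no hit.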