CVE Flood in 2025 to Risk-First Precision in 2026

Introduction: When Volume Stopped Being the Problem

By December 29, 2025, 49,209 CVEs had been published, roughly 23% more than in 2024 (the half-year growth figures below imply about 40,000 CVEs in 2024). That works out to ~135 new vulnerabilities every day. The surge was fueled by increased software complexity, open-source dependency growth, and the expansion of CVE Numbering Authorities (CNAs).

Yet despite record disclosures, breaches were not caused by tens of thousands of vulnerabilities. They were caused by a very small, highly targeted subset.

The lesson of 2025:
Vulnerability management failed not because of scale—but because of prioritization.

The 2025 CVE Reality in Brief

  • Total CVEs (2025): 49,209
  • H1 2025: 23,667 CVEs (+16% YoY)
  • H2 2025: 25,542 CVEs (+30% YoY)
  • High & Critical (CVSS ≥7.0): ~48% (Critical 14% + High 34%, per the breakdown below)

Severity Breakdown

  • Critical: 6,675 (14%)
  • High: 16,743 (34%)
  • Medium: 21,367 (43%)
  • Low / Unrated: Remainder

While severity appeared alarming, it proved to be a poor predictor of exploitation.

Exploitation: Where Risk Actually Materialized

In H1 2025, more than 400 CVEs were exploited in the wild, and H2 is expected to match or exceed that figure.

  • 42% had public Proof-of-Concept (PoC) code
  • 30% enabled Remote Code Execution (RCE)
  • Microsoft platforms and edge devices dominated targets
  • State-sponsored actors drove over half of exploitation
  • Ransomware and zero-day usage increased sharply

Attackers exploited speed, exposure, and critical assets—not raw severity.

Why CVSS Failed Alone

CVSS measures technical impact, not:

  • Likelihood of exploitation
  • Asset exposure
  • Business consequence

Security teams triaged 135+ CVEs per day, yet attackers focused on 1–3% of them.

This disconnect made one thing clear:

Severity without context creates noise, not security.

The New Prioritization Model: EPSS + Asset Criticality

EPSS: Likelihood Over Theory

The Exploit Prediction Scoring System (EPSS), FIRST's estimate of the probability that a CVE will be exploited in the wild within the next 30 days, consistently identified:

  • Vulnerabilities likely to be exploited
  • CVEs that later appeared in CISA’s KEV catalog
  • Risks with public PoCs and active attacker interest

A high-EPSS vulnerability often proved more dangerous than a CVSS-critical one.

Asset Criticality: Where Vulnerabilities Actually Matter

In 2025, exploitation clustered around specific asset classes:

  • Identity systems (AD, Entra, Okta, IAM APIs)
  • Edge and perimeter devices (VPNs, firewalls)
  • Cloud control planes
  • Management and monitoring tools

A medium-severity vulnerability on a Tier-1 asset posed greater risk than a critical vulnerability on a non-critical internal system.

Risk is contextual. Assets matter as much as vulnerabilities.

A Practical 2026 Prioritization Framework

Risk = EPSS × Asset Criticality × Exposure

Priority Tier | Criteria                                    | Action
Tier 1        | KEV, or EPSS ≥0.9 on a Tier-1 asset         | Immediate remediation / isolation
Tier 2        | EPSS ≥0.7 and internet-facing               | Patch within 7 days
Tier 3        | Critical CVSS, low EPSS, non-critical asset | Normal patch cycle
Tier 4        | Medium/Low CVSS, internal, low criticality  | Accept / defer

Key Rule for 2026:
High likelihood on critical assets beats high severity everywhere else.
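The tiering above as a triage routine, added here as a worked example and not code from the article. The tier rules follow the table; the numeric weights behind Risk = EPSS × Asset Criticality × Exposure, the field names, the choice to treat any KEV entry as Tier 1 regardless of asset, the extra EPSS < 0.7 guard on Tier 4, the Tier-3 fallback for findings the table does not describe, and the sample findings (placeholder references, not real CVE IDs) are all assumptions made for illustration:

```python
"""Risk-first triage: Risk = EPSS x Asset Criticality x Exposure.

Added example, not code from the original article. Tier rules follow the
article's table; weights, field names, the KEV-anywhere interpretation, the
Tier-4 EPSS guard, the Tier-3 fallback and the sample findings are assumptions.
"""
from dataclasses import dataclass

# Assumed weights. Asset tier 1 is the most critical class (identity systems,
# edge devices, cloud control planes); exposure "internet" means reachable
# from the internet without prior access.
CRITICALITY_WEIGHT = {1: 1.0, 2: 0.6, 3: 0.3}
EXPOSURE_WEIGHT = {"internet": 1.0, "partner": 0.6, "internal": 0.3}

ACTION = {
    1: "Immediate remediation / isolation",
    2: "Patch within 7 days",
    3: "Normal patch cycle",
    4: "Accept / defer with documented rationale",
}


@dataclass(frozen=True)
class Finding:
    ref: str          # placeholder reference, not a real CVE ID
    cvss: float       # CVSS base score, 0-10
    epss: float       # EPSS probability, 0-1
    in_kev: bool      # listed in CISA's KEV catalog
    asset_tier: int   # 1 = Tier-1 (most critical) to 3
    exposure: str     # "internet", "partner" or "internal"


def risk_score(f: Finding) -> float:
    """The article's product, on a 0-1 scale with the weights above."""
    return round(f.epss * CRITICALITY_WEIGHT[f.asset_tier] * EXPOSURE_WEIGHT[f.exposure], 4)


def priority_tier(f: Finding) -> int:
    """Map a finding to the article's priority tiers (1 = act now, 4 = defer).

    Any KEV entry is Tier 1 regardless of asset (assumption matching the
    'KEV as an incident' section). Tier 4 additionally requires EPSS below
    0.7 so a likely-exploited finding is never deferred on severity alone
    (added guard). Anything the table does not describe falls back to Tier 3.
    """
    if f.in_kev or (f.epss >= 0.9 and f.asset_tier == 1):
        return 1
    if f.epss >= 0.7 and f.exposure == "internet":
        return 2
    if f.cvss < 7.0 and f.exposure == "internal" and f.asset_tier == 3 and f.epss < 0.7:
        return 4
    return 3


def triage(findings):
    """Order findings by tier, then by descending risk score within a tier."""
    return sorted(findings, key=lambda f: (priority_tier(f), -risk_score(f)))


# Constructed sample findings, chosen to show the article's point: a
# medium-severity bug on a Tier-1 internet-facing asset outranks a critical
# one on an internal, non-critical system.
SAMPLE_FINDINGS = [
    Finding("EXAMPLE-A", cvss=9.8, epss=0.02, in_kev=False, asset_tier=3, exposure="internal"),
    Finding("EXAMPLE-B", cvss=6.5, epss=0.93, in_kev=False, asset_tier=1, exposure="internet"),
    Finding("EXAMPLE-C", cvss=7.5, epss=0.75, in_kev=False, asset_tier=2, exposure="internet"),
    Finding("EXAMPLE-D", cvss=5.3, epss=0.01, in_kev=False, asset_tier=3, exposure="internal"),
    Finding("EXAMPLE-E", cvss=7.2, epss=0.40, in_kev=True, asset_tier=2, exposure="internal"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_FINDINGS):
        tier = priority_tier(f)
        print(f"Tier {tier}  risk={risk_score(f):.4f}  cvss={f.cvss}  {f.ref}: {ACTION[tier]}")
```

On the sample set, EXAMPLE-B (CVSS 6.5, EPSS 0.93, Tier-1 identity-class asset) and the KEV entry EXAMPLE-E come out first, while EXAMPLE-A (CVSS 9.8 on an internal, non-critical system) lands in the normal cycle; the score alone would have put A at the top of the queue.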

Response Must Change: KEV as an Incident

The CISA Known Exploited Vulnerabilities (KEV) list proved to be the most reliable indicator of real risk.

In 2026:

  • KEV additions must trigger incident-level response
  • Internet-facing KEVs require 24–72 hour remediation
  • No exception-based deferrals without executive risk acceptance

KEVs are not patching tasks—they are active threats.

Mitigation Is Not Failure

When patching cannot meet SLA:

  • WAF / IPS virtual patching
  • Network segmentation
  • Privilege reduction
  • Identity hardening

Under NIST risk-management guidance (SP 800-39 lists mitigation beside acceptance, avoidance, sharing and transfer as risk responses), reducing exposure is a valid and often necessary response.

When Fixing Is Not Possible: Risk Acceptance with Governance

In a 49K-CVE year, not every vulnerability can be fixed within SLA.
However, unpatched risk must never be implicit or invisible.

Unpatched vulnerabilities are a business risk—not a technical oversight.

When Risk Acceptance Is Permitted

Risk acceptance is allowed only when all of the following apply:

  • A fix is technically unavailable or infeasible
  • Patching would cause material business disruption
  • The asset is non-internet-facing or has low exposure
  • Compensating controls materially reduce exploitability

Risk acceptance must never automatically apply to:

  • CISA KEV vulnerabilities
  • High-EPSS vulnerabilities on Tier-1 assets
  • Internet-facing identity or edge systems

Mandatory Conditions Before Acceptance

If a fix cannot be applied, the following are non-negotiable:

  • Compensating controls in place (WAF, IPS, isolation, privilege reduction)
  • Asset exposure minimized and verified
  • EPSS score and KEV status documented
  • Residual risk explicitly assessed and owned

Risk acceptance without mitigation is risk neglect.

Measure What Matters

Stop Reporting

  • Total CVEs patched
  • Patch backlog size

Start Reporting

  • % KEVs remediated within SLA
  • Mean time to remediate high-EPSS vulnerabilities
  • Open exploitable risks on Tier-1 assets
  • Exposure-weighted risk reduction

Boards should ask:

“Which exploitable risks remain open on critical assets today?”
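The four "Start Reporting" metrics computed from a set of findings, with the two "Stop Reporting" counts beside them for contrast, added here as a worked example and not code from the article. The record fields, the KEV SLAs (72 hours for internet-facing KEVs, taken from the 24–72 hour rule above; 7 days for other KEVs, an assumed window), the exposure weights and the sample records are assumptions made for illustration:

```python
"""Risk-first vulnerability metrics for the 'Start Reporting' list.

Added example, not code from the original article. Record fields, SLA values,
exposure weights and the sample records are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

HIGH_EPSS = 0.7                        # threshold reused from the Tier-2 rule
KEV_SLA_INTERNET = timedelta(days=3)   # assumed: 72 h for internet-facing KEVs
KEV_SLA_OTHER = timedelta(days=7)      # assumed: 7 days for all other KEVs
EXPOSURE_WEIGHT = {"internet": 1.0, "internal": 0.3}  # assumed weights


@dataclass(frozen=True)
class Record:
    ref: str                        # placeholder reference, not a real CVE ID
    in_kev: bool
    epss: float
    asset_tier: int                 # 1 = Tier-1 (most critical)
    exposure: str                   # "internet" or "internal"
    opened: date                    # date the finding (or KEV listing) was raised
    closed: Optional[date] = None   # remediation date, None while still open


def kev_deadline(r: Record) -> date:
    sla = KEV_SLA_INTERNET if r.exposure == "internet" else KEV_SLA_OTHER
    return r.opened + sla


def pct_kev_within_sla(records, as_of: date):
    """% of KEVs closed by their deadline. Open KEVs past their deadline count
    as missed; open KEVs still inside the window are not yet decided and are
    left out of the denominator. Returns None when there is nothing to score."""
    decided = [r for r in records if r.in_kev and (r.closed or as_of > kev_deadline(r))]
    if not decided:
        return None
    met = [r for r in decided if r.closed and r.closed <= kev_deadline(r)]
    return round(100.0 * len(met) / len(decided), 1)


def mttr_high_epss_days(records):
    """Mean days from opened to closed for closed findings with EPSS >= 0.7."""
    days = [(r.closed - r.opened).days for r in records if r.closed and r.epss >= HIGH_EPSS]
    return round(sum(days) / len(days), 1) if days else None


def open_exploitable_tier1(records):
    """Open findings on Tier-1 assets that are in KEV or above the EPSS threshold."""
    return [r.ref for r in records
            if r.closed is None and r.asset_tier == 1 and (r.in_kev or r.epss >= HIGH_EPSS)]


def exposure_weighted_reduction(records):
    """Share of the total EPSS x exposure weight that has been closed out."""
    def weight(r: Record) -> float:
        return r.epss * EXPOSURE_WEIGHT[r.exposure]
    total = sum(weight(r) for r in records)
    closed = sum(weight(r) for r in records if r.closed)
    return round(closed / total, 3) if total else 0.0


def report(records, as_of: date) -> dict:
    """Both metric sets side by side: the counts the article says to stop
    reporting and the risk-first figures it says to start reporting."""
    closed = [r for r in records if r.closed]
    return {
        "patched_total": len(closed),
        "backlog": len(records) - len(closed),
        "pct_kev_within_sla": pct_kev_within_sla(records, as_of),
        "mttr_high_epss_days": mttr_high_epss_days(records),
        "open_exploitable_tier1": open_exploitable_tier1(records),
        "exposure_weighted_reduction": exposure_weighted_reduction(records),
    }


AS_OF = date(2026, 1, 31)
# Constructed sample records for a hypothetical January 2026.
SAMPLE_RECORDS = [
    Record("KEV-1", True, 0.90, 1, "internet", date(2026, 1, 2), date(2026, 1, 4)),   # met 72 h
    Record("KEV-2", True, 0.50, 2, "internal", date(2026, 1, 5), date(2026, 1, 20)),  # missed 7 d
    Record("KEV-3", True, 0.80, 1, "internet", date(2026, 1, 25)),                    # open, overdue
    Record("HIGH-EPSS-1", False, 0.75, 1, "internet", date(2026, 1, 3), date(2026, 1, 10)),
    Record("HIGH-EPSS-2", False, 0.95, 2, "internal", date(2026, 1, 1), date(2026, 1, 16)),
    Record("LOW-1", False, 0.01, 3, "internal", date(2026, 1, 1)),
    Record("LOW-2", False, 0.02, 1, "internet", date(2026, 1, 10), date(2026, 1, 12)),
]

if __name__ == "__main__":
    for key, value in report(SAMPLE_RECORDS, AS_OF).items():
        print(f"{key:30} {value}")
```

On the sample data the old numbers look healthy (5 of 7 findings patched, a backlog of 2), while the risk-first view shows one of three KEVs closed within SLA, an eight-day mean time to remediate high-EPSS findings and an exploitable Tier-1 finding still open; that gap is what the section is asking boards to see.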

Conclusion: The Shift Is Permanent

2025 exposed the limits of volume-driven vulnerability management.
In 2026, success depends on:

  • EPSS-driven prediction
  • Asset-aware prioritization
  • KEV-led response
  • Business-aligned risk decisions

You cannot patch everything.
But you can patch what attackers exploit—where it matters most.
