This blog will contain a host of information about various vulnerabilities and thoughts related to vulnerability management.
To view older blog posts, please visit the archives section.
2025-02-01
Welcome to the first edition of CVE - A Monthly Review! Each month, we will highlight key statistics about all CVEs published during the previous month. The numbers presented below are generated using a CVE exploration framework developed by Vulnarium.
A total of 4,415 CVEs were published in January. Of those, 128 were rejected, leaving us with 4,287 new CVEs. The table on the left shows the distribution of base CVSS scores, per version, for all CVEs reporting this metric. It is important to note that some CVEs carry multiple scores across multiple CVSS versions. Hence, some CVEs are represented multiple times in this table.
The graphics below show base score distribution for CVSS v3.1 and 4.0.
CWEs are commonly used to describe vulnerabilities at a high level. The table below shows the number of instances of the top 10 CWEs for CVEs published in January. The graphic on the right provides a visual representation of this distribution.
We observe a disproportionate representation of CWE-79 (Cross-Site Scripting), which accounts for 40.9% of the top 10 CWE instances. Further investigation into the presence of CWE-79 in various CVEs revealed that 263 CVEs reporting CWE-79 are, in one way or another, related to WordPress.
WordPress-related CVEs account for 25.4% of all CVEs reporting CWE-79 (Cross-Site Scripting). By extension, they represent approximately 6% of all published, non-rejected CVEs during the month of January 2025.
As shown below, only 11.6% of all CVSS scores published were calculated using the latest CVSS version. Also, 11.56% of all CVEs published contained CVSS v4.0 data.
One of the many improvements in CVSS 4.0 is the modification of the exploit maturity field. The table on the left shows the exploit maturity data for all CVEs with CVSS 4.0 metric information published during the month. While the presence of this field is notably relevant, it is unfortunately underused, with the vast majority of CVSS 4.0 evaluations not taking it into account.
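To make the counting rules behind these statistics concrete (rejected records excluded, one CVE possibly contributing a score to several CVSS versions, and the E metric read from the CVSS 4.0 vector), here is an added example that is not Vulnarium's framework. It assumes records laid out like CVE JSON 5.x (state under cveMetadata, scores under containers.cna.metrics); the sample records are constructed, not real CVEs.

```python
import re
from collections import Counter

# Constructed sample records in the shape of CVE JSON 5.x (assumed layout; not real CVEs).
SAMPLE_CVES = [
    {"cveMetadata": {"cveId": "CVE-0000-0001", "state": "PUBLISHED"},
     "containers": {"cna": {"problemTypes": [{"descriptions": [{"cweId": "CWE-79"}]}],
                            "metrics": [{"cvssV3_1": {"baseScore": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}},
                                        {"cvssV4_0": {"baseScore": 5.1, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"}}]}}},
    {"cveMetadata": {"cveId": "CVE-0000-0002", "state": "PUBLISHED"},
     "containers": {"cna": {"problemTypes": [{"descriptions": [{"cweId": "CWE-89"}]}],
                            "metrics": [{"cvssV4_0": {"baseScore": 8.7, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P"}}]}}},
    {"cveMetadata": {"cveId": "CVE-0000-0003", "state": "PUBLISHED"},
     "containers": {"cna": {"problemTypes": [{"descriptions": [{"cweId": "CWE-79"}]}],
                            "metrics": [{"cvssV3_1": {"baseScore": 4.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N"}}]}}},
    {"cveMetadata": {"cveId": "CVE-0000-0004", "state": "REJECTED"}, "containers": {"cna": {}}},
]

def exploit_maturity(vector: str) -> str:
    """E (Exploit Maturity) value of a CVSS 4.0 vector: A, P, U, or X when absent / Not Defined."""
    m = re.search(r"/E:([APUX])(?:/|$)", vector)
    return m.group(1) if m else "X"

def summarize(records):
    """Count CVEs, scores per CVSS version (a CVE may appear under several), v4.0 coverage and E values."""
    stats = {"total": 0, "rejected": 0, "scores_by_version": Counter(), "multi_version": 0,
             "cves_with_v4": 0, "v4_exploit_maturity": Counter(), "cwe": Counter()}
    for rec in records:
        stats["total"] += 1
        if rec["cveMetadata"]["state"] == "REJECTED":   # rejected records are left out of every other count
            stats["rejected"] += 1
            continue
        cna = rec["containers"]["cna"]
        versions = set()
        for metric in cna.get("metrics", []):
            for key in ("cvssV2_0", "cvssV3_0", "cvssV3_1", "cvssV4_0"):
                if key in metric:
                    versions.add(key)
                    stats["scores_by_version"][key] += 1        # one row per score, so CVEs can repeat
                    if key == "cvssV4_0":
                        stats["v4_exploit_maturity"][exploit_maturity(metric[key]["vectorString"])] += 1
        stats["multi_version"] += len(versions) > 1
        stats["cves_with_v4"] += "cvssV4_0" in versions
        for pt in cna.get("problemTypes", []):
            for d in pt.get("descriptions", []):
                if "cweId" in d:
                    stats["cwe"][d["cweId"]] += 1
    stats["published"] = stats["total"] - stats["rejected"]
    return stats
```

The share of scores that are v4.0 (scores_by_version) and the share of CVEs carrying v4.0 data (cves_with_v4 over published) are different denominators, which is why the two percentages quoted above are not identical.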