This blog will contain a wealth of information about various vulnerabilities and thoughts related to vulnerability management.
2025-03-01
Each month, we will highlight key statistics about all CVEs published during the previous month. The numbers presented below are generated using cve_investigator, a framework developed by Vulnarium.
To view older blog posts, please visit the archives section.
A total of 3,831 CVEs were published in February. Of those, 144 were rejected, leaving us with 3,687 new CVEs. The table on the left shows the distribution of base CVSS scores, per version, for all CVEs reporting this metric. It is important to note that some CVEs have multiple scores across multiple CVSS versions. Hence, some CVEs are represented multiple times in this table.
The graphics below show base score distribution for CVSS v3.1 and 4.0.
CWEs are commonly used to describe vulnerabilities at a high level. The table below shows the number of instances of the top 10 CWEs for CVEs published in January. The graphic on the right provides a visual representation of this distribution.
Once again, we observe a disproportionate representation of CWE-79 (Cross-Site Scripting), at 36.5% (down from 40.9% last month) of the top 10 CWEs. Further investigation into the presence of CWE-79 in various CVEs revealed that 160 CVEs reporting CWE-79 are, in one way or another, related to WordPress.
WordPress-related CVEs account for 28.26% of all CVEs reporting CWE-79 (Cross-Site Scripting). By extension, they represent approximately 4.3% of all reported, non-rejected CVEs during the month of February 2025.
As shown below, only 14.3% (up from 11.6% last month) of all CVSS scores published were calculated using the latest CVSS version.
One of the many improvements in CVSS 4.0 is the modification to the exploit maturity field. The table on the left shows the exploit maturity data for all CVEs with CVSS 4.0 metric information published during the month. While this field is highly relevant, it is unfortunately underused: the vast majority of CVSS 4.0 evaluations leave it undefined.
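To show how the version share and exploit-maturity tallies discussed above can be derived from published vector strings, here is an added Python example. It is not cve_investigator code (none is shown on this page); the vector strings, the `parse_vector`/`summarize` names and the sample mix are constructed for illustration, not February data.

```python
import re
from collections import Counter

# Constructed sample vectors (illustrative only, not data from the post).
# The "E" metric in a CVSS 4.0 vector is Exploit Maturity; when absent it
# defaults to X (Not Defined), which is the "underused" case discussed above.
SAMPLE_VECTORS = [
    "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
    "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
    "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N",
    "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A",
    "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
    "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
    "not a vector",  # feeds typically contain a few malformed strings
]

# Version prefix followed by one or more METRIC:VALUE pairs.
VECTOR_RE = re.compile(r"^CVSS:(\d\.\d)(?:/[A-Z]{1,3}:[A-Z])+$")

# CVSS 4.0 Exploit Maturity values.
EXPLOIT_MATURITY = {"X": "Not Defined", "A": "Attacked",
                    "P": "Proof-of-Concept", "U": "Unreported"}


def parse_vector(vector):
    """Return (version, {metric: value}) or None for a malformed vector."""
    if not VECTOR_RE.match(vector):
        return None
    head, *parts = vector.split("/")
    return head.split(":")[1], dict(part.split(":") for part in parts)


def summarize(vectors):
    """Tally CVSS versions and, for 4.0, how often Exploit Maturity is set."""
    versions, maturity = Counter(), Counter()
    for vector in vectors:
        parsed = parse_vector(vector)
        if parsed is None:
            versions["unparsable"] += 1
            continue
        version, metrics = parsed
        versions[version] += 1
        if version == "4.0":
            label = EXPLOIT_MATURITY.get(metrics.get("E", "X"), "Invalid")
            maturity[label] += 1
    scored = sum(n for k, n in versions.items() if k != "unparsable")
    v4_share = round(100 * versions["4.0"] / scored, 1) if scored else 0.0
    return {"versions": dict(versions), "v4_share_pct": v4_share,
            "exploit_maturity": dict(maturity)}
```

Running `summarize` over a real month's vectors reproduces both figures the post reports: the share of scores using CVSS 4.0, and how many of those leave exploit maturity at Not Defined.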