This blog will contain a host of information about various vulnerabilities and thoughts related to vulnerability management.
2025-04-01
Each month, we will highlight key statistics about all CVEs published during the previous month. The numbers presented below are generated using cve_investigator, a framework developed by Vulnarium.
To view older blog posts, please visit the archives section.
A total of 4,166 CVEs were published in March. Of those, 118 were rejected, leaving us with 4,048 new CVEs. The table on the left shows the distribution of base CVSS scores, per version, for all CVEs reporting this metric. It is important to note that some CVEs have multiple scores across multiple CVSS versions. Hence, some CVEs are represented multiple times in this table.
The graphics below show the base score distribution for CVSS v3.1 and 4.0.
CWEs are commonly used to describe vulnerabilities at a high level. The table below shows the number of instances of the top 10 CWEs for CVEs published in March. The graphic on the right provides a visual representation of this distribution.
WordPress-related vulnerabilities don't appear to be as over-represented as they have been since the beginning of the year. Only 12.39% of all CVEs reporting CWE-79 are related to WordPress. Additionally, a total of 413 CVEs relating to WordPress were published.
WordPress-related CVEs account for 12.39% (down from 28.26% last month) of all CVEs reporting CWE-79 (Cross-Site Scripting). This is the lowest WordPress CWE-79 monthly representation so far this year!
As shown below, only 16.8% (up from 14.3% last month) of all CVSS scores published were calculated using the latest CVSS version.
One of the many improvements in CVSS 4.0 is the modification to the exploit maturity field. The table on the left shows the exploit maturity data for all CVEs with CVSS 4.0 metric information published during the month. While the presence of this field is notably relevant, it is unfortunately underused, with the vast majority of CVSS 4.0 evaluations not taking it into account.
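The counting rules described above (one table entry per score, so a CVE scored under two CVSS versions is counted twice, and exploit maturity read from CVSS 4.0 vectors only) can be sketched as follows. This is an added example, not cve_investigator code: the record layout, CVE ids and scores are constructed, and a vector with no `E` metric is counted as Not Defined (`X`), which is the CVSS 4.0 default.

```python
from collections import Counter

# CVSS 4.0 Exploit Maturity (E) values; an omitted E means X (Not Defined).
E_LABELS = {"X": "Not Defined", "A": "Attacked",
            "P": "Proof-of-Concept", "U": "Unreported"}

# Constructed sample records in a simplified layout (not a real feed schema).
SAMPLE = [
    {"id": "CVE-0000-0001", "metrics": [
        {"version": "3.1", "score": 9.8,
         "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},
        {"version": "4.0", "score": 9.3,
         "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}]},
    {"id": "CVE-0000-0002", "metrics": [
        {"version": "4.0", "score": 5.3,
         "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"}]},
    {"id": "CVE-0000-0003", "metrics": [
        {"version": "3.1", "score": 6.1,
         "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]},
    {"id": "CVE-0000-0004", "metrics": []},  # no CVSS data: absent from every table
]

def severity(score):
    """Qualitative rating bands shared by CVSS 3.x and 4.0."""
    if score == 0:
        return "None"
    for upper, label in ((4.0, "Low"), (7.0, "Medium"), (9.0, "High")):
        if score < upper:
            return label
    return "Critical"

def exploit_maturity(vector):
    """Return the E label of a CVSS 4.0 vector, defaulting to Not Defined."""
    metrics = dict(part.split(":", 1) for part in vector.split("/")[1:])
    return E_LABELS.get(metrics.get("E", "X"), "Invalid")

def summarize(records):
    """Tally scores per (version, severity) and E values for 4.0 vectors."""
    by_version, maturity, scored = Counter(), Counter(), set()
    for rec in records:
        for m in rec["metrics"]:
            by_version[(m["version"], severity(m["score"]))] += 1
            scored.add(rec["id"])
            if m["version"] == "4.0":
                maturity[exploit_maturity(m["vector"])] += 1
    return by_version, maturity, len(scored)

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

On the constructed sample, four scores are tallied for three scored CVEs, which is the double counting the distribution table is subject to.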