This blog will contain a host of information about various vulnerabilities and thoughts related to vulnerability management.
2025-05-01
Each month, we will highlight key statistics about all CVEs published during the previous month. The numbers presented below are generated using cve_investigator, a framework developed by Vulnarium.
To view older blog posts, please visit the archives section.
A total of 4,142 CVEs were published in March. Of those, 104 were rejected, leaving us with 4,038 new CVEs. The table on the left shows the distribution of base CVSS scores, per version, for all CVEs reporting this metric. It is important to note that some CVEs have multiple scores across multiple CVSS versions. Hence, some CVEs are represented multiple times in this table.
The graphics below show base score distribution for CVSS v3.1 and 4.0.
CWEs are commonly used to describe vulnerabilities at a high level. The table below shows the number of instances of the top 10 CWEs for CVEs published in April. The graphic on the right provides a visual representation of this distribution.
Memory-related vulnerabilities are still surprisingly present for 2025! The 8th and 9th places both relate to memory issues!
As shown below, only 16.9% (stable compared with 16.8% last month) of all CVSS scores published were calculated using the latest CVSS version.
One of the many improvements in CVSS 4.0 is the modification to the exploit maturity field. The table on the left shows the exploit maturity data for all CVEs with CVSS 4.0 metric information published during the month. While the presence of this field is notably relevant, it is unfortunately underused, with the vast majority of CVSS 4.0 evaluations not taking it into account.