This blog will contain a host of information about various vulnerabilities and thoughts related to vulnerability management.
2025-06-01
Each month, we will highlight key statistics about all CVEs published during the previous month. The numbers presented below are generated using cve_investigator, a framework developed by Vulnarium.
To view older blog posts, please visit the archives section.
A total of 4,264 CVEs were published in May. Of those, 278 were rejected, leaving us with 3,986 new CVEs. The table on the left shows the distribution of base CVSS scores, per version, for all CVEs reporting this metric. It is important to note that some CVEs have multiple scores across multiple CVSS versions. Hence, some CVEs are represented multiple times in this table.
The graphics below show base score distribution for CVSS v3.1 and 4.0.
CWEs are commonly used to describe vulnerabilities at a high level. The table below shows the number of instances of the top 10 CWEs for CVEs published in April. The graphic on the right provides a visual representation of this distribution.
May 2025 saw a sharp decline in the number of reported CSRF vulnerabilities (130 in May vs. 248 in April).
A nice surprise this month: an uptick in CVSS 4.0 adoption, with 23.9% of all published CVSS scores using CVSS 4.0 (up from 16.9% last month). Note that this number does not correlate with the number of vulnerabilities: some vulnerabilities have multiple scores, sometimes for the same version.
One of the many improvements in CVSS 4.0 is the modification to the exploit maturity field. The table on the left shows the exploit maturity data for all CVEs with CVSS 4.0 metric information published during the month. While the presence of this field is notably relevant, it is unfortunately underused, with the vast majority of CVSS 4.0 evaluations not taking it into account.
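The two counting caveats above (scores are counted per score rather than per CVE, and a CVSS 4.0 vector that omits E counts as Not Defined) can be reproduced with the added example below. It is not cve_investigator code; it assumes records in the CVE JSON 5.x layout, and the records, placeholder IDs and function names are constructed for illustration.

```python
from collections import Counter

# Constructed sample records, trimmed to the fields used (placeholder IDs, not real CVEs).
V31 = "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
V40 = "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
SAMPLE = [
    {"cveMetadata": {"cveId": "CVE-0000-0001"}, "containers": {"cna": {"metrics": [
        {"cvssV3_1": {"vectorString": V31}}, {"cvssV4_0": {"vectorString": V40}}]}}},
    {"cveMetadata": {"cveId": "CVE-0000-0002"}, "containers": {
        "cna": {"metrics": [{"cvssV4_0": {"vectorString": V40 + "/E:P"}}]},
        "adp": [{"metrics": [{"cvssV3_1": {"vectorString": V31}}]}]}},
    {"cveMetadata": {"cveId": "CVE-0000-0003"}, "containers": {"cna": {"metrics": [
        {"cvssV3_1": {"vectorString": V31}}]}}},
    {"cveMetadata": {"cveId": "CVE-0000-0004"}, "containers": {"cna": {}}},  # no score
]
# CVSS 4.0 Exploit Maturity values.
E_LABELS = {"X": "Not Defined", "A": "Attacked", "P": "POC", "U": "Unreported"}

def iter_metrics(record):
    """Yield (version_key, cvss_dict) from the CNA container and every ADP container."""
    containers = record.get("containers", {})
    for container in [containers.get("cna", {}), *containers.get("adp", [])]:
        for entry in container.get("metrics", []):
            for key, value in entry.items():
                if key.startswith("cvssV"):  # skip non-CVSS metric formats
                    yield key, value

def exploit_maturity(vector):
    """Return the E metric of a CVSS 4.0 vector; an omitted E means X (Not Defined)."""
    parts = dict(p.split(":", 1) for p in vector.split("/")[1:])
    return parts.get("E", "X")

def summarize(records):
    """Count scores per CVSS version, distinct scored CVEs, and CVSS 4.0 E values."""
    scores, scored_cves, maturity = Counter(), set(), Counter()
    for rec in records:
        for key, cvss in iter_metrics(rec):
            scores[key] += 1
            scored_cves.add(rec["cveMetadata"]["cveId"])
            if key == "cvssV4_0":
                e = exploit_maturity(cvss["vectorString"])
                maturity[E_LABELS.get(e, e)] += 1
    total = sum(scores.values())
    share = round(100 * scores["cvssV4_0"] / total, 1) if total else 0.0
    return {"scores": dict(scores), "cves": len(scored_cves),
            "v4_share_pct": share, "maturity": dict(maturity)}

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

In this sample, five scores come from three scored CVEs, so the CVSS 4.0 share of scores (40%) differs from the share of CVEs carrying a 4.0 score.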