Cybersecurity Landscape 2025 Amid Record Vulnerabilities, Infrastructure Breakdown, and Growing Digital Risks

The year 2025 has unfolded in an environment marked by eroding trust in vulnerability databases, an explosive growth in cyberattacks, and digital overload for businesses.

Data breaches have become routine, the number of CVEs continues to break records, and traditional defense approaches no longer work. 

Cybersecurity expert Ilia Dubov, Head of Information Security and Compliance at Kaspersky, published an industry overview and a strategy for vulnerability management in The Top Voices magazine.

Here are the most important facts and trends defining the industry landscape this year.

1. Growth of CVEs

2024 set a record for CVEs. According to The Forum of Incident Response and Security Teams (FIRST), more than 45,000 vulnerabilities were registered over twelve months, and in 2025 this figure is expected to rise by another 11%.

For security professionals, this means not only an ever-increasing workload but also shrinking response time. Most concerning is that the gap between disclosure and exploitation has narrowed to just a few hours.

Attackers are leveraging automation and machine learning to weaponize CVEs into working exploits faster than organizations can prepare and deploy patches.

2. Infrastructure Challenges

Amid the rapid growth of new vulnerabilities, the community faces unprecedented infrastructure challenges. The most telling example is the crisis at the National Vulnerability Database (NVD).

For years, developers and security teams worldwide relied on NVD, but in 2024, it became overloaded and unable to keep pace with incoming data.

By November, the database had accumulated more than 20,000 unprocessed vulnerabilities. Of these, 93% were new, and nearly half were already being actively exploited.

In other words, the very threats the community most needed visibility into remained unanalyzed and uncategorized.

As highlighted by Dubov, this situation undermined trust in centralized sources and opened additional opportunities for attackers.

The breakdown of NVD triggered a domino effect: some companies were forced to turn to commercial platforms, others to local initiatives, further fragmenting the data landscape and increasing risks of duplication or loss of critical information.

The crisis didn’t go unnoticed at the political level either: the European Union officially tasked ENISA with developing a European vulnerability database — the first time a regional regulator has publicly questioned the effectiveness of the global source.

3. Digital Transformation Accelerates

Meanwhile, business is not slowing down. Cloud, IoT, SaaS, and AI-driven services are being adopted at an ever-faster pace, adding new points of risk.

In large and distributed infrastructures, vulnerabilities are emerging faster than they can be fixed. Dubov stresses that organizations lack a single reliable source of threat data, updates are delayed, and recommendations are often inconsistent.

Under these conditions, classical strategies appear increasingly rigid. Scheduled scans and patch cycles no longer allow organizations to stay ahead of attackers.

Companies are reacting after the fact, while the attack surface continues to expand. Instead of steadily reducing threats, organizations are accumulating a “security debt” — growing numbers of unaddressed vulnerabilities that attackers can easily exploit.

4. Outdated Methods Are Losing Effectiveness

Traditional vulnerability management was built on scheduled scanning, CVSS-based prioritization, and routine patching.

This model worked when the volume of vulnerabilities was lower and exploits took weeks to develop. Today, it has largely become a formality.

Scanners fail to adequately cover hybrid environments such as containers, cloud, and SaaS. CVSS scores don’t reflect the real likelihood of exploitation or the business criticality of assets.

As a result, organizations receive reports with hundreds of “red” vulnerabilities but lack clarity on which ones pose immediate threats. The process exists on paper, but it no longer reduces real-world risks.

Even more importantly, the old model has major blind spots. It focuses exclusively on registered vulnerabilities (CVEs) and largely ignores:

  • misconfigurations (e.g., exposed S3 buckets, misconfigured VPN gateways);
  • forgotten or weak accounts, including service accounts without MFA;
  • hardcoded tokens and keys in source code;
  • shadow IT assets and SaaS services outside the security team’s visibility.

These issues are not tracked in the NVD and don’t receive CVSS scores, yet in practice they are often the initial entry points for attackers.

In other words, the classical process only covers the “tip of the iceberg,” leaving organizations exposed to a broad spectrum of risks that scanners simply cannot see.

5. Shift Toward Exposure Management

The way forward is a transition to exposure management. This new model looks beyond CVEs to encompass the entire spectrum of risk points: exposed configurations, forgotten accounts, hardcoded tokens, and weak links in supply chains.

At its core is a comprehensive, up-to-date asset inventory, from on-premises systems to cloud services, IoT, and OT.

Data aggregation across multiple sources — NVD, CISA KEV, VulnCheck, threat intelligence feeds, and vendor bulletins — provides a more accurate picture of which threats truly matter.

Prioritization is driven by business context: how critical the asset is, the likelihood of exploitation, and the potential impact.
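
The difference between a CVSS-only report and context-driven prioritization, as an added example that is not taken from Dubov's article. The scoring formula, the default severity for unscored exposures, and all findings and asset names are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Exposure:
    ident: str               # constructed label, not a real CVE id
    asset: str
    cvss: Optional[float]    # None: misconfigurations and leaked secrets get no CVSS score
    known_exploited: bool    # e.g. present in a known-exploited list such as CISA KEV
    likelihood: float        # 0..1 exploitation estimate from threat intel (assumed input)
    criticality: int         # 1 (lab) .. 5 (business-critical), from the asset inventory
    internet_facing: bool

UNSCORED_SEVERITY = 0.7      # assumption: default severity for exposures without CVSS

def context_score(e: Exposure) -> float:
    """Hypothetical 0-100 score: severity x likelihood x reach x asset criticality."""
    severity = e.cvss / 10 if e.cvss is not None else UNSCORED_SEVERITY
    likelihood = 1.0 if e.known_exploited else e.likelihood
    reach = 1.0 if e.internet_facing else 0.5
    return round(100 * severity * likelihood * reach * e.criticality / 5, 1)

def rank_by_cvss(items):
    """Classic report: only CVSS-scored findings, highest base score first."""
    scored = [e for e in items if e.cvss is not None]
    return [e.ident for e in sorted(scored, key=lambda e: e.cvss, reverse=True)]

def rank_by_context(items):
    """Exposure view: every finding, ordered by the context score."""
    return [e.ident for e in sorted(items, key=context_score, reverse=True)]

# Constructed sample inventory
FINDINGS = [
    Exposure("CVE-EXAMPLE-A", "build-lab-vm", 9.8, False, 0.02, 1, False),
    Exposure("CVE-EXAMPLE-B", "vpn-gateway", 7.5, True, 0.40, 5, True),
    Exposure("CVE-EXAMPLE-C", "hr-intranet", 9.1, False, 0.10, 3, False),
    Exposure("MISCONFIG-public-bucket", "customer-exports", None, False, 0.60, 5, True),
    Exposure("SECRET-hardcoded-token", "payments-repo", None, False, 0.50, 4, False),
]

if __name__ == "__main__":
    print("CVSS order:   ", rank_by_cvss(FINDINGS))
    for e in sorted(FINDINGS, key=context_score, reverse=True):
        print(f"{context_score(e):5.1f}  {e.ident:26} {e.asset}")
```

The CVSS-only ranking puts the 9.8 finding on a lab VM first and omits the two non-CVE exposures entirely, while the context ranking moves the known-exploited VPN gateway issue and the public bucket to the top.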

Automation and AI play a central role, enabling faster reaction and sharper focus on what matters most.

Effectiveness is measured with new metrics that Dubov emphasizes in his article:

  • Mean Time to Detect/Respond (MTTD/MTTR) — speed of detection and response;
  • Patch Ratio — compliance with patching SLAs;
  • Vulnerability Recurrence Rate — how often issues reappear, e.g., in container images or new releases;
  • Threat Exposure Index — a holistic view of organizational risk for executive leadership.

What’s Next

2025 is becoming a turning point. Outdated methods can no longer keep up with the pace and scale of attacks.

The new model — exposure management — requires automation, integrated data, and cross-functional collaboration between security, DevOps, and business teams. Organizations that adapt will be able to maintain real risk control.

Those who continue relying on patch-and-pray will remain on the defensive and face more frequent attacks they are unprepared for.

For the market and individual organizations, this translates into three key actions:

  • shifting from reactive vulnerability patching to systematic exposure management;
  • deploying automation and AI at scale in detection and patching processes;
  • adopting new metrics of effectiveness that reflect not the number of closed CVEs but real risk reduction.

For detailed strategy and practical recommendations, see Ilia Dubov’s article — Implementation Strategy for Vulnerability Management in the 2025 Cybersecurity Landscape.
