CVE disclosures are projected to hit a record-breaking 46,886 by the end of 2025, according to a new open-source machine learning tool called CVEForecast.CVEForecast leverages historical and current CVE data from the CVE Project Official Repository and more than two dozen time series models to make its predictions. Overall, the models are trained on a dataset of more than 285,000 published CVEs from 1999 to 2025.The tool was created by RogoLabs Founder Jerry Gamblin as a “passion project” and officially published on Monday, with a visual web dashboard and open-source GitHub repository publicly available.“My main hope is that it simply brings awareness to the sheer, exponential growth of CVEs. Those of us in the vulnerability intelligence field have felt the pace accelerating for years, and I wanted to create a very clear, data-driven visual to confirm that feeling,” Gamblin, who is also a principal engineer at Cisco, Threat Detection & Response, told SC Media. The current CVEForecast estimate of 46,886 CVE disclosures by the end of 2025 would represent a more than 17% increase from 2024, when just over 40,000 CVEs were disclosed. This would also be the highest number of CVEs published in one year, with CVE volumes increasing every year since 2017.The CVEForecast dashboard retrieves updated data from the CVE Project Official Repository daily and feeds this data into multiple ML, deep learning and statistical models to make predictions for the rest of the year.The accuracy of each model’s predictions is validated based on actual data available for the last six months, and the models’ performance is ranked based on metrics including mean absolute error (MAE) and mean absolute percentage error (MAPE). Currently, the most accurate ranked model is XGBoost, which has an MAE of 196 CVEs per month and MAPE of 4.80%.Gamblin told SC Media that ML tools like CVEForecast could potentially be further developed to estimate CVE volumes by severity (CVSS score) or CWE, but acknowledged it could be challenging due to inconsistent availability of these metrics in available datasets.“A key reason for this is that the CVE program doesn’t currently require CVE Numbering Authorities, or CNAs, to include severity or CWE data when they publish a CVE. As a result, a significant portion of CVEs are published without this critical information, making a reliable forecast for those specific fields a complex problem to solve,” Gamblin said.CVEForecast is the latest project of RogoLabs, which publishes open-source tools designed to help security professionals analyze and understand vulnerability data.Gamblin’s previous open-source projects include CVE.ICU, which analyzes CVE data from the National Vulnerability Database, and PatchThis.app, which integrates data from the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) catalog and Rapid7 Metasploit, and uses the Forum of Incident Response and Security Teams’ (FIRST) Exploit Prediction Scoring System (EPSS) to help prioritize patching.FIRST’s work, including its vuln4cast event, served as an inspiration for CVEForecast, said Gamblin, and feedback from the security community on the new forecasting tool has been “fantastic” and “encouraging.”“That’s one of the real advantages — and disadvantages — of building in public. You get this immediate, valuable stream of ideas and critiques, and the project evolves live for everyone to see. This kind of input is exactly what I was hoping for, and it’s what will shape the future of the project,” Gamblin said.
Vulnerability Management, Patch/Configuration Management, AI/ML, Threat Intelligence
AI tool predicts 17% increase in CVE disclosures in 2025
An In-Depth Guide to AI
Get essential knowledge and practical strategies to use AI to better your security program.
Related Events
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds