2025 Q4 Vulnerability Publication Forecast

By Éireann Leverett
Thursday, October 16, 2025

Usually, we begin a blog post with a review of last quarter, but our volunteer team couldn’t get a forecast out last quarter. We had several pressing matters between multiple team members, and we apologise. So, we’ll move swiftly on to this quarter’s predictions.

This quarter we are expecting 12972 +/- 1156 new CVEs to be published by NVD. In the following quarter we expect an increase, so prepare for the new year early.

date        mean          mean_se     mean_ci_lower  mean_ci_upper
2025-12-31  12972.710121  590.089648  11816.155663   14129.264578
2026-12-31  14032.929276  662.119281  12735.199331   15330.659221

As we all know, the majority of those will not be serious vulnerabilities that are likely to be exploited. Your teams will need to triage these according to your asset registers, asset value, availability of patches, mitigating detections, threat intelligence, and likelihood of exploitation.

2025 Quarterly Vulnerability Forecast

This forecast has changed slightly, and you’ll see we publish multiple prediction intervals where we used to print only one. We hope this helps the reader understand that the middle range is more likely, but there is always a 10% chance that the real value falls outside our prediction. Often, that will be higher than we predicted, rather than lower. So wise risk managers can think about resources they can set aside for the 10% chance that we see more than 14129 vulnerabilities this quarter, and whether their teams and patch cadences can handle such a scenario.
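One way to turn the forecast row into a staffing question, as an added example that is not the forecasting team's own code or model. It assumes the forecast error is normally distributed around the mean with the published mean_se; the function names and the CAPACITY figure are constructed for illustration.

```python
from statistics import NormalDist

# Forecast rows copied from the table on this page.
FORECAST = """\
date mean mean_se mean_ci_lower mean_ci_upper
2025-12-31 12972.710121 590.089648 11816.155663 14129.264578
2026-12-31 14032.929276 662.119281 12735.199331 15330.659221
"""

def parse_forecast(text):
    """Return {date: {column: float}} from the whitespace-separated table."""
    header, *rows = [line.split() for line in text.strip().splitlines()]
    return {r[0]: dict(zip(header[1:], map(float, r[1:]))) for r in rows}

def interval(row, level):
    """Two-sided interval at `level` (assumption: normal forecast error).
    At level 0.95 this reproduces mean_ci_lower and mean_ci_upper."""
    z = NormalDist().inv_cdf(0.5 + level / 2)
    return row["mean"] - z * row["mean_se"], row["mean"] + z * row["mean_se"]

def exceedance(row, capacity):
    """Probability that the published count is above `capacity`."""
    return 1 - NormalDist(row["mean"], row["mean_se"]).cdf(capacity)

def plan_for(row, risk):
    """Count to staff for so the chance of exceeding it is at most `risk`."""
    return NormalDist(row["mean"], row["mean_se"]).inv_cdf(1 - risk)

if __name__ == "__main__":
    q4 = parse_forecast(FORECAST)["2025-12-31"]
    for level in (0.50, 0.80, 0.95):
        lo, hi = interval(q4, level)
        print(f"{level:.0%} interval: {lo:,.0f} to {hi:,.0f}")
    # Constructed figure: CVEs a hypothetical team can triage per quarter.
    CAPACITY = 13500
    print(f"P(count > {CAPACITY}) = {exceedance(q4, CAPACITY):.1%}")
    print(f"Plan for {plan_for(q4, 0.05):,.0f} to keep overflow risk at 5%")
```

Swapping CAPACITY for your own triage throughput gives the chance that this quarter's publications outrun the team, which is the resourcing question the forecast is meant to inform.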

We held a wonderful conference this year in Cambridge, England, and many useful things were discussed. There are several students taking up forecasting as an endeavour, and we believe that will help patching teams move decision support left of publication.

One important thing discussed is that volume is not enough, just like temperature is only one part of a weather forecast. We need forecasts to expand into other aspects such as product, vendor, CVSS vector, CWE, and CNA. Ultimately, we need to narrow down these forecasts to how many vulnerabilities are likely to be exploited, and maybe even get to predicting which products and vendors they will be.

In short: If a forecast doesn’t change how you will allocate your resources this quarter, then forecasts still have a long way to go. I personally believe those innovations are underway, and you’ll be seeing them over the next few years. What could we tell you as part of vulnerability management decision support that would matter to your vulnerability or attack surface management programmes?

Eireann Leverett and the vulnerability forecasting team