Software Vulnerability Statistics And Trends In 2025

Discover key statistics on common software vulnerabilities, the market, and predicted trends.

Last updated on Feb 21, 2025
Written by Mirren McDade. Technical review by Laura Iannini.

Software vulnerabilities are weak points or security gaps in software applications or systems. These vulnerabilities, if exploited, can open the door to unauthorized access, leading to compromised data and disrupted operations. This can, in turn, result in substantial losses of time, money and reputation.

When vulnerabilities are identified, software developers release ‘patches’ to close the gaps. It is essential that organizations apply these as soon as they can; otherwise, it is like leaving the door open to an attacker. By patching promptly, organizations can reduce security risks, protect sensitive information, and ensure compliance with cybersecurity regulations, ultimately strengthening their overall security posture.

At Expert Insights, we’ve gathered useful statistics that cover the most common vulnerabilities, the market, and recent trends. These should help to inform organizations of the current state of the vulnerability landscape so they can plan accordingly, optimizing efficiency and accuracy.

Recent Trends From 2024

  • 40,009 new CVEs were published during the year 2024. This comes out to around 108 new vulnerabilities being disclosed each day on average. 
  • This figure is a 38% increase from 2023, which had 28,818 CVEs published. 
  • The average Common Vulnerability Scoring System (CVSS) score for vulnerabilities found in 2024 was 6.67, which indicates medium-high risk.
  • CVSS scores range from 0 to 10, where 0 is a minor issue and 10 is critical severity.
  • According to analysis from VulnCheck, 768 CVEs were publicly reported as exploited in the wild in 2024, a 20% increase from the previous year. These CVEs were initially reported by 112 unique sources.
  • Sources of these initial reports include cybersecurity vendors, government agencies, and nonprofit organizations. 
  • In 2024, 23.6% of Known Exploited Vulnerabilities (KEVs) were known to be exploited on or before the day their CVEs were publicly disclosed. This is a decrease from 27% in 2023.
  • 50% of known exploited vulnerabilities are exploited within 192 days of the corresponding CVE being disclosed.

Software Vulnerability Management Market Statistics In 2025

  • In 2025, the global security and vulnerability management market size is estimated at $17.63 billion USD.
  • This is projected to grow to $24.47 billion USD by 2030 at a CAGR of 6.8%.
  • The region with the largest market share is North America at 37%. Additionally, the Asia Pacific region is expected to have the fastest CAGR by 2030.
  • The industry with the largest market revenue share is defense / government. The BFSI (Banking, Financial Services, and Insurance) segment is expected to have the fastest CAGR by 2030.

Most Common Vulnerabilities 

OWASP Top 10 

The OWASP Top 10 is a standard document that outlines some of the most widespread application security risks that developers need to be aware of. Risks on the list currently include:

  1. Broken Access Control 
  2. Cryptographic Failures 
  3. Injection 
  4. Insecure Design 
  5. Security Misconfiguration 
  6. Vulnerable and Outdated Components 
  7. Identification and Authentication Failures 
  8. Software and Data Integrity Failures 
  9. Security Logging and Monitoring Failures 
  10. Server-Side Request Forgery (SSRF) 

MITRE’s 2024 Common Weakness Enumeration (CWE) Top 25 Most Dangerous Software Weaknesses

This annual list published by MITRE identifies the most critical and common software weaknesses linked to over 31,770 Common Vulnerabilities and Exposures (CVE) records. This resource serves as a guide for developers, security professionals, and organizations.

According to MITRE, the purpose of this list is to highlight critical weaknesses behind the most common CVEs of the year. Out of the full list of vulnerabilities, these are the top five:

  • Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) 
  • Out-of-bounds Write 
  • Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) 
  • Cross-Site Request Forgery (CSRF) 
  • Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) 

What can be learned by comparing this year’s list with 2024’s?

New entries in the Top 25: 

Entries that have fallen from the Top 25: 

Vulnerabilities that moved highest up the list: 

Vulnerabilities that fell furthest down the list: 



Written By

Mirren McDade is a senior writer and journalist at Expert Insights, spending each day researching, writing, editing and publishing content, covering a variety of topics and solutions, and interviewing industry experts. She is an experienced copywriter with a background in a range of industries, including cloud business technologies, cloud security, information security and cyber security, and has conducted interviews with several industry experts. Mirren holds a First Class Honors degree in English from Edinburgh Napier University.

Technical Review
Laura Iannini Cybersecurity Analyst

Laura Iannini is an Information Security Engineer. She holds a Bachelor’s degree in Cybersecurity from the University of West Florida. Laura has experience with a variety of cybersecurity platforms and leads technical reviews of leading solutions. She conducts thorough product tests to ensure that Expert Insights’ reviews are definitive and insightful.