Threat Source newsletter
Welcome to this week's edition of the Threat Source newsletter.
It's time to look back at a year that pushed the vulnerability landscape to new heights. I must admit this retrospective is arriving later than planned. With 48,196 CVEs in 2025 (a staggering 132 vulnerabilities per day), the analysis takes time — especially when you're operating one-handed after an encounter with black ice breaks your dominant arm. But better thorough than rushed, right?
What concerns me more than the sheer volume is what's inside these CVEs. XSS, SQL injection, and deserialization vulnerabilities continue to dominate, accounting for roughly 10,000 CVEs. Despite decades of awareness, these fundamental software security weaknesses persist.
The Known Exploited Vulnerabilities (KEV) Catalog tells an even more sobering story. With 241 KEVs in 2025 compared to 186 in 2024, we saw a 30% increase in confirmed active exploitation.
94 KEVs (39%) added in 2025 originated from CVE-2024 and earlier. We saw actively exploited vulnerabilities from as far back as 2007 — yes, vulnerabilities old enough to vote in some countries are still causing problems today. Patch management must address legacy systems. It starts with visibility: maintaining accurate asset inventories and understanding what’s actually running in your environment. For those systems that truly can't be patched, whether due to operational constraints or vendor abandonment, compensating controls become essential. Microsegmentation, network isolation, and enhanced monitoring can reduce the radius of damage when (not if) something goes wrong.
With 54 KEVs targeting firewalls, VPNs, and other network appliances, we saw network infrastructure take a disproportionate hit. And the vendor landscape in KEVs expanded to 99 vendors in 2025, up from 79 when I last checked in October. Connect that with supply chain complexity and the patch management visibility challenges I mentioned earlier, and you'll quickly realize why security teams are spending more time — not less — on vulnerability management. Every additional vendor in your environment is another patch cycle to track, another advisory to monitor, another potential weak link in the chain.
This is the first time I’ve attempted to systematically track AI-related vulnerabilities in the CVE data, and the methodology is still evolving. Defining what constitutes an 'AI vulnerability' isn't straightforward. For this initial pass, I searched for CVEs containing specific keywords across several categories:
| Category | Keywords |
| --- | --- |
| AI Platforms | AutoGPT, OpenWebUI, Ollama, vLLM, llama.cpp, LLaMA-Factory, MaxKB, Dify, LangChain |
| ML Frameworks | PyTorch, TensorFlow, scikit-learn, XGBoost, Hugging Face, MLflow |
| LLM Products | ChatGPT, GPT-3, GPT-4, OpenAI, Anthropic, Claude Code |
| AI Concepts | prompt injection, large language model, Model Context Protocol |
Using this approach, AI-related CVEs nearly doubled year-over-year, jumping from 168 to 330. Notably, 'Model Context Protocol (MCP)' and 'Claude' didn't appear in 2024 data at all.
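A sketch of how such a keyword pass can be run over CVE descriptions, added here as an example and not the script behind the numbers above. The record fields (`id`, `year`, `description`) and the sample records are constructed assumptions; the whole-token matching is one choice for limiting false positives, since a plain substring search for "Dify" also hits "modifying".

```python
import re
from collections import Counter

# Keyword lists copied from the newsletter's category table.
CATEGORIES = {
    "AI Platforms": ["AutoGPT", "OpenWebUI", "Ollama", "vLLM", "llama.cpp",
                     "LLaMA-Factory", "MaxKB", "Dify", "LangChain"],
    "ML Frameworks": ["PyTorch", "TensorFlow", "scikit-learn", "XGBoost",
                      "Hugging Face", "MLflow"],
    "LLM Products": ["ChatGPT", "GPT-3", "GPT-4", "OpenAI", "Anthropic",
                     "Claude Code"],
    "AI Concepts": ["prompt injection", "large language model",
                    "Model Context Protocol"],
}

def _pattern(keyword):
    # Case-insensitive, whole-token match: a plain substring search for
    # "Dify" would also fire on the word "modifying".
    return re.compile(r"(?<![A-Za-z0-9])" + re.escape(keyword) + r"(?![A-Za-z0-9])",
                      re.IGNORECASE)

PATTERNS = {cat: [_pattern(k) for k in kws] for cat, kws in CATEGORIES.items()}

def classify(description):
    """Return the sorted categories whose keywords occur in a description."""
    return sorted(cat for cat, pats in PATTERNS.items()
                  if any(p.search(description) for p in pats))

def count_by_year(records):
    """Count each record once per year, however many categories it matches."""
    counts = Counter(r["year"] for r in records if classify(r["description"]))
    return dict(counts)

# Constructed sample records (assumed field names; not real CVE entries or text).
SAMPLE = [
    {"id": "EXAMPLE-1", "year": 2024, "description": "Path traversal in an MLflow deployment."},
    {"id": "EXAMPLE-2", "year": 2025, "description": "Prompt injection via a Model Context Protocol server."},
    {"id": "EXAMPLE-3", "year": 2025, "description": "SQL injection when modifying user profiles."},
    {"id": "EXAMPLE-4", "year": 2025, "description": "Input validation flaw in a LangChain app calling the OpenAI API."},
]

if __name__ == "__main__":
    for rec in SAMPLE:
        print(rec["id"], rec["year"], classify(rec["description"]))
    print(count_by_year(SAMPLE))
```

Records that match several categories are counted once per year, so per-category tallies can sum to more than the yearly total.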
A word of caution: While CVE data provides valuable insight into disclosed vulnerabilities in AI tools and frameworks, it doesn't capture emergent risks such as jailbreaking, hallucination-based misinformation, training data extraction, or model inversion attacks. See https://genai.owasp.org/llm-top-10/ and https://atlas.mitre.org/ if you want to learn more.
Keep tracking, keep patching, and stay tuned for the 2025 Year in Review for more trend analysis.