January 14, 2026

2025 Vulnerability Year-End Review

The article reviews how FIRST’s 2025 vulnerability publication forecasts performed and reports that both the annual and quarterly estimates landed within their pre-defined confidence intervals. With two days left in 2025, the author notes 49,183 CVEs published, which fits inside the February forecast range of 41,142 to 49,868 (based on a central estimate of 45,505 ± 4,363). The article highlights that while the “average” estimate was somewhat low, the real-world total tracked very close to the upper bound, which the author frames as a practical win for defenders who plan capacity using the higher end of forecast ranges.

It also validates the Q4 forecast as operationally useful: the Q4 prediction range was 11,815 to 14,129 CVEs, and the actual count of 12,359 stayed well within that band, with error under 5%—the kind of accuracy that can influence patching sprints, analyst workload planning, and tooling budgets. Beyond the numbers, the piece stresses that vulnerability forecasting is becoming a broader, more resilient community effort: FIRST open-sourced its Vuln4Cast work, others are developing alternative forecasting approaches (including machine-learning models), and CIRCL continues to expand vulnerability data services. The author argues the next step is moving past “how many CVEs” toward forecasts that better reflect risk—such as vendor patterns, CVSS characteristics, CWE trends, and likelihood of exploitation—and invites interested practitioners to engage through upcoming community events.

Source: https://www.first.org/blog/20251229-Vulnerability-Forecast-Review
