November CVEs Fell 25% YoY, Driven by Slowdowns at Major CNAs
Blog post from Socket
In 2025, the volume of Common Vulnerabilities and Exposures (CVEs) remains higher than in 2024, despite a notable 25% decline in November compared to the same month the previous year. Jerry Gamblin, a cybersecurity expert, highlights that this fluctuation underscores the fragility of using global CVE counts as a risk metric, because those counts are heavily influenced by the administrative activity of a few key publishers such as Patchstack, MITRE, and the Linux kernel ecosystem. Patchstack's temporary slowdown, attributed to an internal migration, exemplifies how a workflow change at a single major source can visibly affect overall CVE issuance. The discussion emphasizes that while CVE counts can indicate the health of the publishing pipeline, they should not be equated with risk levels, since exploitation trends operate on different timelines from disclosure volume. VulnCheck's analysis shows that vulnerabilities can be exploited soon after disclosure, with some exploited on or before the date the CVE is issued. Gamblin and other experts therefore advise basing operational prioritization on exploitation indicators and available remediation options rather than on month-to-month CVE disclosure counts, and they leave open whether November's downturn reflects a temporary dip or a lasting shift in publisher throughput.