We wrote a blog post 6 months ago titled “the Curious Case of the 10.0 CVSS Score”, and the industry was in shock: 2024 had produced an unprecedented 231 vulnerabilities rated a perfect 10.0. It seemed like an anomaly, a statistical outlier in the Common Vulnerability Scoring System’s twenty-year history.
Fast‑forward to today, and this year has already made 2024’s spike look modest. As of October, over 38,000 new CVEs have been published globally, marking a 21% year‑over‑year increase. The more sobering statistic? We’ve already passed the 300 mark for CVSS 10.0 vulnerabilities, with several months still left in the year.[1][2][3][4]
If 2024 was the year the curve spiked, 2025 is the year it bent sideways. “Critical” has stopped being exceptional; it’s becoming the norm.
| Metric | 2024 | 2025 (as of Oct) |
| --- | --- | --- |
| Total CVEs | 40,303 | 38,140 |
| CVSS 10.0 Vulnerabilities | 231 | 300+ |
| Avg. Daily CVEs | 110.1 | 127.1 |
So far this year, we have seen 300 vulnerabilities rated CVSS 10.0. At the current pace, that is roughly one a day!
Why the Explosion Continued
Automation and AI in Discovery
The integration of AI tools into vulnerability research has multiplied scan depth and frequency. Autonomous fuzzers and ML‑driven detection platforms now uncover issues across massive supply‑chain surfaces faster than humans could manually triage them.[5][1]
Expanded Attack Surfaces
Critical flaws like CVE‑2025‑49844 (“RediShell”), a zero‑day in Redis assigned a CVSS 10.0, show how cloud‑native platforms have become single points of systemic risk. Redis’s ubiquity across microservices amplified its impact exponentially.[3][4]
Compressed Response Windows
Exploit‑to‑disclosure timeframes have collapsed. Security vendors estimate that 30% of vulnerabilities see active exploitation within 24 hours of public disclosure. The speed now outpaces traditional corporate patch cycles.[2]
Dependency Cascades
With 97% of modern applications consuming open-source components, each 10.0 vulnerability can instantly propagate across thousands of dependent systems, creating herd‑level exposure.[2][5]
The “Criticality Collapse” Problem

At the start of 2025 we warned that the rise of 10.0 CVEs would strain remediation capacity. That prediction materialized (much) faster than expected.
Security teams that once fast‑tracked every 9.8 or higher now face hundreds of simultaneous emergencies each quarter. The “rush‑patch” model no longer works; it has an opportunity cost. Every patch sprint delays dozens of other fixes, widening the organizational patch gap and accumulating technical debt.[1][5]
The result isn’t just alert fatigue. It’s what some CISOs are calling criticality collapse: when the scale of high‑severity vulnerabilities erodes our ability to meaningfully prioritize.
If 2024 was the year of the “10.0 anomaly,” then 2025 has proven it’s no anomaly at all. The perfect score has become the new baseline, and the industry’s ability to adapt will define what “critical” means in 2026 and beyond.
1. https://deepstrike.io/blog/vulnerability-statistics-2025
2. https://securelist.com/vulnerabilities-and-exploits-in-q2-2025/117333/
3. https://www.wiz.io/blog/wiz-research-redis-rce-cve-2025-49844
4. https://thehackernews.com/2025/10/13-year-redis-flaw-exposed-cvss-100.html
5. https://hivepro.com/blog/the-cve-deluge-of-2025-why-its-more-than-just-a-number-problem/