As we look back at the cybersecurity landscape over the past year, 2025 didn’t give us another eye‑watering spike in CVSS 10.0 scores; it did something a bit more insidious. Instead of a single outlier, it cemented a new normal: a deluge of vulnerability volume, thousands of “criticals”, and a patching problem that simply does not scale with human teams.[1][2][3]
In 2024, the number of CVEs with a perfect CVSS score of 10.0 hit an all‑time high, more than the previous five years combined. Your odds of seeing one in your environment went from “rare, but possible” to “reasonably likely.” In 2025, the story shifted: 10.0s blended into a much bigger wave of high‑impact vulnerabilities, and the real headline became the crushing volume of everything else.[4][3]
To understand what changed, it is useful to zoom out from just the 10.0s and look at what happened to CVEs overall.
From spike to baseline: CVEs by the numbers
A special thanks to Gerry Gamblin, whose blog publishes excellent CVE analysis. Between 2017 and 2023, CVE growth was steady but at least vaguely manageable. In 2024, things accelerated sharply with 40,009 published CVEs, a 38% increase over 2023 and an average of 108 new entries every day. That already marked the seventh consecutive record‑breaking year.[1][4]
Then 2025 arrived and broke that record again.
- Total CVEs in 2025: 48,185, up about 20–21% from 2024.[5][2][6][3]
- That works out to roughly 131 new vulnerabilities every single day.[7][6][3]
- The cumulative total since the start of the CVE program now exceeds 308,000.[2][3][5]
If 2024 felt like a flood, 2025 quietly raised the waterline. For many organizations, “keeping up” now mathematically implies leaving a lot of vulnerabilities—some of them high severity—unpatched at any given moment.[8][3][2]
What about those perfect 10s?
In last year’s post, the 231 CVSS 10.0 vulnerabilities of 2024 stood out like a sore thumb against the historical average of around 40 per year between 2017 and 2023. Back then they were the exception you could point at in a board deck and say, “this is new, this is different.”
In 2025, CVSS 10.0 didn’t disappear; it just stopped being special.[9][10][11][8]
We continued to see “perfect score” bugs with all the classic hallmarks:
- Unauthenticated remote code execution.
- Straightforward exploitation paths, often with public proof‑of‑concept code.
- Active exploitation in the wild soon after disclosure.[10][11][12][8][9]
Late‑year threat reporting highlighted multiple 10.0‑class issues in widely deployed products being exploited during what should have been change‑freeze season. December 2025 alone saw around 5,500 CVEs published, over 11% of the year’s total, with several criticals under active exploitation.[3][11][2]
So yes, 10.0 is still here. The difference is that it now competes for attention with 3,984 critical and 15,003 high‑severity CVEs overall, in a year where the average CVSS score was 6.60 and the median was 6.50. The statistical “center” of vulnerability severity is now firmly in the medium–high range.[13][8][2][3]
In other words: 10.0 is no longer the outlier that drives your strategy. It is just the sharpest point on a very wide spear.
Why volume matters more than score
In the original post, I made a simple assumption: it would not be uncommon to hear a CISO say, “we rush any patch with a CVSS score of 9.8 or above.” That’s a perfectly reasonable policy when you see around 40 of those a year, and the odds of having more than one or two in your environment at the same time are small.
However, the math looks very different now!
In 2025 alone:
- 3,984 vulnerabilities were rated critical.[13][3]
- 15,003 were rated high, bringing the total “high or critical” pool to 18,987, roughly 39–40% of all CVEs that year.[8][2][3]
Let us be generous and say your environment is directly exposed to just 5–10% of those issues, in software and services you actually run. That still leaves you with hundreds of “rush this” candidates per year, layered on top of your standard day‑to‑day vulnerability management operations.
Every time you hit the big red button for a 9.8+ “emergency change,” you are not just fixing a bug—you are spending finite engineering, testing, and outage capital. When the pool of possible emergencies grows 5x, and then total CVE volume grows another 20% year‑over‑year, your traditional emergency model becomes a denial‑of‑service attack on your own operations.[3][8][1]
The result is exactly what we worried about last year: a structurally widening patch gap. Not because teams are lazy or careless, but because the workload has outgrown any reasonable human‑scale process.[2][8][3]
How risk‑based patching actually evolved in 2025
Most organizations have already moved beyond naive “CVSS ≥ 9.8 = drop everything” policies, at least on paper. In 2025, the most mature teams started to operationalize a more nuanced stack of signals:[9][10][8][3]
- Exploitability: Is there a reliable exploit, a Metasploit module, or a proof‑of‑concept? Is it on CISA KEV or equivalent “exploited in the wild” lists?[12][10][8][9]
- Exposure: Is the affected asset internet‑facing, reachable from a low‑trust zone, or sitting in front of a critical business process?
- Blast radius: If this asset is compromised, what can you pivot to? Data stores, identity providers, OT environments?
- Business context: Does this sit on a revenue‑generating service, regulated data, or safety‑critical function?
CVSS is still there, but as one input rather than the final word. The practical definition of “rush patch” has quietly shifted from “score ≥ X” to “highly exploitable, highly exposed, high blast radius on a critical asset.”[10][8][3][9]
Threat‑intel reports through 2025 consistently showed attackers concentrating on a relatively small subset of vulnerabilities—even while overall CVE counts exploded. That subset tends to have a few common traits: remote code execution, authentication bypass, privilege escalation, and widely deployed platforms or libraries.[12][8][13][9][10]
This is where most organizations are converging:
- Track everything.
- Patch a prioritized subset fast (exploited + exposed + high‑impact).
- Accept that a long tail of high‑severity issues will remain open longer, mitigated by configuration, segmentation, or monitoring rather than immediate patching.[8][2][3][9]
It is not neat. It is not comfortable. But it is honest.
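As an added illustration (not part of the original post), the following Python sketch applies the signal stack above and the three‑way outcome (rush, schedule, or mitigate and accept the long tail) to a constructed backlog. The CVE ids are placeholders, and the field names, the tier rules and the sample findings are assumptions chosen to show how a 10.0 on an isolated appliance can rank below a 7.5 on an exposed identity provider.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str                 # constructed placeholder id, not a real CVE
    cvss: float
    exploited_in_wild: bool  # on CISA KEV or an equivalent "exploited" list
    public_poc: bool         # PoC or Metasploit module available
    exposed: bool            # internet-facing or reachable from a low-trust zone
    blast_radius: str        # "low" | "medium" | "high" (pivot to IdP, data stores, OT)
    business_critical: bool  # revenue, regulated data, or safety-critical function


def naive_rush(f: Finding) -> bool:
    """The 'CVSS >= 9.8 means drop everything' policy."""
    return f.cvss >= 9.8


def triage(f: Finding) -> str:
    """Risk-based tier (assumed rules): 'rush' only when the finding is highly
    exploitable, highly exposed, high blast radius AND on a critical asset;
    'scheduled' for exploitable issues with one aggravating factor; everything
    else is 'mitigate' (segmentation, configuration, monitoring) until a normal cycle."""
    exploitable = f.exploited_in_wild or f.public_poc
    if exploitable and f.exposed and f.blast_radius == "high" and f.business_critical:
        return "rush"
    if exploitable and (f.exposed or f.blast_radius == "high" or f.business_critical):
        return "scheduled"
    return "mitigate"


def compare(findings):
    """Emergency-change load under each policy: naive count vs. risk-based tiers."""
    naive = sum(naive_rush(f) for f in findings)
    return naive, dict(Counter(triage(f) for f in findings))


# Constructed sample backlog (placeholder ids, made-up attributes).
SAMPLE = [
    Finding("CVE-XXXX-0001", 10.0, False, False, False, "low", False),  # isolated lab appliance
    Finding("CVE-XXXX-0002", 7.5, True, True, True, "high", True),      # edge IdP, on KEV
    Finding("CVE-XXXX-0003", 9.8, False, True, True, "medium", False),  # public marketing site
    Finding("CVE-XXXX-0004", 9.8, True, False, False, "high", True),    # segmented OT jump host
    Finding("CVE-XXXX-0005", 6.5, False, False, True, "low", False),    # low-impact web component
]

if __name__ == "__main__":
    naive, tiers = compare(SAMPLE)
    print(f"naive 9.8+ emergencies: {naive}, risk-based tiers: {tiers}")
    for f in SAMPLE:
        print(f.cve, f.cvss, triage(f))
```

On this backlog the naive rule raises three emergencies while the risk‑based rule raises one, and the 10.0 on the isolated appliance lands in the mitigate tier.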
What criticality collapse looks like
In 2024, the question was: “Why are there suddenly so many CVSS 10.0 vulnerabilities, and what does that mean for our patching strategy?”
By the end of 2025, we are staring at something bigger: criticality collapse—the point where “critical” is so common it stops being actionable. When almost 4,000 vulnerabilities in a single year wear the “critical” label and nearly 19,000 are high or critical, the designation no longer narrows the field; it floods it.
In practical terms, criticality collapse looks like this: your dashboards are full of red, your SLAs are permanently breached on paper, and your teams quietly accept that a large chunk of “critical” findings will never be patched on time. Not because they do not care, but because the label no longer meaningfully differentiates risk or workload. “Critical” has become the background noise of modern vulnerability management.
The curious case of the 10.0 CVSS score was an early symptom. Criticality collapse is the diagnosis. The path forward is not to wish for fewer vulnerabilities, but to build processes, metrics, and conversations that assume the overload is permanent—and still deliver meaningful, defensible risk reduction in spite of it.