    Critical CVEs, CVSS v4, and the Adoption Gap No One Talks About | Blog

    By admin, March 29, 2026


    A common topic that’s been brought to my attention on several occasions is the perceived increase in vulnerabilities deemed “Critical” by their CVSS severity. According to FIRST, CVSS severity ratings are intended to help organizations assess and prioritize vulnerability management efforts. With this in mind, I set out to explore CVSS severity trends over time, which ultimately led me to examine the impact and adoption of CVSS v4.

    For this research, I used public data aggregated by VulnCheck from sources including NIST NVD, CISA, CVE Numbering Authorities, and vendor security advisories. I selected a single CVSS score for each published CVE, choosing the score associated with the most recent CVSS version available at the time.

    First, I examined CVSS severity by year to better understand how vulnerability volume is distributed across severity levels, using the most recent CVSS version available for each CVE. It is also worth noting that, at the time of this research, 2025 still had approximately three weeks remaining for CVE issuance.

    [Figure: Critical Vulnerabilities]

    At a glance, the volume of CVEs classified as Critical has remained relatively consistent over the past four years, with a slight dip observed in 2024 and 2025. In contrast, the number of Medium and Low severity CVEs has increased substantially. While this trend could still change as more CVEs are published, the proportion of Critical CVEs relative to the total number of vulnerabilities has clearly declined. In other words, there are significantly more CVEs overall, but proportionally fewer Critical and High severity issues.

    With CVSS v4 having been publicly available for roughly two years, I wanted to explore whether it may be contributing to the slight decline in Critical CVEs.

    [Figure: Critical Versions]

    To do this, I mapped CVSS severity by scoring version to identify any meaningful differences in severity distribution. The data shows a notable reduction in the percentage of CVEs scored as Critical or High under CVSS v4 compared to earlier versions.

    To better understand the cause of this apparent shift, I took a deeper look at the CVEs scored using CVSS v4. What quickly became apparent is that 49% of CVEs with a CVSS v4 score were published by VulDB, which disproportionately influences the overall CVSS v4 dataset.

    [Figure: Critical Outlier]

    When CVEs published by VulDB are excluded, the resulting severity distribution aligns much more closely with CVSS v3 and v3.1. This raised the question: what is unique about VulDB’s use of CVSS v4?

    The primary difference appears to be the consistent use of the Subsequent System Impact metrics (SC, SI and SA) set to None (N). This choice may well have good reasons behind it, such as limited visibility into subsequent-system impact or limits on how far scoring can be automated, but it results in lower overall CVSS v4 severity scores for nearly all affected CVEs.
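    The selection and grouping steps described above (one score per CVE from the most recent CVSS version, severity share by scoring version, the effect of excluding one publisher, and a check for v4 vectors whose Subsequent System metrics are all N) as an added example, not the post's code or VulnCheck's tooling; the record layout, the helper names and the sample data are assumptions constructed for this example.

```python
from collections import Counter, defaultdict

# Qualitative severity bands, identical for CVSS v3.x and v4.0 (FIRST's rating scale).
BANDS = ((0.0, "None"), (3.9, "Low"), (6.9, "Medium"), (8.9, "High"), (10.0, "Critical"))
VERSION_RANK = {"2.0": 0, "3.0": 1, "3.1": 2, "4.0": 3}

def severity(score):
    return next(name for top, name in BANDS if score <= top)

def pick_latest(cve):
    """Keep one score per CVE: the entry carrying the most recent CVSS version."""
    return max(cve["cvss"], key=lambda e: VERSION_RANK[e["version"]])

def subsequent_all_none(vector):
    """True when a v4 vector sets the Subsequent System metrics SC, SI and SA to N."""
    metrics = dict(part.split(":") for part in vector.split("/")[1:])
    return all(metrics.get(m) == "N" for m in ("SC", "SI", "SA"))

def severity_by_version(cves, exclude_source=None):
    """Percent of CVEs in each severity band, grouped by scoring version;
    exclude_source drops one publisher to measure its influence on the mix."""
    counts = defaultdict(Counter)
    for cve in cves:
        latest = pick_latest(cve)
        if latest["source"] != exclude_source:
            counts[latest["version"]][severity(latest["score"])] += 1
    return {v: {s: round(100 * n / sum(c.values()), 1) for s, n in c.items()}
            for v, c in counts.items()}

def subsequent_none_share(cves):
    """(count, total) of latest-version v4 entries whose SC/SI/SA are all N."""
    v4 = [e for e in map(pick_latest, cves) if e["version"] == "4.0"]
    return sum(subsequent_all_none(e["vector"]) for e in v4), len(v4)

def score_entry(version, score, source, vector=None):
    return {"version": version, "score": score, "source": source, "vector": vector}

# Constructed sample records: placeholder IDs, sources and scores (scores are
# illustrative and were not computed from the vectors); not real CVE data.
V4 = "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:{0}/VI:{0}/VA:{0}/SC:{1}/SI:{1}/SA:{1}"
SAMPLE = [
    {"id": "CVE-0000-0001", "cvss": [score_entry("3.1", 9.8, "nvd-like"),
                                     score_entry("4.0", 10.0, "vendor-a", V4.format("H", "H"))]},
    {"id": "CVE-0000-0002", "cvss": [score_entry("3.1", 7.5, "nvd-like")]},
    {"id": "CVE-0000-0003", "cvss": [score_entry("4.0", 5.3, "bulk-scorer", V4.format("L", "N"))]},
    {"id": "CVE-0000-0004", "cvss": [score_entry("4.0", 6.9, "bulk-scorer", V4.format("L", "N"))]},
    {"id": "CVE-0000-0005", "cvss": [score_entry("3.1", 9.1, "nvd-like")]},
    {"id": "CVE-0000-0006", "cvss": [score_entry("3.0", 4.3, "nvd-like")]},
]
```

    Calling severity_by_version(SAMPLE) and then severity_by_version(SAMPLE, exclude_source="bulk-scorer") shows how one high-volume publisher that scores every v4 vector with SC/SI/SA at N shifts the v4 mix toward Medium.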

    More than two years after the publication of the CVSS v4 specification, only 25.9% of the 43,002 CVEs published in 2025 have been enriched with a CVSS v4 score.

    [Figure: CVSS Version]

    Next, I examined who is contributing CVSS v4 scores. In total, 232 distinct sources have published or enriched CVEs with CVSS v4 data. While this represents a reasonable foundation after two years, a larger issue remains: the historically dominant enrichment sources, including NIST NVD and CISA ADP, are rarely publishing CVSS v4 scores.

    [Figure: CVSS Version]

    This led me to examine which major CVSS contributors have not adopted CVSS v4 in 2025. I analyzed CVSS sources by volume to identify organizations that scored large numbers of CVEs without providing a CVSS v4 score. The table below highlights the top 15 such sources.

    CVSS Source                    # of CVEs Scored w/o CVSS v4
    -----------------------------  ----------------------------
    CISA-ADP                       7269
    NIST                           7254
    Patchstack                     5309
    Wordfence                      2521
    Redhat                         1757
    Microsoft Corporation          1071
    GitHub, Inc.                   933*
    Adobe Systems Incorporated     637
    MITRE                          413
    ZDI                            316
    IBM Corporation                313
    Oracle                         312
    Qualcomm, Inc.                 212
    Cisco Systems, Inc.            189
    SAP SE                         185

    * GitHub started adopting CVSS v4 in 2025, with 1153 CVEs scored with CVSS v4.

    What this ultimately suggests is that CVSS v4 adoption is constrained not by lack of availability, but by limited participation from some of the largest and most influential CVE publishers and enrichers. Commonly cited reasons include resource constraints, required tooling changes, and a perception that CVSS v4 provides limited additional value while increasing scoring complexity and operational overhead.

    As a result, perceived changes in severity trends, particularly around “Critical” CVEs, are more likely influenced by partial adoption and subjective scoring practices than by inherent changes introduced by the CVSS v4 specification itself. That said, the relatively limited volume of CVSS v4 scoring still makes it difficult to fully assess the true impact of CVSS v4 on severity distribution.

    VulnCheck is helping organizations not just to solve the vulnerability prioritization challenge – we’re working to help equip any product manager, CSIRT/PSIRT or SecOps team and Threat Hunting team to get faster and more accurate with infinite efficiency using VulnCheck solutions.

    We knew that we needed better data, faster across the board, in our industry. So that’s what we deliver to the market. We’re going to continue to deliver key insights on vulnerability management, exploitation and major trends we can extrapolate from our dataset to continuously support practitioners.

    Are you interested in learning more? If so, VulnCheck’s Exploit & Vulnerability Intelligence has broad threat actor coverage. Register and demo our data today.
