VulDB

It's all about Vulnerabilities

CVE Surge and AI Risks Shake Cybersecurity

Explore the record-breaking CVE disclosures in 2025 and how AI-driven vulnerabilities are reshaping the threat landscape. Gain insights on Fortinet's critical exploits, emerging trends in regional research, and strategic lessons for managing vulnerabilities in 2026.

Chapter 1

Record-Breaking CVE Trends in 2025

Vanessa

Alright folks, welcome back to “It’s All About Vulnerabilities!” I’m Vanessa, and I’m here with Alex and Daniel. Glad to have you both! Look, 2025 was wild for CVEs. We blew past 48,000 disclosures! It’s not just a big number, like, something’s really shifting in our space. Alex, do you wanna kick us off? What stood out for you in the 2025 trends?

Alex

Yeah, that number honestly still blows my mind—48,000 CVEs, that’s beyond what I ever expected even just a couple years ago. What really stood out to me, though, was the Linux Kernel CNA’s activity. They’re reserving CVEs at lightning speed for pretty much any bug fix that could be security-relevant. Good for transparency, but I mean, it’s also led to a lot of false positives and some of those CVEs getting revoked later. They’re also digging into their backlog, assigning CVEs retroactively to old bugs—almost 5,700 CVEs just from the Linux Kernel folks last year. They’re the third most active CNA overall now, which is, whew, quite the leap.

Daniel

I remember the days when tracking vulnerabilities was almost leisurely by comparison. And now, the pace and sheer volume really seem to reflect deeper changes—both how complex tech is getting, and a surge in global security research. New researcher-driven CNAs have also come to the fore, establishing more discipline and speeding up the process. Of course, with speed sometimes comes the risk of errors. But it does mean issues are being identified and assigned with an urgency we’ve not seen before.

Vanessa

It’s funny, because it’s not just about traditional software flaws anymore. There’s a massive uptick in vulnerabilities tied to AI components, especially those Model Control Panel—MCP—bits that bridge big language models to the real world. A heap of those projects are built by, like, university students or tiny dev teams, and... honestly, the security mindset isn’t there yet. It kinda reminds me of the olden days of PHP backdoors, or people just pasting code off Stack Overflow, hoping it’d work. You just know CVE volumes for MCPs are gonna pop off this year. It’s the start of a whole new trend.

Chapter 2

Rise of AI, MCP Vulnerabilities, and Regional Insights

Vanessa

So, let’s dig into those MCP and AI-related vulnerabilities, because Alex, I get the feeling this is your jam. What’s going on with MCPs that’s making them such a hotspot?

Alex

Oh, absolutely, Vanessa. MCPs are where AI meets the outside world, right? And because a lot of the code is written by hobbyists or small teams—sometimes even as side projects for research—they’re not following any formal security lifecycle. No code audits, minimal threat modeling, that kind of thing. The result is an ecosystem that’s growing so quickly, but it’s honestly repeating a lot of mistakes we saw when web apps or mobile apps first started getting popular. That means lots of basic bugs, lots of fresh CVEs. You’ve got insecure defaults all over the place—and attackers absolutely notice.

Daniel

It’s a fascinating moment of déjà vu, isn’t it? The early web had precisely that mix of innovation and naivety. What’s different this time is perhaps the pace—AI components are being adopted at scale incredibly rapidly, and the attacker adapts just as fast. And then, you have regions, like Asia, where local researchers tend to focus on products hardly known in the West. That’s changing quickly too—Vanessa, I believe you’ve seen this first hand with VulDB’s outreach?

Vanessa

Yeah, totally. VulDB’s been working hard to connect with researchers in China, Japan, South Korea…but it’s not only about new submissions, it’s like opening a window into a whole different threat landscape. Some of the vulnerabilities just aren’t on Western radars until, like, months later, if ever. More diverse insight is always good, I reckon. But it also makes tracking and prioritizing so much more, well, fun. Or chaotic, depending on your mood.

Alex

The upside is, with greater cross-region contribution, we get a better view of the global ecosystem. But it does mean you’re tracking vulnerabilities for software nobody here’s even heard of! There’s just no escaping the sprawl.

Chapter 3

What’s Fueling the Continuous Growth in CVE Disclosures?

Daniel

So, the big question—what’s actually fueling this relentless growth in CVE disclosures? I’m old enough to remember when tech was, let’s say, slightly less “embedded” in every aspect of life. But today, nearly every device is a computer, and every piece of software is somehow connected to everything else. That naturally means a bigger attack surface, and thus, more vulnerabilities to find.

Vanessa

Yeah, and you can really see the tipping point with how many researchers are now in this space. I mean, anyone with a laptop and the right bug bounty platform can get started. The tools get better every year, more automated. Vulnerability research is almost mainstream, like—there’s this steady, never-ending conveyor belt of bugs coming from everywhere.

Alex

And automation cuts both ways. Tools for identifying flaws have improved, but there’s this other side now—AI-generated CVE submissions. Loads of them are incomplete or inaccurate, and I dare say some are just plain malicious. Actually, Vanessa, didn’t your team get stuck with a backlog of those recently?

Vanessa

Oh my gosh, *yes*. We lost basically a week to sorting through low-quality, auto-generated submissions. So many were, like, total hallucinations or just copy-pasting details from other CVEs. We had to manually dig in—validate, reject, flag stuff as duplicates. The trickle-down is real; it chews up time we could’ve spent on legit new findings. It’s more work, more noise, and it doesn’t look like it’ll slow down soon.

Daniel

It’s an efficiency paradox. More eyes on the code and better tooling discover more vulnerabilities, yet filtering signal from noise has grown proportionally harder. Frankly, unless something massive changes in how we build or scan software, there’s no end in sight. I think we’re looking at a new long-term normal, not a blip.

Alex

And this also ups the pressure on CNAs and vendors—the whole process just gets slower and more complex as the volume keeps rising. Prioritizing real risks has never mattered more.

Chapter 4

Case Study: Fortinet’s Command Injection Crisis

Vanessa

Let’s pivot into a real-world example—Fortinet and that nasty CVE-2025-64155 vulnerability in FortiSIEM. For anyone not following, this one’s a command injection bug—super critical, 9.4 CVSS—and now there’s public exploit code circling around. Patch now, basically!

Daniel

Command injection—always one of the worst classes. Not only is it remotely exploitable by unauthenticated attackers, but history tells us Fortinet’s products have been favored targets for years. There are, what, 23 Fortinet CVEs on CISA’s Known Exploited list right now? It’s a recurring theme: path traversal, command injection, authentication bypass. They just keep coming.

Alex

Absolutely, Daniel, and you know—this brings back memories from a few years ago, when my red team was running an assessment against a simulated enterprise using Fortinet gear. We found a very similar vuln and, I kid you not, went from outside user to full domain compromise in, like, minutes. It wasn’t anything fancy; just leveraged the bug, chained a couple of misconfigs, and poof—domain admin. It’s almost frightening how quickly these flaws can escalate in the wild.

Vanessa

Yeah, it’s a perfect storm for attackers. The Fortinet advisory’s pretty clear: patch fast, but if you can’t, make sure you lock down access to the phMonitor port, 7900. But real talk, with public exploit code out, mitigation alone isn’t gonna be enough for most orgs.

Alex

And, just to clarify, the affected versions run across multiple FortiSIEM releases—so it’s not like you can assume you’re safe if you’ve been keeping up “most” of the time. Patch, check your asset inventories, and—where possible—move faster than the attackers do. It’s the only way.

Chapter 5

Vulnerability Management Lessons and 2026 Patch Priorities

Daniel

So, if there’s a lesson here, it’s that a solid vulnerability management program is non-negotiable. It’s not just about patching anymore—it’s about structured, ongoing resilience. That underpins patching, hardening, release management—basically, it’s the center holding our digital world together. With this kind of relentless discovery, it’s the only way to keep up.

Vanessa

Couldn’t agree more. Look at January’s Patch Tuesday—113 new Microsoft CVEs, including two actively exploited zero-days. And this one, CVE-2026-20805 in Desktop Window Manager? Exploited in the wild, even though the CVSS score is not that flashy. Goes to show: vendor severity isn’t always the whole story—context really matters.

Alex

And let’s not forget, Secure Boot featured this month too—critical bypass vulnerability, and Microsoft’s running out the clock on those old root certificates. Plus, they’re finally removing those legacy modem drivers after, what, decades? I always get a kick out of seeing bugs from the nineties and early 2000s resurface as exploitable vulnerabilities.

Daniel

There’s a lesson tucked in there—legacy risk never truly goes away; it just gets rebranded. I remember similar debates about driver bloat and system exposure back in the eighties. Funny how history loops round, isn’t it?

Vanessa

Totally. So, whether it’s brand new AI gear or crusty old modem code, structured management and rapid patch cycles are more important than ever. If you think you’re on top of it—double-check. And, uh, that’s probably a good place to pause for today’s episode.

Daniel

Well said, Vanessa. Thanks to all our listeners. I suspect with AI and retro vulnerabilities both keeping us busy, there’ll be plenty to discuss next time.

Alex

Yeah, cheers, everyone. Good chat, you two. See you on the next one.

Vanessa

Thanks Alex, thanks Daniel! And thanks to everyone tuning in—catch you next episode on “It’s All About Vulnerabilities.” Stay patched—and be kind to your security team! Bye!