Welcome to your daily cybersecurity podcast.

We open this edition with an analysis published by FIRST dot org on December 29, 2025, presenting the annual review of vulnerability forecasts for the year 2025. The article, written by Éireann Leverett, confirms the validation of Vuln4Cast project forecasts with 49,183 CVEs published as of December 29, falling within the confidence interval of 41,142 to 49,868 CVEs established in February 2025. The MAPE of 1 point 39 percent against the upper bound demonstrates excellent accuracy of the forecast models.

The quarterly forecasts for Q4 2025 are also validated with 12,359 CVEs published, within the confidence interval of 11,815 to 14,129 CVEs. This accuracy below 5% demonstrates that quarterly forecasts are sufficiently reliable for operational planning by patch management teams, SOCs, and CERTs.

The article highlights the expansion of the vulnerability forecasting ecosystem with CVEForecast dot org developed by Jerry Gamblin at Cisco using XGBoost, and CIRCL Luxembourg's Vulnerability-Lookup platform which adds sightings tracking and comprehensive statistics. Future developments will focus on forecasting vendor distributions, CVSS vectors, CWEs, and vulnerability exploitability. Improvements are underway in six areas: CWE root cause analysis, exploit prediction, exploitation prediction, CNA forecasting, CVSS vector forecasting, and CVSS score prediction.

FIRST announces the VulnOptiCon 2026 conference in Luxembourg, hosted by CIRCL, to enable the community to share methodologies and collectively advance exposure science and predictive security.

Source

FIRST – 2025 Vulnerability Forecast Annual Review: https://www.first.org/blog/20251229-Vulnerability-Forecast-Review

Don’t think, patch!

Your feedback is welcome.
Email: radiocsirt@gmail.com
Website: https://www.radiocsirt.com
Weekly Newsletter: https://radiocsirtenglishedition.substack.com/