A record 48,185 CVEs were published in 2025, according to analysis by Cisco's Jerry Gamblin [1]. FIRST's 2026 Vulnerability Forecast predicts a median of approximately 59,427 new CVEs this year, which would make 2026 the first year to exceed 50,000 published CVEs [2] - a milestone in vulnerability disclosure history. But behind these headline figures lies a less-examined question: where are these vulnerabilities coming from?
Mapping CVEs by the country of origin of the affected vendor or reporting organization reveals structural patterns in the global cybersecurity landscape - patterns shaped as much by industrial footprint and disclosure culture as by the quality of code being written.
The Numbers: Who Produces the Most CVEs?
One mid-2025 analysis found the United States was associated with roughly 32% of all CVEs (over 9,300), while China accounted for 14.6% (approximately 4,200), according to DeepStrike vulnerability research [3]. Other countries - Germany, India, Japan, and South Korea - each accounted for between 5% and 7% of total CVEs.
These figures are best understood in context. The U.S. dominance reflects the sheer scale of its software industry: companies like Microsoft, Apple, Google, Cisco, and Adobe collectively maintain enormous codebases. Similarly, China's growing share tracks its expanding technology sector and increasing participation in open-source ecosystems.
The CNA Ecosystem Shift: A "WordPress Effect"
The distribution of CVEs by origin is further complicated by the evolving role of CVE Numbering Authorities (CNAs) - the organizations authorized to assign CVE identifiers. In 2025, 484 CNAs operated globally, up from a much smaller group in earlier years, according to CNA tracking data [4].
What stands out is the shift in which CNAs drive the most volume. As Cisco's Gamblin noted, in previous years, major software vendors dominated CVE assignment. In 2025, WordPress-focused security firms Patchstack and Wordfence became top drivers of CVE volume, with Patchstack alone assigning 7,007 CVEs - vastly outnumbering traditional giants like Microsoft or Google [1]. This "WordPress Effect" means that a significant portion of global CVE output now originates not from the core products of U.S. tech giants, but from third-party plugin ecosystems - many of which are developed by small teams distributed across dozens of countries.
This trend has practical implications for country-of-origin analysis. A vulnerability in a WordPress plugin developed by a solo developer in Eastern Europe is counted alongside a flaw in a Microsoft enterprise product, even though the risk profiles, user bases, and remediation pathways differ dramatically.
State-Sponsored Exploitation: The Geopolitical Dimension
While CVE origin tracks where software is made, active exploitation patterns reveal who is weaponizing it. Recent threat intelligence underscores persistent state-sponsored activity tied to specific nations:
- Russia: APT28, a Russian state-sponsored group, exploited a Microsoft Office zero-day (CVE-2026-21509) in January 2026, delivering multiple malware implants via weaponized RTF files [5]. The group also leveraged an MSHTML flaw in February.
- China: Suspected China-nexus groups including Lotus Blossom and UNC6201 exploited vulnerabilities in Notepad++ and Dell RecoverPoint in early 2026, according to Recorded Future's February CVE landscape report [6]. The increasing targeting of supply chain pathways - such as the Axios npm compromise attributed to North Korea - adds another layer to the geopolitical picture.
- Legacy exploitation: A Hikvision vulnerability from approximately nine years ago (CVE-2017-7921) was among 31 actively exploited flaws identified in March 2026, reinforcing that attackers continue to target long-known weaknesses [7].
These patterns highlight that the geography of vulnerability creation and the geography of vulnerability exploitation are two distinct maps. Defenders must read both.
Regulatory Divergence: How Regions Are Responding
The global CVE surge has triggered divergent regulatory responses that will reshape vulnerability management across borders.
The European Union
The EU has moved aggressively to build sovereign vulnerability infrastructure. ENISA launched the European Vulnerability Database (EUVD) under the NIS2 Directive, which provides aggregated information including exploitation status and mitigation guidance [8]. Critically, the Cyber Resilience Act will require manufacturers to notify authorities of actively exploited vulnerabilities within 24 hours, with reporting obligations taking effect in September 2026.
An early empirical study of the EUVD [9] found that Spain's national CSIRT has been particularly active in coordinating vulnerability disclosures, while participation from other EU member states remains uneven.
The United States
The U.S. CVE infrastructure faced uncertainty in April 2025 when MITRE's contract to operate the CVE program was briefly at risk of lapsing. While CISA resolved the funding issue, the episode accelerated the formation of the CVE Foundation, a nonprofit aiming to move the program toward a diversified governance model. The NVD continued to face challenges in 2025, with CVEdetails.com noting that NVD is "no longer a reliable source of CVE information" due to enrichment backlogs and data gaps [10].
The Asia-Pacific Region
Countries like Singapore have taken formal steps by designating their national CSIRTs as CNAs. Japan and South Korea, both significant sources of CVEs due to their large electronics and semiconductor industries, maintain national vulnerability databases that complement the global CVE system.
What This Means for Security Teams
The accelerating pace of disclosure - now averaging 131 new CVEs per day [11], with a median time-to-exploit under five days - makes geographic context an increasingly valuable signal for prioritization. Security teams should consider the following:
- Factor vendor geography into risk assessments. Understanding where a vendor is headquartered helps anticipate regulatory requirements, disclosure timelines, and potential geopolitical exposure. Products from vendors in jurisdictions with mandatory disclosure laws may surface vulnerabilities faster.
- Monitor multiple vulnerability databases. The emergence of the EUVD alongside the NVD and CISA KEV means that critical exploitation data may appear first in region-specific sources. The shrinking patch window demands that defenders cast a wide net.
- Distinguish volume from risk. Vulnerability exploitation was involved in 20% of breaches in 2025 according to the Verizon DBIR, up from previous years, surpassing some social engineering vectors [3]. But not every CVE poses equal danger. Exploitation tends to cluster around dependable weakness types - authentication bypasses, deserialization flaws, and memory corruption - rather than following raw volume.
- Watch for the long tail. State-sponsored and criminal actors routinely exploit vulnerabilities that are years old. Asset visibility and compensating controls for legacy systems remain as important as rapid patching of new disclosures.
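The points above about multiple databases, volume versus risk, and the long tail can be combined into one triage pass. The following Python is an added example, not part of the original article or any vendor's tooling; the feed labels, record fields, scoring weights, three-year long-tail threshold and placeholder CVE IDs are all assumptions constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date

# Weakness classes the article says exploitation clusters around (labels are this example's own).
HIGH_SIGNAL = {"auth-bypass", "deserialization", "memory-corruption"}
LONG_TAIL_DAYS = 3 * 365  # assumption: age at which a flaw counts as "years old"

@dataclass
class Finding:
    cve: str
    published: date
    weakness: str | None = None
    exploited_in: set = field(default_factory=set)  # sources reporting exploitation

def merge_feeds(feeds):
    """Union records from several databases, keyed by CVE ID."""
    merged = {}
    for source, records in feeds.items():
        for r in records:
            f = merged.setdefault(r["cve"], Finding(r["cve"], r["published"]))
            f.published = min(f.published, r["published"])  # earliest date wins
            f.weakness = f.weakness or r.get("weakness")
            if r.get("exploited"):
                f.exploited_in.add(source)  # a flag from any one source counts
    return merged

def score(f, today):
    """Exploitation evidence dominates; age and weakness class only refine it."""
    s = 10 if f.exploited_in else 0
    if f.exploited_in and (today - f.published).days > LONG_TAIL_DAYS:
        s += 3  # long tail: an old flaw that is still being used
    if f.weakness in HIGH_SIGNAL:
        s += 2
    return s

def triage(feeds, today):
    findings = merge_feeds(feeds).values()
    return sorted(((f.cve, score(f, today)) for f in findings), key=lambda t: (-t[1], t[0]))

SAMPLE_FEEDS = {  # constructed records; the IDs are placeholders, not real CVEs
    "nvd": [
        {"cve": "CVE-0000-0001", "published": date(2017, 5, 1), "weakness": "auth-bypass"},
        {"cve": "CVE-0000-0002", "published": date(2026, 1, 20), "weakness": "memory-corruption"},
        {"cve": "CVE-0000-0003", "published": date(2026, 2, 2), "weakness": "xss"},
    ],
    "kev": [{"cve": "CVE-0000-0001", "published": date(2017, 5, 1), "exploited": True}],
    "euvd": [{"cve": "CVE-0000-0002", "published": date(2026, 1, 21), "exploited": True}],
}
```

In the sample, the second entry is flagged as exploited only by the regional feed, yet it still ranks above the unexploited entry, and the old flaw ranks first despite its age.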
The global CVE landscape is not just a technical inventory - it is a map of industrial capacity, regulatory ambition, and geopolitical intent. Reading it accurately is becoming a core competency for defenders.
