Extra Bytes, Information Security

Budget Cuts at the NVD Cause Unanalyzed Vulnerabilities to Skyrocket

Nearly 12,000 submissions remain unexamined.

Ryan Uliss

Contributing Writer

Save

The National Vulnerability Database (NVD), a vital resource for the cybersecurity industry, is experiencing a significant backlog in processing and enriching new vulnerabilities due to recent funding cuts. Since February 12, over 90% of the submissions to the NVD have not been analyzed, posing a substantial risk to cybersecurity defenses across various sectors. The slowdown in the NVD’s operations has left many vulnerabilities unanalyzed, providing an upper hand to malicious actors and increasing supply chain risks.

A recent analysis has revealed that out of 12,720 new vulnerabilities added since the funding cut announcement in February, 11,885 have not been enriched with critical data. This lack of analysis is particularly alarming for vulnerabilities that are known to be exploited or have public proof-of-concept exploits. Industry experts emphasize the urgent need for cybersecurity companies and CVE Numbering Authorities (CNAs) to step up and address this critical gap.

Why it matters: The NVD has long been a cornerstone of cybersecurity, offering essential data that helps security professionals protect systems and software. The current backlog not only hampers the ability to defend against threats but also emboldens threat actors who exploit these vulnerabilities. As nation-state hackers and ransomware gangs continue to target organizations, the compromised state of the NVD poses a severe risk to global cybersecurity infrastructure.

Known Exploited Vulnerabilities: Nearly 51% of Known Exploited Vulnerabilities (KEVs), which are security weaknesses that cybercriminals have recently exploited in attacks, have not been analyzed by the NVD since February. This includes significant vulnerabilities impacting technologies from major vendors such as Microsoft and Adobe.

Weaponized and Proof-of-Concept Vulnerabilities: Approximately 56% of weaponized vulnerabilities, which can deliver substantial payloads, and 82% of CVEs with proof-of-concept exploits remain unanalyzed, leaving these high-risk vulnerabilities exposed and potentially exploitable by threat actors.

Proposed Solutions: To address the backlog, the CVE community and NVD are urged to enhance automation in CVE enrichment and reduce dependency on manual reviews. Third-party contributions to enrich CVE data and coordinated efforts by CVE Numbering Authorities (CNAs) are also recommended.

Go Deeper -> The Real Danger Lurking in the NVD Backlog – VulnCheck

Amid Funding Cuts, Backlog of Unanalyzed Vulnerabilities in Gov’t Database is Growing – The Record

Save

May 29, 2024

☀️ Subscribe to the Early Morning Byte! Begin your day informed, engaged, and ready to lead with the latest in technology news and thought leadership.

☀️ Your latest edition of the Early Morning Byte is here! Kickstart your day informed, engaged, and ready to lead with the latest in technology news and thought leadership.