Budget Cuts at the NVD Cause Unanalyzed Vulnerabilities to Skyrocket

Nearly 12,000 submissions remain unexamined.
Ryan Uliss
Contributing Writer

The National Vulnerability Database (NVD), a vital resource for the cybersecurity industry, is experiencing a significant backlog in processing and enriching new vulnerabilities due to recent funding cuts. Since February 12, over 90% of the submissions to the NVD have not been analyzed, posing a substantial risk to cybersecurity defenses across various sectors. The slowdown in the NVD’s operations has left many vulnerabilities unanalyzed, providing an upper hand to malicious actors and increasing supply chain risks.

A recent analysis has revealed that out of 12,720 new vulnerabilities added since the funding cut announcement in February, 11,885 have not been enriched with critical data. This lack of analysis is particularly alarming for vulnerabilities that are known to be exploited or have public proof-of-concept exploits. Industry experts emphasize the urgent need for cybersecurity companies and CVE Numbering Authorities (CNAs) to step up and address this critical gap.

Why it matters: The NVD has long been a cornerstone of cybersecurity, offering essential data that helps security professionals protect systems and software. The current backlog not only hampers the ability to defend against threats but also emboldens threat actors who exploit these vulnerabilities. As nation-state hackers and ransomware gangs continue to target organizations, the compromised state of the NVD poses a severe risk to global cybersecurity infrastructure.

  • Known Exploited Vulnerabilities: Nearly 51% of Known Exploited Vulnerabilities (KEVs), which are security weaknesses that cybercriminals have recently exploited in attacks, have not been analyzed by the NVD since February. This includes significant vulnerabilities impacting technologies from major vendors such as Microsoft and Adobe.
  • Weaponized and Proof-of-Concept Vulnerabilities: Approximately 56% of weaponized vulnerabilities, which can deliver substantial payloads, and 82% of CVEs with proof-of-concept exploits remain unanalyzed, leaving these high-risk vulnerabilities exposed and potentially exploitable by threat actors.
  • Proposed Solutions: To address the backlog, the CVE community and NVD are urged to enhance automation in CVE enrichment and reduce dependency on manual reviews. Third-party contributions to enrich CVE data and coordinated efforts by CVE Numbering Authorities (CNAs) are also recommended.

Go Deeper -> The Real Danger Lurking in the NVD Backlog – VulnCheck

Amid Funding Cuts, Backlog of Unanalyzed Vulnerabilities in Gov’t Database is Growing – The Record