September 17, 2024 By Doug Bonderud 4 min read

Updated Sept. 24, 2024

In February, the number of vulnerabilities processed and enriched by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) started to slow. By May, 93.4% of new vulnerabilities and 50.8% of known exploited vulnerabilities were still waiting on analysis, according to research from VulnCheck.

Three months later, the problem persists. While NIST has a plan to get back on track, analysis of common vulnerabilities and exposures (CVEs) isn’t keeping pace with new vulnerability detections. Here’s a look at what’s behind the backlog, why CVEs may no longer be the Holy Grail of IT defense and how security teams can stay ahead of attacker efforts.

What’s behind the backlog?

Budget cuts are partially responsible for CVE analysis issues. As noted by Security Magazine, NIST funding was cut by 12% this year, making it more difficult for the agency to enrich CVEs. In practice, the NVD is effectively a downstream consumer of CVE data — while the number of CVEs found and reported remains steady, NIST’s ability to assess and enrich these vulnerabilities has been significantly reduced.

The sheer number of reported vulnerabilities also poses a problem for analysis efforts; Flashpoint research found that NIST reported 33,137 vulnerabilities in 2023. In part, rising numbers are tied to improved detection capabilities. As companies expand security efforts with cloud-based technologies and AI-enabled tools, they’re better able to pinpoint potential threats. As a result, bigger numbers aren’t always indicative of increased risk, but they do speak to a growing number of potential attack paths.

NIST does have a plan to clear the backlog. According to USASpending.gov, the government has awarded an $860,000 contract to Analygence for cybersecurity analysis and email support. Analysis efforts were slated to start June 3, and NIST hopes to be back on track by September 2024. While the contract is slated to end as of December 2024, the agency has an option to extend services into July 2025.

The changing face of cyber threats

Concerns around the NVD backlog are understandable. The longer it takes NIST to analyze CVEs and suggest effective countermeasures, the greater the risk for enterprises.

As noted by Cybersecurity Dive, however, the cybersecurity landscape is changing. During the virtual Gartner Security and Risk Management summit, principal analyst Mitchell Schneider noted that while the total number of vulnerabilities continues to increase, critical CVEs aren’t outpacing their high, medium and low counterparts.

What’s more, attackers aren’t using CVE severity as the criteria for compromise. “There’s no inherent correlation between the vulnerability and if threat actors are exploiting them in terms of those severity ratings,” says Schneider. Instead, attackers are prioritizing the most exploitable vulnerabilities, which are often those ranked as medium or low severity.

In practice, this creates a forest-for-the-trees scenario: If companies are too focused on critical CVEs, they can miss middle-of-the-road exploits that allow attackers to gain network access and then move laterally into more critical systems.

The result? While the common vulnerability database remains a critical part of effective security, it’s not a silver bullet. Cyber threat tactics are changing, and security teams must be prepared to change in response.

How security teams can stay ahead of attackers

So what does this change look like in action?

Four considerations can help companies build better defenses in a world of delayed NVD additions.

1) Prioritize visibility

With attack methods and patterns diversifying, businesses need to prioritize IT visibility. Consider a company using on-premises storage for critical data, public clouds for testing and development and private clouds for easily scalable application resources.

In the new threat landscape, attacks can come from any source at any time. If undetected, attackers can bide their time gathering data and pinpointing ideal attack pathways. As a result, complete visibility is critical. The more companies know about what’s happening across their environments, the better prepared they are to detect, identify and mitigate attacks.

2) Focus on exploitability

As Gartner makes clear, exploitability is now the top priority for attackers. While more severe vulnerabilities may be more valuable targets in the short-term, exploitable medium- or low-severity weaknesses can set attackers up for ongoing success.

For example, suppose malicious actors can exploit a medium-severity vulnerability at the edge of business networks. In that case, they may be able to create and maintain backdoors that provide permanent access to enterprise systems. From there, they can carry out reconnaissance and bide their time until security teams are focused on other vulnerabilities.

By targeting the most exploitable rather than the most severe vulnerabilities, security teams can reduce the chance of successful attacks.

3) Share the burden

Security is no longer the exclusive burden of IT teams. Operations, finance, marketing, sales and customer service teams all have a role to play in keeping companies safe. While the ultimate responsibility for security still lies with technology professionals, sharing the burden across teams can both improve detection rates and reduce the time between identification and action.

4) Leverage available resources

With the NVD backlogged, it’s important for security teams to find and leverage alternative resources. Potential security sources include:

  • CISA Vulnrichment: CISA has taken on some of NIST’s CVE burden with their “Vulnrichment” program. A list of known vulnerabilities can be found on GitHub, and companies can contact CISA at [email protected] with any questions.
  • The CVE Program: The CVE Program (formerly the Mitre CVE repository) identifies, defines and catalogs publicly disclosed cybersecurity vulnerabilities. There are currently more than 240,000 CVE records that security teams can download or search.
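The exploitability-first triage the article argues for can be made concrete against CVE Program records that carry CISA Vulnrichment enrichment: rank on the SSVC exploitation decision point first and fall back to CVSS only as a tiebreaker. The Python below is an added example, not IBM's, CISA's or the CVE Program's code; the record layout (containers.cna / containers.adp with an SSVC "other" metric) is my reading of the CVE JSON 5.1 format and the three records are constructed placeholders, not real CVEs.

```python
# Added example: rank CVE records by exploitation evidence before CVSS severity. Records are
# constructed (placeholder IDs); field paths follow my reading of CVE JSON 5.1 + CISA ADP/SSVC.
def make_record(cve_id, score, severity, exploitation=None, automatable=None):
    """Build a CVE-record-shaped dict; the ADP container is present only when enriched."""
    rec = {"cveMetadata": {"cveId": cve_id}, "containers": {"cna": {"metrics": [
        {"cvssV3_1": {"baseScore": score, "baseSeverity": severity}}]}}}
    if exploitation is not None:
        rec["containers"]["adp"] = [{"providerMetadata": {"shortName": "CISA-ADP"},
            "metrics": [{"other": {"type": "ssvc", "content": {"options": [
                {"Exploitation": exploitation}, {"Automatable": automatable}]}}}]}]
    return rec

SAMPLE_RECORDS = [
    make_record("CVE-0000-0001", 9.8, "CRITICAL", "none", "no"),   # critical, not exploited
    make_record("CVE-0000-0002", 6.5, "MEDIUM", "active", "yes"),  # medium, actively exploited
    make_record("CVE-0000-0003", 7.5, "HIGH"),                      # still awaiting enrichment
]

EXPLOITATION_RANK = {"active": 2, "poc": 1, "none": 0}

def ssvc_options(record):
    """Merge SSVC decision points from the CISA ADP container; {} if unenriched."""
    for adp in record["containers"].get("adp", []):
        if adp.get("providerMetadata", {}).get("shortName") != "CISA-ADP":
            continue
        for metric in adp.get("metrics", []):
            other = metric.get("other", {})
            if other.get("type") == "ssvc":
                merged = {}
                for option in other["content"]["options"]:
                    merged.update(option)
                return merged
    return {}

def cvss_base_score(record):  # CNA-supplied CVSS v3.1 base score, 0.0 if none published
    for metric in record["containers"]["cna"].get("metrics", []):
        if "cvssV3_1" in metric:
            return float(metric["cvssV3_1"]["baseScore"])
    return 0.0

def triage_key(record):
    """Exploitation evidence first, automatability second, CVSS only as a tiebreaker."""
    opts = ssvc_options(record)
    return (EXPLOITATION_RANK.get(opts.get("Exploitation", "none"), 0),
            int(opts.get("Automatable") == "yes"), cvss_base_score(record))

def prioritize(records):
    """Return CVE IDs, most urgent first."""
    return [r["cveMetadata"]["cveId"] for r in sorted(records, key=triage_key, reverse=True)]
```

Note that the unenriched HIGH record lands last: without an exploitation signal it can only compete on CVSS, which is exactly the blind spot the backlog creates, so records still awaiting enrichment deserve a separate review queue rather than silent deprioritization.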

What’s next for NIST?

NIST hopes to eliminate the NVD backlog by September 2024, but there’s no guarantee that its efforts will succeed. As noted by The Record, Senators Mark Warner (D-VA) and Thom Tillis (R-NC) have proposed legislation that would restore funding to NIST and increase its focus on new risks, such as AI-enabled threats, but the bill is in its infancy.

In other words, while the agency and federal lawmakers recognize the critical impact of CVE analysis and enrichment, enterprises can’t rely on the NVD to deliver up-to-date vulnerability data.

Instead, businesses are better served changing their approach to align with evolving attacker efforts. By implementing tools that help improve visibility and identify exploitability, companies can prioritize high-risk threats. By sharing the security burden across departments and expanding their use of available security resources, meanwhile, enterprises can more effectively respond to shifting attack priorities.

Correction: This article has been updated to clarify the differences between NVD and CVE. The CVE Program catalogs publicly disclosed vulnerabilities through CVE Records, whereas NVD is a downstream consumer of the CVE Program’s data.
