NIST Struggling To Clear the Growing Backlog of CVEs in the Official National Vulnerability Database
- Source: Vulnerability (cybersecuritynews.com)
Author: Guru Baran
As of March 2025, the National Institute of Standards and Technology (NIST) continues to face mounting challenges in processing the ever-growing backlog of Common Vulnerabilities and Exposures (CVEs) in the National Vulnerability Database (NVD).
Despite previous efforts to clear the accumulation, recent updates reveal that the vulnerability analysis crisis has only deepened.
According to NIST’s March 19 update, the agency is currently processing incoming CVEs at roughly the same rate achieved prior to the processing slowdown in spring 2024.
However, with CVE submissions having increased by 32 percent in 2024, this processing capacity has proven inadequate to manage the influx.
Most concerning is that the backlog continues to grow beyond previous projections, which had estimated up to 30,000 unanalyzed vulnerabilities by early 2025.
“We anticipate that the rate of submissions will continue to increase in 2025,” the agency acknowledged in its update.
“The fact that vulnerabilities are increasing means that the NVD is more important than ever in protecting our nation’s infrastructure. However, it also points to increasing challenges ahead.”
The ongoing backlog poses significant risks to organizations nationwide that rely on timely CVE analysis for vulnerability management.
Without proper enrichment of vulnerability data, including Common Platform Enumeration (CPE) identifiers, Common Vulnerability Scoring System (CVSS) scores, and Common Weakness Enumeration (CWE) classifications, security teams lack critical information needed for prioritization.
“The enrichment process is essential for organizations to understand which vulnerabilities pose the most immediate threat,” explained cybersecurity analyst Dr. Lauren Chen.
“When Known Exploited Vulnerabilities (KEVs) remain unanalyzed, it creates dangerous blind spots in defensive postures.”
Growing Backlog of CVEs
To address these challenges, NIST has intensified efforts to integrate machine learning capabilities into its vulnerability analysis workflow.
According to the agency’s update, “To address these challenges, we are working to increase efficiency by improving our internal processes, and we are exploring the use of machine learning to automate certain processing tasks.”
Previous research has demonstrated the potential for automated approaches, with one study achieving an F-measure of 0.86 when using Named Entity Recognition (NER) to automatically match CVE summaries with corresponding CPEs. Such automation could significantly accelerate the enrichment process.
The backlog crisis intensified after CISA discontinued approximately $3.7 million in annual interagency funding support to the NVD program in late 2023.
While NIST redirected existing funds and contracted with cybersecurity firm Analygence to provide additional analysis support, these measures have proven insufficient against the accelerating vulnerability discovery rate.
As the backlog continues to grow through 2025, NIST faces increased pressure to implement more efficient processing methods while maintaining the accuracy and reliability that make the NVD an essential resource for national cybersecurity infrastructure.