NIST Will Mark All CVEs Published Before 01/01/2018 as ‘Deferred’
- С сайта: Vulnerability(cybersecuritynews.com)
- Вернуться к списку новостей
С сайта: Vulnerability(cybersecuritynews.com)
The National Institute of Standards and Technology (NIST) announced on April 2, 2025, that all Common Vulnerabilities and Exposures (CVEs) with a published date prior to January 1, 2018, will be marked as “Deferred” within the National Vulnerability Database (NVD) dataset.
This significant change affects approximately 94,000 CVEs, representing about 34% of all vulnerability records in the database.
NIST’s decision comes as the organization faces mounting challenges in processing new vulnerability submissions, which increased by 32% in 2024.
At points last year, the backlog reached 18,000 records as the institute struggled to keep pace with the growing volume of vulnerability reports.
Decision Driven by Resource Constraints and Growing Backlog
According to NIST’s announcement, the “Deferred” status indicates that the organization “does not plan to prioritize updating NVD enrichment or initial NVD enrichment data due to the CVE’s age.”
The change will be implemented over several nights and is intended to provide “additional clarity regarding which CVE records are prioritized”.
Security professionals have expressed concern about the potential implications of this change, particularly as AI-powered exploitation techniques evolve.
Marc Gaffan, CEO of IONIX, noted that while NIST’s focus on newer vulnerabilities is understandable, the critical factor in evaluating any CVE is its exploitability.
“With the rapid advancement of AI capabilities, there’s growing concern that older CVEs may be revived through novel exploitation techniques,” Gaffan warned.
“This trend could catch organizations off guard, leaving them unprepared to address the new risks and exposures these re-emerging threats may introduce”.
Ted Miracco, CEO of Approov, emphasized that older vulnerabilities often pose significant risks because they typically remain unpatched in legacy systems still in production, particularly in critical infrastructure, government, medical, and financial sectors.
Continuing Monitoring of Critical Vulnerabilities
NIST has clarified that despite the “Deferred” status, the organization will continue to accept and review requests to update metadata for these older CVE records.
“Should any new information clearly indicate that an update to the enrichment data for the CVE is appropriate, we will continue to prioritize those requests as time and resources allow,” the announcement stated.
Importantly, NIST has committed to prioritizing any pre-2018 CVEs that are added to the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerability (KEV) catalog, regardless of their deferred status.
Jon France, CISO at ISC2, suggested that security teams should focus not only on CVSS scores but also consult external enrichment sources such as MITRE CVE when validating patch status or threat mitigation.
Security experts recommend mapping older CVEs to a software bill of materials (SBOM) to identify at-risk libraries and components, especially for organizations maintaining legacy systems.
The change affects users of the NVD API and other services that rely on regular updates to vulnerability data.
CVEs marked as “Deferred” will display a banner on their CVE Detail Pages indicating this status, providing clear visibility into which NIST is actively maintaining records.
Organizations should review their vulnerability management strategies to account for this change and consider implementing additional monitoring for older systems where these deferred CVEs might be present.
#Cyber_Security #Cyber_Security_News #Vulnerability
Оригинальная версия на сайте:
NIST Will Mark All CVEs Published Before 01/01/2018 as ‘Deferred’
Author: KaaviyaThe National Institute of Standards and Technology (NIST) announced on April 2, 2025, that all Common Vulnerabilities and Exposures (CVEs) with a published date prior to January 1, 2018, will be marked as “Deferred” within the National Vulnerability Database (NVD) dataset.
This significant change affects approximately 94,000 CVEs, representing about 34% of all vulnerability records in the database.
NIST’s decision comes as the organization faces mounting challenges in processing new vulnerability submissions, which increased by 32% in 2024.
At points last year, the backlog reached 18,000 records as the institute struggled to keep pace with the growing volume of vulnerability reports.
Decision Driven by Resource Constraints and Growing Backlog
According to NIST’s announcement, the “Deferred” status indicates that the organization “does not plan to prioritize updating NVD enrichment or initial NVD enrichment data due to the CVE’s age.”
The change will be implemented over several nights and is intended to provide “additional clarity regarding which CVE records are prioritized”.
Security professionals have expressed concern about the potential implications of this change, particularly as AI-powered exploitation techniques evolve.
Marc Gaffan, CEO of IONIX, noted that while NIST’s focus on newer vulnerabilities is understandable, the critical factor in evaluating any CVE is its exploitability.
“With the rapid advancement of AI capabilities, there’s growing concern that older CVEs may be revived through novel exploitation techniques,” Gaffan warned.
“This trend could catch organizations off guard, leaving them unprepared to address the new risks and exposures these re-emerging threats may introduce”.
Ted Miracco, CEO of Approov, emphasized that older vulnerabilities often pose significant risks because they typically remain unpatched in legacy systems still in production, particularly in critical infrastructure, government, medical, and financial sectors.
Continuing Monitoring of Critical Vulnerabilities
NIST has clarified that despite the “Deferred” status, the organization will continue to accept and review requests to update metadata for these older CVE records.
“Should any new information clearly indicate that an update to the enrichment data for the CVE is appropriate, we will continue to prioritize those requests as time and resources allow,” the announcement stated.
Importantly, NIST has committed to prioritizing any pre-2018 CVEs that are added to the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerability (KEV) catalog, regardless of their deferred status.
Jon France, CISO at ISC2, suggested that security teams should focus not only on CVSS scores but also consult external enrichment sources such as MITRE CVE when validating patch status or threat mitigation.
Security experts recommend mapping older CVEs to a software bill of materials (SBOM) to identify at-risk libraries and components, especially for organizations maintaining legacy systems.
The change affects users of the NVD API and other services that rely on regular updates to vulnerability data.
CVEs marked as “Deferred” will display a banner on their CVE Detail Pages indicating this status, providing clear visibility into which NIST is actively maintaining records.
Organizations should review their vulnerability management strategies to account for this change and consider implementing additional monitoring for older systems where these deferred CVEs might be present.
#Cyber_Security #Cyber_Security_News #Vulnerability
Оригинальная версия на сайте:
