CVE backlog update: The NVD struggles as attackers change tactics


In February, the number of vulnerabilities processed and enriched by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) started to slow. By May, 93.4% of new vulnerabilities and 50.8% of known exploited vulnerabilities were still waiting on analysis, according to research from VulnCheck.


Three months later, the problem persists. While NIST has a plan to get back on track, the current pace of common vulnerabilities and exposures (CVE) enrichment isn’t keeping up with new vulnerability disclosures. Here’s a look at what’s behind the backlog, why CVEs may no longer be the Holy Grail of IT defense and how security teams can stay ahead of attacker efforts.


What’s behind the backlog?


Budget cuts are partially responsible for CVE analysis issues. As noted by Security Magazine, NIST funding was cut by 12% this year, making it more difficult for the agency to identify and analyze CVEs.


The sheer number of reported vulnerabilities also poses a problem for analysis efforts; Flashpoint research found that NIST reported 33,137 vulnerabilities in 2023. In part, the rising numbers are tied to improved detection capabilities. As companies expand security efforts with cloud-based technologies and AI-enabled tools, they’re better able to pinpoint potential weaknesses. Bigger numbers therefore aren’t always indicative of increased risk, but they do speak to a growing number of potential attack paths.


NIST does have a plan to clear the backlog. According to