Go back

The Real Danger Lurking in the NVD Backlog

Patrick Garrityin/patrickmgarrity/

Weekly CVE's Published by Status

On February 12, 2024, the NIST National Vulnerability Database (NVD) began slowing the processing and enrichment of new vulnerabilities. Since that date, 12,720 new vulnerabilities and counting have been added to NVD but 11,885 have not been analyzed or enriched with critical data that help security professionals determine what software has been affected by a vulnerability. By February 15, the NVD website announced that users might experience "delays in analysis efforts."

Numerous prominent and influential voices in the industry have warned about how this gives malicious threat actors an upper hand in weaponizing vulnerabilities with exploits that greatly increases supply chain risks across critical sectors.

With the recent slowdown of the NIST National Vulnerability Database (NVD), it's crucial to understand the gravity of the situation. Nation-state threat actors and ransomware gangs continue to target organizations with devastating consequences, while our own house is in disarray. Although we can speculate on the underlying causes leading to the NVD's near cessation, one thing is clear: threats continue to persist and show no signs of following NIST's lead.

This research aims to illustrate this gravity, utilizing data sourced from the NVD and VulnCheck’s exploit and vulnerability service. The research focused on new CVE’s published by NVD between February 12 and May 20, 2024.

Key Findings

  • 93.4% of new vulnerabilities have not been analyzed by the National Vulnerability Database (NVD) since February 12, 2024.
  • 50.8% of VulnCheck Known Exploited Vulnerabilities have not been analyzed by the National Vulnerability Database (NVD) since February 12, 2024.(Source: VulnCheck KEV).
  • 55.9% of Weaponized Vulnerabilities have not been analyzed by the National Vulnerability Database (NVD) since February 12, 2024.
  • 82% of CVEs with a Proof-of-Concept Exploit have not been analyzed by the National Vulnerability Database (NVD) since February 12, 2024.

NIST NVD's Important Role in the Vulnerability Ecosystem

For over 20 years, the NIST NVD has played a critical role as a primary source for software vulnerability data, serving organizations worldwide. The NVD has provided three primary functions:

  • CVE Enrichment: CVSS scoring, CWE, CPE configurations, and reference tags.
  • Consumable Data Access: Consistent and easy-to-consume JSON, CVEs with enrichment from one source.
  • CNA/Vendor Accountability: CVE rejections and data quality.

While there is debate over the NVD’s approach, it has a long track record as the go-to source for enriched CVE data and is incorporated into several government mandates as the source of truth for vulnerability management requirements.

As the security community reacts to an uncertain future for the NVD and scrambles to fill this void, it is important to provide real-world insight into the threats that persist as the NVD falters to provide a critical service for the world.

NVD Current Processing Status of CVEs Since February 12, 2024

The outlook for the NVD is bleak. As of now, 93.4% of vulnerabilities remain unanalyzed. Out of 12,720 new vulnerabilities added to the database since February 12, 11,885 have not been analyzed by the NVD.

NVD Status Since February 12th, 2024

Unaddressed Known Exploited CVEs

As of May 20th, 50.8% of Known Exploited Vulnerabilities are unanalyzed by the NVD. Thirty out of 59 Known Exploited Vulnerabilities (KEVs) have not been analyzed by the NVD (Source: VulnCheck KEV).

Several of the Known Exploited Vulnerabilities that are unanalyzed impact technologies including Microsoft Windows, Adobe ColdFusion, Progress Flowmon, ChatGPT, Qnap, Netlify OpenMetadata, WordPress and others.

VulnCheck Known Exploited Vulnerabilities (KEV) catalog is a real-time collection of known exploited vulnerabilities that is inclusive of CISA KEV, made available as a free community resource with publicly referencable citations.

Weekly CVE's Published by Status

Unaddressed Weaponized CVEs

Weaponized typically is an exploit that delivers a substantial payload. For example, Metasploit exploits are considered "weaponized" (as they can deliver meterpreter or other advanced payloads).

As of May 20th, 55.9% of Weaponized Vulnerabilities are unanalyzed by the NVD. Thirty-eight out of 68 Weaponized Vulnerabilities have not been analyzed by the NVD (Source: VulnCheck Exploit and Vulnerbality Intelligence).

Weekly CVE's Published by Status

Unaddressed Vulnerabilities w/ Proof-of-Concept Code

As of May 20th, 82% of CVEs with a Proof-of-Concept Exploit are unanalyzed by the NVD: Of the 482 CVEs that have a Proof-of-Concept Exploit associated, 396 remain unanalyzed by the NVD.

Weekly CVE's Published by Status

The Path Forward for CVE.org and NIST NVD

While uncertainty around the future of NIST NVD remains, it’s in the best interest of the CVE community to coordinate efforts to fill the void that NIST has currently created.

  • For CVE numbering authorities (CNAs), it benefits downstream consumers of CVE data to provide more complete data when publishing new CVEs. CNAs should work toward enriching CVE records as completely as possible, including the submission of product names, vendor names, version numbers, thorough descriptions, broad references, CPE, CVSS, and CWE.
  • CVE.org/MITRE and NVD should focus on automating CVE enrichment where possible and focus on completing the gaps where CNAs haven’t supplied sufficient information. NVD should deprioritize analyzing every CVE submission and move to a model where they establish trust with CNAs and the CVE program that doesn’t require a manual review of every CVE.
  • CVE.org/MITRE should consider accelerating the Authorized Data Provider (ADP) program to validate and allow third-party contributions to enrich CVE.org data. This would include incorporating projects like CISA’s Vulnrichment project, CISA KEV and other third party sources.

Regardless of the uncertainty, VulnCheck is committed to contributing back to the security community. VulnCheck is providing vulnerability enrichment services, including CPE and access to NIST-NVD and CVE Mitre data from a single source at no cost. Anyone can register for the free service here: https://vulncheck.com/community.

VulnCheck also provides a commercial service with broad access to vulnerability and exploit intelligence,including: Vulnerabilities in Open Source packages / dependencies, Vulnerabilities in ICS/OT, IoMT, IoT, mobile, etc., devices, Git repositories for new exploit PoCs, Caching of exploit PoCs, Exploit Maturity classification, Exploit Type classification, Evidence of exploitation in-the-wild & exploitation timelines and more.

About VulnCheck

VulnCheck is helping organizations not just to solve the vulnerability prioritization challenge - we’re working to help equip any product manager, CSIRT/PSIRT or SecOps team and Threat Hunting team to get faster and more accurate with infinite efficiency using VulnCheck solutions.

We knew that we needed better data, faster across the board, in our industry. So that’s what we deliver to the market. We’re going to continue to deliver key insights on vulnerability management, exploitation and major trends we can extrapolate from our dataset to continuously support practitioners.

Are you interested in learning more? If so, VulnCheck's Exploit & Vulnerability Intelligence has broad threat actor coverage. Register and demo our data today.