It’s been just over a month since the National Vulnerability Database (NVD) announced temporary delays in adding analysis and updates to newly published vulnerabilities (CVEs). As the weeks passed, that delay snowballed into a mini crisis: almost half of all CVEs published in 2024 are missing CPE enrichment. That’s 3,364 out of 6,884 so far this year.
Before we get into what’s happening and why it matters, it’s important to note that Securin aggregates and enriches intelligence from multiple sources, so our platform continues to protect our customers from evolving threats. While the NVD hasn’t provided CVSS scores for over 950 CVEs, our Risk Index scores and Threat Intelligence continue to support organizations in their vulnerability management initiatives – CVSS is not a single point of failure.
But it’s also important to acknowledge the challenge that this slowdown poses across the community: as Securin threat expert Aviral Verma puts it, “Threat actors have no sympathy for NIST’s predicament as they continue to ramp up their exploitation of vulnerabilities.”
So, back to what’s happening and what it means…
Missing in Action
Since 2005, the NVD has acted as a centralized hub for identification and information on cybersecurity vulnerabilities. They collaborate with multiple stakeholders to maintain the world’s most widely used software vulnerability database – their CVEs are unique identifiers for vulnerabilities and exposures – the metadata and information they enrich each vulnerability with is crucial to the cybersecurity community. Without it, we’re all essentially shooting in the dark when it comes to establishing precisely which vendors and applications are impacted by any given vulnerability.
Can we figure things out, share data and fill in the gaps ourselves? Of course we can – and we do. But it’s a massive workload, especially for organizations relying on the NVD as their sole source of information. To really understand what’s going on, let’s take a look at some of the technical aspects of why this problem is so serious.
The Impact of NVD Delays on Cybersecurity
NVD’s slowdown, including the missing enrichment data, hinders cybersecurity efforts by depriving researchers and security teams of crucial vulnerability and exposure details. This gap in crucial information undermines vulnerability management strategies – exposing organizations to cyberattacks.
While the NVD works to overcome its challenges, threat actors are free to take advantage of the lack of visibility to ramp up their exploitation of vulnerabilities, exploiting the gaps in data enrichment and targeting organizations with increased precision and severity. As the below diagram illustrates, there are 99 vulnerabilities with a published PoC but we don’t know whether or not they’re exploited – “armed weapons, waiting to be fired,” as Aviral Verma describes them.
As we can see above, there is no CPE (Common Platform Enumeration) enrichment. Massive chunks of vital information about the structures, IT systems, software and packages affected by the CVE are missing. These are significant blind spots, and as Securin’s VI shows, threat actors have already noticed: these CVEs are already weaponized or are the subject of significant dark/social web discussion.
The examples below show two CVEs that were exploited by threat actors and added to CISA’s KEV (Known Exploited Vulnerabilities) catalog, yet it took the NVD 23 days to add information on which products were impacted by them. That’s 23 days without data to help build defenses, all while attacks are underway.
Vulnerability scanners use CPE to detect affected assets and configurations, crucial for prioritizing and remediating security risks. CVSS scores and metrics such as Attack Vector, User Interaction, Attack Complexity, Privileges Required and CIA triad provide critical insights into the severity and potential impact of vulnerabilities. Without this information, we face challenges in accurately assessing and prioritizing security risks, leaving systems and data vulnerable to exploitation. Organizations that rely exclusively on NVD face significant exposure to cyberattack.
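The paragraph above describes what a scanner actually does with the enrichment data: it walks each CVE’s CPE configuration, applies the version bounds, and matches the result against an asset inventory. The added example below is not Securin’s or NIST’s code; it is a small Python model of that step that also flags records lacking CPE or CVSS data, so a team can see which CVEs are invisible to CPE-based matching. The record layout follows the NVD API 2.0 JSON shape (`cve.configurations[].nodes[].cpeMatch[]`, `cve.metrics.cvssMetricV31`) as the author understands it, the CVE identifiers and CPE strings are constructed placeholders, and the matcher assumes OR semantics within a node (AND nodes are not evaluated).

```python
"""Model of CPE-based vulnerability matching plus an enrichment check.
Added example, not Securin's or NIST's code. Record shape mirrors the NVD
API 2.0 JSON layout (an assumption); all CVE ids, vendors and CPEs below are
constructed placeholders."""

CPE_FIELDS = ("part", "vendor", "product", "version", "update", "edition",
              "language", "sw_edition", "target_sw", "target_hw", "other")


def parse_cpe23(cpe: str) -> dict:
    """Split a CPE 2.3 formatted string into its eleven named components."""
    parts = cpe.split(":")
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 string: {cpe}")
    return dict(zip(CPE_FIELDS, parts[2:]))


def version_key(v: str) -> tuple:
    """Make '2.3.9' < '2.4.0' compare numerically; non-numeric parts sort after numbers."""
    return tuple((0, int(x)) if x.isdigit() else (1, x) for x in v.split("."))


def in_range(version: str, m: dict) -> bool:
    """Apply the NVD cpeMatch version bounds (versionStart/End Including/Excluding)."""
    v = version_key(version)
    if m.get("versionStartIncluding") and v < version_key(m["versionStartIncluding"]):
        return False
    if m.get("versionStartExcluding") and v <= version_key(m["versionStartExcluding"]):
        return False
    if m.get("versionEndIncluding") and v > version_key(m["versionEndIncluding"]):
        return False
    if m.get("versionEndExcluding") and v >= version_key(m["versionEndExcluding"]):
        return False
    return True


def cpe_matches(asset: dict, m: dict) -> bool:
    """True if a parsed asset CPE falls under a cpeMatch entry and its version bounds."""
    crit = parse_cpe23(m["criteria"])
    for f in CPE_FIELDS:
        if f != "version" and crit[f] != "*" and crit[f] != asset[f]:
            return False
    if crit["version"] != "*":           # explicit version in the criteria: exact match
        return crit["version"] == asset["version"]
    return in_range(asset["version"], m)  # wildcard version: use the range attributes


def triage(record: dict) -> dict:
    """Report whether an NVD record carries the CPE and CVSS enrichment scanners need."""
    cve = record["cve"]
    metrics = cve.get("metrics", {})
    return {
        "id": cve["id"],
        "status": cve.get("vulnStatus", "unknown"),
        "has_cpe": bool(cve.get("configurations")),
        "has_cvss": any(metrics.get(k) for k in ("cvssMetricV31", "cvssMetricV30", "cvssMetricV2")),
    }


def match_inventory(records: list, inventory: list) -> dict:
    """Return {'matches': [(cve_id, asset_cpe)], 'blind': [cve ids with no CPE data]}."""
    assets = [(raw, parse_cpe23(raw)) for raw in inventory]
    out = {"matches": [], "blind": []}
    for rec in records:
        t = triage(rec)
        if not t["has_cpe"]:
            out["blind"].append(t["id"])   # cannot be matched to any asset until enriched
            continue
        for conf in rec["cve"]["configurations"]:
            for node in conf["nodes"]:     # OR semantics assumed; AND nodes not evaluated
                for m in node["cpeMatch"]:
                    if not m.get("vulnerable", True):
                        continue
                    for raw, parsed in assets:
                        if cpe_matches(parsed, m) and (t["id"], raw) not in out["matches"]:
                            out["matches"].append((t["id"], raw))
    return out


# Constructed sample: one analyzed record with CPE + CVSS, one still awaiting analysis.
SAMPLE_RECORDS = [
    {"cve": {"id": "CVE-2024-000001", "vulnStatus": "Analyzed",
             "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 9.8, "attackVector": "NETWORK"}}]},
             "configurations": [{"nodes": [{"operator": "OR", "negate": False, "cpeMatch": [
                 {"vulnerable": True,
                  "criteria": "cpe:2.3:a:examplevendor:webapp:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "2.4.0"}]}]}]}},
    {"cve": {"id": "CVE-2024-000002", "vulnStatus": "Awaiting Analysis", "metrics": {}}},
]
INVENTORY = ["cpe:2.3:a:examplevendor:webapp:2.3.9:*:*:*:*:*:*:*",
             "cpe:2.3:a:examplevendor:webapp:2.4.1:*:*:*:*:*:*:*"]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(triage(rec))
    print(match_inventory(SAMPLE_RECORDS, INVENTORY))
```

Run against the constructed data, the 2.3.9 install is matched to the analyzed CVE while the 2.4.1 install falls outside the `versionEndExcluding` bound, and the “Awaiting Analysis” record lands in the `blind` list: it may well affect an asset in the inventory, but with no CPE configuration there is nothing for the matcher to compare against, which is exactly the gap the text describes.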
Working Around the Lack of CPEs
There’s no escaping the reality that NVD’s comprehensive coverage of CVEs made it a vital source for information. Sources such as OSV and GitHub Security Advisories cover open source vulnerabilities, but security teams will still be tasked with matching vulnerabilities to proprietary enterprise software from vendors like Apple, Cisco or Microsoft.
Securin VI provides impacted vendor, product and package data for a significant number of NVD CVEs – the image below shows the top vendors whose CVEs are missing CPE data on the NVD but are enriched with impacted product information by Securin VI:
Securin VI allows organizations to accurately assess risk without the need for CVSS by aggregating information from multiple sources beyond the NVD and monitoring CVE chatter across the deep and dark web, from which it formulates a vulnerability’s Risk Index.
The shortcomings of NVD in providing comprehensive enrichment data on recent CVE entries hinder vulnerability management and increase organizations’ vulnerability to cyberattacks. While NVD addresses these issues, threat actors exploit vulnerabilities with precision, underscoring the need for accurate vulnerability data. Platforms like Securin VI provide alternative solutions by enriching missing data, helping organizations enhance their cybersecurity posture against evolving threats.