Dive Brief:
- The National Institute of Standards and Technology has analyzed less than 1 in 10 vulnerabilities published in the National Vulnerability Database since mid-February, according to research VulnCheck released Thursday.
- As of May 19, 11,885 of the 12,720 vulnerabilities added to the NVD haven’t been analyzed or enriched with critical data, the report found.
- NIST analysis is missing from more than half of the known exploited vulnerabilities in VulnCheck’s catalog, the vulnerability research firm found. VulnCheck currently tracks twice as many actively exploited vulnerabilities as the Cybersecurity and Infrastructure Security Agency.
Dive Insight:
NIST scaled back the NVD program in mid-February amid a growing backlog and said it is prioritizing analysis of the most significant or actively exploited vulnerabilities. NIST did not answer questions about VulnCheck’s research by publication time.
VulnCheck’s research accentuates concerns cybersecurity experts shared about an analysis gap when NIST paused. The resource-constrained agency reported an all-time high of 33,137 vulnerability disclosures last year, and it was falling behind.
“NVD processed most vulnerabilities in a timely fashion before this slowdown,” Patrick Garrity, senior researcher at VulnCheck, said via email. “However, there are instances where the CVE numbering authority didn’t publish a vulnerability that had exploitation evidence.”
NIST has not yet analyzed known exploited vulnerabilities linked to Microsoft Windows, Adobe ColdFusion, Progress Flowmon, ChatGPT and other technology vendors, according to VulnCheck.
NIST’s pause on some of its NVD activities is also leaving many CVEs with unexamined proof-of-concept exploits. More than 4 in 5 CVEs with a proof-of-concept exploit have not been analyzed by the NVD since the slowdown, according to VulnCheck.
“There are broad implications when it comes to the visibility of vulnerabilities that are not analyzed and processed by CVE,” Garrity said.
Many security tools, as well as threat and risk scoring systems, rely on NVD enrichment data such as Common Platform Enumeration (CPE) identifiers and Common Vulnerability Scoring System (CVSS) scores. “This creates a cascading effect across the wider security community,” Garrity said.
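The dependency described above can be checked directly in the feed a tool ingests: a record that has no CVSS metrics cannot be risk-scored, and one with no CPE configuration cannot be matched to an asset inventory. The script below is an added example, not code from the article, VulnCheck or NIST. It assumes the NVD API 2.0 JSON layout (`vulnStatus`, `metrics.cvssMetricV31`, `configurations[].nodes[].cpeMatch`, and a `type` of `Primary` for NIST-supplied CVSS versus `Secondary` for CNA-supplied CVSS) and runs over three constructed records with placeholder CVE IDs, one of which is placed on a constructed "known exploited" list.

```python
"""Flag NVD records that still lack enrichment (CVSS metrics, CPE configurations)."""
import json

# Constructed sample shaped like an NVD API 2.0 /cves response (assumption: this
# field layout). CVE-0000-000x are placeholders, not real identifiers.
SAMPLE_NVD_JSON = json.dumps({
    "vulnerabilities": [
        {"cve": {  # fully analyzed: NIST CVSS plus CPE configuration
            "id": "CVE-0000-0001", "vulnStatus": "Analyzed",
            "metrics": {"cvssMetricV31": [{"type": "Primary",
                "cvssData": {"baseScore": 9.8, "baseSeverity": "CRITICAL"}}]},
            "configurations": [{"nodes": [{"cpeMatch": [
                {"criteria": "cpe:2.3:a:example:app:1.0:*:*:*:*:*:*:*", "vulnerable": True}]}]}]}},
        {"cve": {  # awaiting analysis: no metrics and no configurations at all
            "id": "CVE-0000-0002", "vulnStatus": "Awaiting Analysis",
            "metrics": {}, "configurations": []}},
        {"cve": {  # CNA supplied a CVSS score, but NIST has not added CPE data
            "id": "CVE-0000-0003", "vulnStatus": "Awaiting Analysis",
            "metrics": {"cvssMetricV31": [{"type": "Secondary",
                "cvssData": {"baseScore": 7.5, "baseSeverity": "HIGH"}}]},
            "configurations": []}},
    ]
})

# Constructed stand-in for an exploited-vulnerabilities catalog.
SAMPLE_EXPLOITED_IDS = {"CVE-0000-0002"}

CVSS_KEYS = ("cvssMetricV40", "cvssMetricV31", "cvssMetricV30", "cvssMetricV2")


def cve_entries(text):
    """Return the list of 'cve' objects from an NVD API 2.0 style response."""
    return [v["cve"] for v in json.loads(text).get("vulnerabilities", [])]


def cvss_sources(cve):
    """Set of 'type' values ('Primary', 'Secondary') for any CVSS entries present."""
    metrics = cve.get("metrics") or {}
    return {m.get("type", "Unknown") for key in CVSS_KEYS for m in metrics.get(key, [])}


def has_cpe(cve):
    """True if at least one CPE match criterion is attached to the record."""
    return any(node.get("cpeMatch")
               for cfg in cve.get("configurations") or []
               for node in cfg.get("nodes", []))


def enrichment_gaps(cve):
    """List what a downstream tool would be missing for this record."""
    gaps = []
    sources = cvss_sources(cve)
    if not sources:
        gaps.append("cvss")            # nothing to score on at all
    elif "Primary" not in sources:
        gaps.append("cvss-nist")       # only a CNA score; NIST has not weighed in
    if not has_cpe(cve):
        gaps.append("cpe")             # cannot be matched to an asset inventory
    return gaps


def triage(text, exploited_ids):
    """Summarize which records are enriched, which are not, and which gaps matter most."""
    report = {"total": 0, "enriched": 0, "unenriched": {}, "unenriched_exploited": []}
    for cve in cve_entries(text):
        report["total"] += 1
        gaps = enrichment_gaps(cve)
        if not gaps:
            report["enriched"] += 1
            continue
        report["unenriched"][cve["id"]] = gaps
        if cve["id"] in exploited_ids:
            report["unenriched_exploited"].append(cve["id"])
    return report


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_NVD_JSON, SAMPLE_EXPLOITED_IDS), indent=2))
```

Pointing `triage` at a real export instead of the constructed sample gives a quick measure of how much of a given feed is usable for scoring and asset matching, and the `unenriched_exploited` list is the set worth prioritizing by hand while the NVD backlog persists.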