The NVD has slipped deeper into its backlog of CVEs awaiting analysis, with 12,527 in the queue (up 22% from two weeks ago) and just 169 currently undergoing analysis. CVE enrichment, the process of adding valuable details and context to a CVE record, stalled out at the NVD in mid-February and has yet to recover.
NIST, the agency responsible for the database, last updated the public with a notice on April 25, stating that it is “prioritizing analysis of the most significant vulnerabilities” and working with agency partners to add support, as well as pursuing long-term solutions to the challenge.
Communication from NIST has been sparse, but CISA has stepped in with its new Vulnrichment project, which focuses on adding Common Platform Enumeration (CPE), Common Vulnerability Scoring System (CVSS), Common Weakness Enumeration (CWE) and Known Exploited Vulnerabilities (KEV) data to CVE records. The goal is to help organizations and vendors prioritize remediation with additional information on severity and exploitability, but it also means consumers of CVE data now have to ingest and reconcile yet another source alongside the NVD.
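What "processing an additional source" looks like in practice, as an added example that is not code from the article, NIST or CISA: the script below reads an NVD API 2.0 item and a CVE JSON 5.x record, uses NVD's own CVSS/CWE/CPE data when NIST has actually analyzed the CVE, and otherwise falls back to whatever the CNA and any ADP containers (CISA Vulnrichment publishes its additions as an ADP container) supplied. Field names follow the CVE 5 schema and NVD API 2.0 responses as understood by the author of this example; both sample records are constructed inline, and the CVE ID and CPE strings in them are placeholders rather than real identifiers.

```python
"""Fall back from NVD enrichment to CNA/ADP (e.g. CISA Vulnrichment) data.

Added example; not code from the article, NIST or CISA. Field names follow the
CVE JSON 5.x record schema and NVD API 2.0 responses as the author understands
them; both sample records below are constructed for illustration, and the CVE
ID and CPE strings are placeholders, not real identifiers.
"""
from __future__ import annotations

# NVD 'vulnStatus' values that mean NIST has actually enriched the record
# (assumed from NVD API 2.0 documentation; anything else is treated as unenriched).
NVD_ENRICHED_STATUSES = {"Analyzed", "Modified"}


def nvd_enrichment(nvd_item: dict) -> dict | None:
    """Pull CVSS/CWE/CPE from an NVD API 2.0 item, or None if NVD hasn't analyzed it."""
    cve = nvd_item["cve"]
    if cve.get("vulnStatus") not in NVD_ENRICHED_STATUSES:
        return None
    cvss = [m["cvssData"] for m in cve.get("metrics", {}).get("cvssMetricV31", [])
            if m.get("type") == "Primary"]
    cwes = [d["value"] for w in cve.get("weaknesses", [])
            for d in w.get("description", []) if d["value"].startswith("CWE-")]
    cpes = [m["criteria"] for c in cve.get("configurations", [])
            for n in c.get("nodes", []) for m in n.get("cpeMatch", []) if m.get("vulnerable")]
    return {"source": "nvd", "cvss": cvss, "cwes": cwes, "cpes": cpes}


def _container_enrichment(container: dict) -> dict:
    """Extract CVSS/CWE/CPE from one CVE JSON 5 container (cna or an adp entry)."""
    cvss = [m["cvssV3_1"] for m in container.get("metrics", []) if "cvssV3_1" in m]
    cwes = [d["cweId"] for p in container.get("problemTypes", [])
            for d in p.get("descriptions", []) if d.get("cweId")]
    cpes = [c for a in container.get("affected", []) for c in a.get("cpes", [])]
    return {"cvss": cvss, "cwes": cwes, "cpes": cpes}


def cve_record_enrichment(record: dict) -> list[dict]:
    """Return enrichment from the CNA container followed by every ADP container.

    CISA Vulnrichment publishes its additions as an ADP container whose
    providerMetadata.shortName is 'CISA-ADP' (assumed from the project's records).
    """
    containers = record["containers"]
    ordered = [("cna", containers["cna"])] + [("adp", c) for c in containers.get("adp", [])]
    out = []
    for label, container in ordered:
        data = _container_enrichment(container)
        short = container.get("providerMetadata", {}).get("shortName", "?")
        data["source"] = f"{label}:{short}"
        out.append(data)
    return out


def merged_enrichment(nvd_item: dict, record: dict) -> dict:
    """Prefer NVD analysis; when absent, take the first CNA/ADP container that
    supplies each field, so an unanalyzed CVE still gets a score, a CWE and CPEs.
    'source' records where each field came from, which matters for audit trails."""
    nvd = nvd_enrichment(nvd_item)
    if nvd:
        return nvd
    merged = {"source": [], "cvss": [], "cwes": [], "cpes": []}
    for data in cve_record_enrichment(record):
        for field in ("cvss", "cwes", "cpes"):
            if not merged[field] and data[field]:
                merged[field] = data[field]
                merged["source"].append(f"{field}<-{data['source']}")
    return merged


# Constructed sample: NVD has received the CVE but not analyzed it.
SAMPLE_NVD_ITEM = {"cve": {"id": "CVE-2024-XXXXX", "vulnStatus": "Awaiting Analysis"}}

# Constructed sample CVE JSON 5.1 record: the CNA supplied a CWE and a CVSS
# score but no CPE; the CISA-ADP container adds the CPE and an SSVC decision.
SAMPLE_CVE_RECORD = {
    "dataType": "CVE_RECORD", "dataVersion": "5.1",
    "cveMetadata": {"cveId": "CVE-2024-XXXXX", "state": "PUBLISHED"},
    "containers": {
        "cna": {
            "providerMetadata": {"shortName": "examplecna"},
            "affected": [{"vendor": "examplevendor", "product": "exampleproduct",
                          "versions": [{"version": "1.0", "status": "affected"}]}],
            "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79",
                                                 "description": "Cross-site scripting"}]}],
            "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.1, "baseSeverity": "MEDIUM",
                                      "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}}],
        },
        "adp": [{
            "providerMetadata": {"shortName": "CISA-ADP"},
            "affected": [{"vendor": "examplevendor", "product": "exampleproduct",
                          "cpes": ["cpe:2.3:a:examplevendor:exampleproduct:1.0:*:*:*:*:*:*:*"]}],
            "metrics": [{"other": {"type": "ssvc", "content": {"options": [{"Exploitation": "none"}]}}}],
        }],
    },
}

if __name__ == "__main__":
    print(merged_enrichment(SAMPLE_NVD_ITEM, SAMPLE_CVE_RECORD))
```

The point of keeping the per-field `source` list is that CNA-supplied scores and ADP-supplied CPEs are not equivalent to an NVD analysis; a scanner that silently blends them will report a CVSS score without saying who assigned it, which is exactly the provenance problem the fragmentation of sources creates.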
More Than 50% of Exploited CVEs are Still Awaiting Analysis
Today, VulnCheck, a vulnerability intelligence platform, published a report that highlights the gravity of the situation. One of the most alarming findings is that more than half of the known exploited vulnerabilities (KEVs) have not been analyzed by the NVD since it suddenly halted CVE enrichment in February:
- 93.4% of new vulnerabilities have not been analyzed by the National Vulnerability Database (NVD) since February 12, 2024.
- 50.8% of VulnCheck Known Exploited Vulnerabilities have not been analyzed by the National Vulnerability Database (NVD) since February 12, 2024. (Source: VulnCheck KEV)
- 55.9% of Weaponized Vulnerabilities have not been analyzed by the National Vulnerability Database (NVD) since February 12, 2024.
- 82% of CVEs with a Proof-of-Concept Exploit have not been analyzed by the National Vulnerability Database (NVD) since February 12, 2024.
While the NVD’s notice states that it is prioritizing analysis of the most significant vulnerabilities, VulnCheck’s data shows the agency is not getting to even half of the serious threats that have been logged. Weaponized vulnerabilities, those for which an exploit capable of delivering a substantial payload exists, fare no better, with 55.9% still pending review.
“Several of the Known Exploited Vulnerabilities that are unanalyzed impact technologies including Microsoft Windows, Adobe ColdFusion, Progress Flowmon, ChatGPT, Qnap, Netlify OpenMetadata, WordPress and others,” VulnCheck security researcher Patrick Garrity said in the report.
VulnCheck’s KEV catalog also includes CISA KEV and is available as a free resource. The company is advocating for CNAs to be able to enrich CVE records as completely as possible and for the NVD to focus on automating enrichment where possible.
“NVD should deprioritize analyzing every CVE submission and move to a model where they establish trust with CNAs and the CVE program that doesn’t require a manual review of every CVE,” Garrity said.
The loss of reliable CVE enrichment from the NVD worsens the fragmentation already present among security vendors tracking vulnerabilities, and it makes life more complex for organizations that now have to rely on multiple sources for this data. The likely results are gaps in coverage and delays in responding to threats.
“The NVD is a key part of the software ecosystem, and despite deficiencies with NVD and its associated processes, it is and has served as a key part of the vulnerability management landscape for decades,” Aquia co-founder Chris Hughes said in a post titled Death Knell of the NVD? shortly after the NVD halted CVE enrichment.
“That said, the current lack of communication and clarity, coupled with decreasing quality of CVEs due to a lack of enrichment, is undoubtedly giving credibility to criticisms and risks further jeopardizing the NVD’s long-term trust and reliability.”
In the absence of any communication from NIST about a path forward, it is impossible to know where the agency is taking the program, or whether CISA’s Vulnrichment project is part of a plan to hand off enrichment responsibilities. Security vendors are doing their best to fill the gaps by providing their own analyses, leveraging other databases, and sharing resources via social media and messaging apps to maintain continuous protection for their customers.
It is clear that vulnerability disclosures are not slowing down while NIST transitions its processes and infrastructure. The vulnerability ecosystem may be forced into a more decentralized model in which the decades-old NVD is no longer the central point of data. That shift may align with the “consortium” approach NIST said it would spearhead, but it appears to be evolving organically in response to current challenges rather than as a result of direct leadership.