16 April 2025


Cyber threat advisory: Expiry of CVE program


Background

On 15 April 2025, an internal memo from MITRE, the non-profit research and development organisation, was circulated online. The memo warned that funding for MITRE's maintenance of the Common Vulnerabilities and Exposures (CVE) program would end effective 16 April 2025. The CVE program is widely used by the global cyber security community to categorise vulnerabilities in a standardised format by assigning each one a unique CVE ID. Shortly before the contract lapsed on 16 April 2025, it was reported that an 11-month extension had been agreed, but the long-term stability of the program has been called into question.

Why does it matter?

The CVE program is widely used to share information about publicly known vulnerabilities in released software in a universally understood format. MITRE warned that termination of funding would likely lead to deterioration of national vulnerability databases and advisories, and would in turn affect tool vendors, incident response operations and critical infrastructure. The announcement has prompted serious concern throughout the cyber security community, because standardised and consistent information about exploitable software vulnerabilities is crucial for assessing the risk they pose and responding appropriately.

While MITRE has overall responsibility for assigning CVE IDs, there are also 458 local CVE Numbering Authorities in 40 countries with the authority to assign CVEs independently. The CVE program is also separate from the National Vulnerability Database (NVD), which is managed by the US government’s National Institute of Standards and Technology (NIST). The NVD provides more detailed information about software vulnerabilities, but it still depends on the CVE program to categorise them before it can enrich them. It is unclear how these systems will operate without MITRE’s leadership and oversight of the CVE program.

What is the immediate impact?

The Cybersecurity and Infrastructure Security Agency (CISA), the US government agency responsible for funding the CVE program, has now executed an eleven-month extension to ensure there is no immediate lapse in critical services. The website listing historical CVE IDs will remain active and new CVE IDs will continue to be added, so there will be no immediate impact on vulnerability scanning technologies that indirectly rely on CVE program data. It is unclear what will happen after the extension expires.

What will happen next?

A new non-profit organisation called the CVE Foundation has been announced, which is intended to act as a successor to MITRE as custodian of the CVE program. The foundation was planned in response to fears of cuts to US federal government funding for the program, and it will likely seek alternative sources of funding and support.

If the CVE program were to lapse in future, it would likely have a knock-on effect, reducing the speed and consistency with which new vulnerabilities are categorised and incorporated into vulnerability databases such as the NVD. These databases are used by vulnerability scanning technologies to identify and remediate software vulnerabilities before they are exploited. A lapse would also impair the ability of incident responders to identify, communicate about and mitigate the exploitation of new vulnerabilities.

What should organisations do now?

If the CVE program and related resources such as the NVD become degraded, organisations should diversify their sources of threat intelligence and of information about potentially exploitable software vulnerabilities, rather than relying on a single feed.

Please contact S-RM if you are concerned about your organisation’s ability to manage software vulnerabilities.
