In the world’s largest NVD vulnerabilities database, controlled by the National Institute of Standards and Technologies of the United States (NIST), a serious failure occurred recently, leading to a significant increase in the number of unpublished vulnerabilities. There was a serious failure which raised concerns among cybersecurity researchers.
Since mid-February 2024, issues with processing new data arose in the database’s operation, and as of May 9, the service stopped displaying new vulnerabilities. This development has caused worry among cybersecurity professionals.
Efforts are being made by experts from both the public and private sectors to address the backlog of vulnerabilities accumulated over three months and fill in any gaps where possible.
From February 12 of this year, NIST has only been able to analyze and add 4524 out of 14,286 vulnerabilities to its database. This situation hampers the awareness of security teams and provides new opportunities for attackers.
During the recent RSA conference, Emmanuel Cavia, the CEO of riskorizon.ai, highlighted that unprocessed vulnerabilities are already being exploited. Many companies rely on NVD for software updates and fixes, making the halt in publications a significant issue.
Since May 9, employees from various organizations have confirmed that new vulnerabilities have not been added to the database through the API. The last processed vulnerability was added on May 9.
A NIST representative explained that the issues stemmed from the transition to the new CVE-JSON data format. While the processing of vulnerabilities continued, public publications were suspended for system updates until May 14.
In March, Tanya Brier, the manager of the NVD program, announced the formation of a consortium to address these problems, but specific details remain undisclosed. Private companies like riskorizon.ai have launched the NVD Backlog Tracker to monitor raw vulnerabilities.
RISKHORIZON.AI claims to cover 85% of unprocessed vulnerabilities, providing criticality and exploitation data, though access to the platform is subscription-based. Other companies such as Trend Micro and Vulncheck are actively publishing new vulnerabilities as alternatives to NVD.
On May 8, the Cybersecurity and Infrastructure Security Agency (CISA) of the United States