NIST Officially Stops Enriching Most CVEs as Vulnerability Volume Skyrockets
NIST has officially shifted the National Vulnerability Database (NVD) to a risk-based enrichment model, ceasing analysis for most new CVEs due to overwhelming submission volumes. This policy change leaves thousands of vulnerabilities without critical CVSS and CPE metadata, forcing organizations to rely on decentralized data sources and CNA-provided scores that often conflict with independent analysis.
Source: Socket
Key Takeaways
- NIST is abandoning comprehensive CVE enrichment, moving to a risk-based model focused only on CISA KEV, federal software, and EO 14028 critical software.
- Tens of thousands of backlogged CVEs are being moved to 'Not Scheduled', leaving them without critical CVSS severity scores or CPE data required for automated matching.
- NIST will no longer provide independent CVSS scores if a CNA has already provided one, despite a 25.4% conflict rate between NVD and GitHub Advisory scores.
- The vulnerability disclosure pipeline is severely bottlenecked, and emerging AI-driven discovery tools (like Mythos) are expected to exacerbate the issue.
- Organizations must shift away from relying on a single, centralized source (NVD) for vulnerability enrichment and patch prioritization.
Affected Systems
- Vulnerability Management Systems
- NVD-dependent Security Tools
- Automated Patch Management Workflows
Vulnerabilities (CVEs)
- CVE-2024-27306
- CVE-2025-48756
- CVE-2025-47735
- CVE-2025-47737
- CVE-2025-48751
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
No detection rules are provided as this article discusses vulnerability management policy changes rather than specific threat actor TTPs.
Detection Engineering Assessment
- EDR Visibility: None. This issue pertains to vulnerability intelligence and metadata enrichment, not endpoint execution or malicious behavior.
- Network Visibility: None. This issue pertains to vulnerability intelligence and metadata enrichment, not network traffic.
- Detection Difficulty: N/A. This is a systemic vulnerability management issue, not a detectable cyber attack.
Required Log Sources
- Vulnerability Scanner Logs
- Asset Management Systems
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Vulnerability management pipelines that depend on NVD-supplied CPE data will silently stop matching new CVEs against installed software as unenriched records accumulate, leaving vulnerable components unflagged. Audit scanner and ticketing logs for CVEs ingested without CPE or CVSS data. | Vulnerability Management System Logs | N/A | Low |
Control Gaps
- Vulnerability Scanners relying solely on NVD for CPE/CVSS data
- Automated patch prioritization workflows dependent on NVD enrichment
Recommendations
Immediate Mitigation
- Evaluate current vulnerability management tools for their reliance on NVD for CPE and CVSS enrichment.
- Incorporate alternative vulnerability intelligence sources (e.g., VulnDB, GitHub Advisory Database) into prioritization workflows.
Infrastructure Hardening
- Shift vulnerability prioritization strategies to heavily weight CISA KEV and active exploitation intelligence over static CVSS scores.
User Protection
- N/A
Security Awareness
- Educate security and patching teams on the discrepancies between CNA-provided CVSS scores and independent analysis, noting that severity ratings may vary significantly between sources.
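The following script is an added example, not code from the article or from Socket, that puts the hunting hypothesis and the recommendations above into one runnable check: it reads a batch of CVE records in the NVD API 2.0 JSON layout (cve.id, cve.vulnStatus, cve.metrics.cvssMetricV31[], cve.configurations[]), reports which records arrived without CPE configurations or CVSS metrics, flags records where the NVD score and the CNA score land in different CVSS severity ratings, and orders the batch so that CISA KEV entries come first regardless of score. The four CVE identifiers, their scores, the "Not Scheduled" status string, and the KEV membership set are all constructed for the example; the NVD 2.0 field layout and the nvd@nist.gov source tag are assumptions drawn from the public schema rather than anything the article states, and "conflict" is defined here as a difference in qualitative rating, which may not match the 25.4% figure's definition.

```python
"""Audit NVD-style CVE records for missing enrichment (no CPE, no CVSS) and
rank them by exploitation evidence (KEV) rather than NVD-only metadata.

Record layout follows the NVD API 2.0 JSON schema; every record, ID, score
and the KEV set below are constructed for this example only.
"""
import json

NVD_SOURCE = "nvd@nist.gov"  # source tag NVD puts on its own CVSS entries (assumed)

# Constructed sample feed: four hypothetical CVEs in NVD API 2.0 shape.
SAMPLE_NVD_JSON = json.dumps({"vulnerabilities": [
    {"cve": {"id": "CVE-2099-0001", "vulnStatus": "Analyzed",
             "metrics": {"cvssMetricV31": [
                 {"source": NVD_SOURCE, "type": "Primary",
                  "cvssData": {"baseScore": 9.8}},
                 {"source": "cna@example.org", "type": "Secondary",
                  "cvssData": {"baseScore": 6.5}}]},
             "configurations": [{"nodes": [{"cpeMatch": [
                 {"criteria": "cpe:2.3:a:example:app:1.0:*:*:*:*:*:*:*"}]}]}]}},
    {"cve": {"id": "CVE-2099-0002", "vulnStatus": "Not Scheduled",
             "metrics": {"cvssMetricV31": [
                 {"source": "cna@example.org", "type": "Primary",
                  "cvssData": {"baseScore": 7.5}}]},
             "configurations": []}},                      # CNA score, no CPE
    {"cve": {"id": "CVE-2099-0003", "vulnStatus": "Not Scheduled",
             "metrics": {}, "configurations": []}},       # nothing at all
    {"cve": {"id": "CVE-2099-0004", "vulnStatus": "Analyzed",
             "metrics": {"cvssMetricV31": [
                 {"source": NVD_SOURCE, "type": "Primary",
                  "cvssData": {"baseScore": 5.3}}]},
             "configurations": [{"nodes": [{"cpeMatch": [
                 {"criteria": "cpe:2.3:a:example:lib:2.1:*:*:*:*:*:*:*"}]}]}]}},
]})

# Constructed stand-in for the CISA KEV catalogue; a real pipeline would load the feed.
SAMPLE_KEV_IDS = {"CVE-2099-0003"}


def severity_bucket(score):
    """Map a CVSS v3 base score to its qualitative rating (CVSS v3.x table)."""
    if score is None:
        return None
    if score == 0.0:
        return "NONE"
    if score < 4.0:
        return "LOW"
    if score < 7.0:
        return "MEDIUM"
    if score < 9.0:
        return "HIGH"
    return "CRITICAL"


def split_scores(cve):
    """Return (nvd_score, cna_score). Keyed on the source tag, not Primary /
    Secondary, because a CNA entry may now be the only (Primary) score."""
    nvd = cna = None
    for m in cve.get("metrics", {}).get("cvssMetricV31", []):
        if m.get("source") == NVD_SOURCE:
            nvd = m["cvssData"]["baseScore"]
        elif cna is None:
            cna = m["cvssData"]["baseScore"]
    return nvd, cna


def assess(cve, kev_ids):
    """Summarise one record: enrichment present, NVD/CNA disagreement, triage tier."""
    nvd, cna = split_scores(cve)
    has_cpe = any(n.get("cpeMatch")
                  for c in cve.get("configurations", []) for n in c.get("nodes", []))
    conflict = (nvd is not None and cna is not None
                and severity_bucket(nvd) != severity_bucket(cna))
    best = max((s for s in (nvd, cna) if s is not None), default=None)
    if cve["id"] in kev_ids:
        tier = 1  # actively exploited: first, whatever the score or CPE state
    elif best is not None and severity_bucket(best) in ("CRITICAL", "HIGH"):
        tier = 2
    elif best is None:
        tier = 3  # unscored: kept above low/medium so it is triaged, not dropped
    else:
        tier = 4
    return {"id": cve["id"], "status": cve.get("vulnStatus"), "nvd_score": nvd,
            "cna_score": cna, "has_cpe": has_cpe, "conflict": conflict,
            "in_kev": cve["id"] in kev_ids, "tier": tier}


def audit(nvd_json, kev_ids):
    """Parse an NVD 2.0 response and return assessments sorted by triage tier."""
    records = [v["cve"] for v in json.loads(nvd_json)["vulnerabilities"]]
    return sorted((assess(c, kev_ids) for c in records),
                  key=lambda r: (r["tier"], r["id"]))


def enrichment_gaps(results):
    """IDs a CPE-matching scanner would silently skip: no CPE configuration."""
    return [r["id"] for r in results if not r["has_cpe"]]


def score_conflicts(results):
    """IDs whose NVD and CNA scores fall into different severity ratings."""
    return [r["id"] for r in results if r["conflict"]]
```

Run against a real NVD 2.0 response, `enrichment_gaps` gives the records a CPE-driven scanner will never match (the hypothesis in the hunting table), `score_conflicts` gives the records where patch teams will see different severities depending on which source their tool reads, and the tier ordering keeps KEV entries and unscored records from sinking below medium-severity CVEs that happen to have full NVD metadata.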