NIST Stopped Scoring Most CVEs. The Signal You Actually Need Was Never in NVD.
NIST has significantly reduced its enrichment of CVEs in the National Vulnerability Database (NVD), limiting full analysis to a small subset of critical vulnerabilities. This policy change exposes organizations relying solely on NVD CVSS scores to significant blind spots, necessitating a shift toward threat intelligence-driven prioritization based on real-world weaponization and active exploitation.
Source: Recorded Future
What Happened
The National Vulnerability Database (NVD) run by NIST has stopped providing detailed scores and information for the vast majority of new software vulnerabilities. This affects any organization that relies on these scores to decide which software updates to apply first. Because attackers do not wait for official scores to start exploiting weaknesses, relying only on the NVD can leave companies exposed to active threats. Organizations should update their security programs to prioritize vulnerabilities based on real-world threat intelligence, such as whether a flaw is actively being used by hackers.
Key Takeaways
- NIST has drastically reduced NVD enrichment, focusing only on CISA KEV, federal software, or EO 14028 critical software.
- Industry estimates suggest 80-85% of future CVEs will lack CVSS scores and affected product mappings in the NVD.
- Relying solely on NVD for vulnerability prioritization creates a significant operational gap and exposure to risk.
- Effective prioritization should focus on the vulnerability weaponization lifecycle, such as active exploitation and verified PoC availability, rather than static CVSS scores.
Affected Systems
- Vulnerability Management Programs
- NVD-dependent workflows and scanners
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
No specific detection rules are provided as this article focuses on vulnerability management strategy and intelligence scoring.
Detection Engineering Assessment
- EDR Visibility: None. The article discusses vulnerability management policy and intelligence scoring, not endpoint behaviors.
- Network Visibility: None. No network indicators or behaviors are discussed.
- Detection Difficulty: N/A. This is a strategic intelligence piece rather than a technical detection guide.
Required Log Sources
- Vulnerability Scanner Logs
- Threat Intelligence Feeds
Control Gaps
- Over-reliance on NVD CVSS scores for patch prioritization
False Positive Assessment
- Low
Recommendations
Immediate Mitigation
- Verify against your organization's incident response runbook and team escalation paths before acting.
- Audit existing vulnerability management workflows to determine the extent of reliance on NVD-supplied CVSS scores.
Infrastructure Hardening
- Evaluate integrating external threat intelligence feeds to enrich vulnerability data beyond NVD capabilities.
- Consider shifting patch prioritization metrics to focus on the vulnerability weaponization lifecycle (e.g., active exploitation, PoC availability).
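The two recommendations above (auditing how much of the backlog depends on NVD-supplied CVSS, and re-ranking by weaponization lifecycle instead of static score) and the Key Takeaways they follow from can be shown in one small script. This is an added example, not code from the article or from Recorded Future; the CVE identifiers, assets and the three intel sets standing in for CISA KEV, a PoC tracker and an in-the-wild exploitation feed are all constructed placeholders, and the stage ordering (KEV > exploited in the wild > public PoC > no evidence) is an assumed policy, not one the article prescribes.

```python
"""Rank vulnerability findings by weaponization stage rather than by NVD
CVSS alone, and measure how much of a scan backlog has no NVD score.

Added example. Every CVE id, asset name and feed entry below is a
constructed placeholder, not real data."""
from dataclasses import dataclass
from enum import IntEnum
from typing import List, Optional


class Stage(IntEnum):
    """Weaponization lifecycle, ordered by urgency (higher = act sooner).
    Assumed ordering for this example, not taken from the article."""
    NO_EVIDENCE = 0
    POC_PUBLISHED = 1
    EXPLOITED_IN_WILD = 2
    KEV_LISTED = 3


@dataclass
class Finding:
    cve: str
    asset: str
    internet_facing: bool
    nvd_cvss: Optional[float]  # None when NVD has not enriched the CVE


# Constructed stand-ins for CISA KEV, a PoC tracker and an exploitation feed.
KEV_LIST = {"CVE-EXAMPLE-0001"}
POC_AVAILABLE = {"CVE-EXAMPLE-0001", "CVE-EXAMPLE-0002"}
EXPLOITED_IN_WILD = {"CVE-EXAMPLE-0003"}


def weaponization_stage(cve: str) -> Stage:
    """Map a CVE to the most advanced lifecycle stage any feed reports."""
    if cve in KEV_LIST:
        return Stage.KEV_LISTED
    if cve in EXPLOITED_IN_WILD:
        return Stage.EXPLOITED_IN_WILD
    if cve in POC_AVAILABLE:
        return Stage.POC_PUBLISHED
    return Stage.NO_EVIDENCE


def priority_key(f: Finding):
    """Sort key: stage first, then exposure, then CVSS as a tiebreaker.
    A missing NVD score counts as 0.0, so lack of enrichment never
    pushes a weaponized CVE below a merely high-scored one."""
    return (int(weaponization_stage(f.cve)), int(f.internet_facing), f.nvd_cvss or 0.0)


def prioritize(findings: List[Finding]) -> List[Finding]:
    return sorted(findings, key=priority_key, reverse=True)


def cvss_only_order(findings: List[Finding]) -> List[Finding]:
    """Baseline: what an NVD-only workflow produces. Unscored CVEs sink
    to the bottom of the queue regardless of real-world exploitation."""
    return sorted(findings, key=lambda f: f.nvd_cvss or 0.0, reverse=True)


def nvd_coverage_gap(findings: List[Finding]) -> float:
    """Fraction of findings with no NVD CVSS score: the reliance audit
    from the Immediate Mitigation step, as a single number to track."""
    if not findings:
        return 0.0
    missing = sum(1 for f in findings if f.nvd_cvss is None)
    return missing / len(findings)


# Constructed scan backlog.
SAMPLE_FINDINGS = [
    Finding("CVE-EXAMPLE-0001", "vpn-gw-01", True, None),     # in KEV, unscored by NVD
    Finding("CVE-EXAMPLE-0002", "build-srv-07", False, 7.5),  # public PoC, internal host
    Finding("CVE-EXAMPLE-0003", "web-edge-02", True, None),   # exploited in the wild, unscored
    Finding("CVE-EXAMPLE-0004", "db-core-01", False, 9.8),    # high CVSS, no weaponization evidence
]

if __name__ == "__main__":
    print(f"NVD coverage gap: {nvd_coverage_gap(SAMPLE_FINDINGS):.0%} of findings unscored")
    print("CVSS-only order:  ", [f.cve for f in cvss_only_order(SAMPLE_FINDINGS)])
    print("Intel-driven order:", [f.cve for f in prioritize(SAMPLE_FINDINGS)])
```

The contrast between the two orderings is the operational gap the article describes: the CVSS-only queue patches the unexploited 9.8 first and leaves the two unscored, actively weaponized CVEs on internet-facing hosts for last, while the intel-driven queue inverts that. Tracking `nvd_coverage_gap` over time gives a concrete measure of how exposed a workflow still is to the enrichment cutback.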
User Protection
- N/A
Security Awareness
- Educate vulnerability management and IT operations teams on the limitations of CVSS and the operational impact of the NVD enrichment reduction.
MITRE ATT&CK Mapping
- T1588.005 - Obtain Capabilities: Vulnerabilities
- T1588.006 - Obtain Capabilities: Exploits