93% of vulnerabilities remain unanalyzed by NVD since February

Cyber Balkans

The recent slowdown at the National Vulnerability Database (NVD) has left 93% of the vulnerabilities reported since NIST announced delays in February without analysis. The backlog has raised concerns among threat intelligence vendors and cybersecurity professionals about how patching efforts can be prioritized and about the overall security landscape.

A recent VulnCheck report provided an update on the vulnerability landscape following the disruptions to the NVD. NIST announced on Feb. 13 that it was working to establish a consortium to improve the NVD program, which led to temporary delays in vulnerability analysis. NIST stated that it is prioritizing the analysis of the most significant vulnerabilities and working with agency partners to bring on more support for vulnerability analysis.

VulnCheck’s report revealed that a significant number of unanalyzed vulnerabilities, including weaponized flaws with public proof-of-concept (PoC) exploits, remain unresolved. The report emphasized the critical role the NVD has played in helping organizations prioritize vulnerabilities for over 20 years by providing CVSS scoring and vendor accountability. However, there has been a debate over the effectiveness of the NVD’s current approach, with the report referring to the NVD’s future as “uncertain.”

The report highlighted that 12,720 new vulnerabilities have been added to the NVD since Feb. 12 but have not been analyzed or enriched with critical data to help security professionals determine the affected software. The backlog of unanalyzed vulnerabilities has raised concerns about the ability of organizations to address potential security risks effectively.

VulnCheck also addressed the impact of the delays on CISA’s Known Exploited Vulnerabilities (KEV) catalog, which federal agencies are required to mitigate. The report found that 50.8% of vulnerabilities added to the KEV catalog have not been reviewed by the NVD, affecting software such as Microsoft Windows, Adobe ColdFusion, ChatGPT, and WordPress.

Furthermore, the report highlighted the alarming number of weaponized vulnerabilities that remain unaddressed in the threat landscape. More than 55% of weaponized flaws were awaiting analysis as of Monday, with only 2.9% undergoing analysis. The report warned that delays in analyzing vulnerabilities with publicly available PoC exploits could give threat actors an upper hand in exploiting vulnerabilities for malicious purposes.
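The enrichment gap the report describes is visible in the data itself: an NVD record that is still awaiting or undergoing analysis lacks the NVD-assigned CVSS metrics and CPE configurations that let a team identify affected products, which is also why an unreviewed KEV entry is hard to act on. The following added example (not code from the article or from VulnCheck) shows how a defender can measure that gap in their own copy of the feed. It assumes the record shape of the NVD CVE API 2.0 (`vulnStatus`, `metrics`, `configurations`) and of the CISA KEV catalog JSON (`cveID`); the sample feed, the KEV sample and the CVE ids in them are constructed placeholders.

```python
"""Measure how much of an NVD feed is still waiting for enrichment.

Added example (not from the article or VulnCheck). It assumes the record
shape of the NVD CVE API 2.0, where every record carries a ``vulnStatus``
string and analyzed records additionally carry NVD-assigned ``metrics``
(CVSS) and ``configurations`` (CPE match criteria). The feed and KEV
samples below are constructed to show the shape; the CVE ids are
placeholders, not real vulnerabilities.
"""
from collections import Counter

# vulnStatus values that mean the NVD has finished its enrichment pass.
ANALYZED_STATES = {"Analyzed", "Modified"}

# Constructed feed in NVD API 2.0 shape (placeholder CVE ids).
SAMPLE_FEED = {
    "vulnerabilities": [
        {"cve": {
            "id": "CVE-0000-0001",
            "vulnStatus": "Analyzed",
            "metrics": {"cvssMetricV31": [{"type": "Primary",
                                           "cvssData": {"baseScore": 9.8}}]},
            "configurations": [{"nodes": [{"cpeMatch": [
                {"vulnerable": True,
                 "criteria": "cpe:2.3:a:example:app:1.0:*:*:*:*:*:*:*"}]}]}],
        }},
        {"cve": {"id": "CVE-0000-0002", "vulnStatus": "Awaiting Analysis"}},
        {"cve": {"id": "CVE-0000-0003", "vulnStatus": "Undergoing Analysis"}},
        # A CNA-supplied score is present, but the NVD has not analyzed the
        # record, so there are no CPE configurations to match assets against.
        {"cve": {
            "id": "CVE-0000-0004",
            "vulnStatus": "Awaiting Analysis",
            "metrics": {"cvssMetricV31": [{"type": "Secondary",
                                           "cvssData": {"baseScore": 7.5}}]},
        }},
    ]
}

# Constructed catalog in the CISA KEV JSON shape (placeholder CVE ids).
SAMPLE_KEV = {"vulnerabilities": [{"cveID": "CVE-0000-0001"},
                                  {"cveID": "CVE-0000-0002"}]}


def has_cvss(cve: dict) -> bool:
    """True if any CVSS metric list on the record is non-empty."""
    return any(cve.get("metrics", {}).values())


def has_cpe(cve: dict) -> bool:
    """True if at least one cpeMatch criterion is present."""
    for cfg in cve.get("configurations", []):
        for node in cfg.get("nodes", []):
            if node.get("cpeMatch"):
                return True
    return False


def is_enriched(cve: dict) -> bool:
    """A record is usable for prioritization only when the NVD has
    analyzed it and attached both a score and affected-product data."""
    return (cve.get("vulnStatus") in ANALYZED_STATES
            and has_cvss(cve) and has_cpe(cve))


def backlog_report(feed: dict) -> dict:
    """Summarize the feed: counts per vulnStatus, the unenriched ids and
    the backlog fraction (0.0 to 1.0)."""
    records = [item["cve"] for item in feed.get("vulnerabilities", [])]
    unenriched = [c["id"] for c in records if not is_enriched(c)]
    total = len(records)
    return {
        "total": total,
        "by_status": dict(Counter(c.get("vulnStatus", "Unknown") for c in records)),
        "unenriched": unenriched,
        "backlog_fraction": len(unenriched) / total if total else 0.0,
    }


def kev_unenriched(feed: dict, kev: dict) -> list:
    """KEV entries whose NVD record is still unenriched: flaws that must be
    mitigated but lack NVD scoring and affected-product data."""
    kev_ids = [v["cveID"] for v in kev.get("vulnerabilities", [])]
    by_id = {item["cve"]["id"]: item["cve"]
             for item in feed.get("vulnerabilities", [])}
    return [cid for cid in kev_ids
            if cid in by_id and not is_enriched(by_id[cid])]


if __name__ == "__main__":
    report = backlog_report(SAMPLE_FEED)
    print(f"{report['total']} records, {report['backlog_fraction']:.0%} unenriched")
    for status, n in sorted(report["by_status"].items()):
        print(f"  {status}: {n}")
    print("KEV entries without NVD enrichment:",
          kev_unenriched(SAMPLE_FEED, SAMPLE_KEV))
```

Run against a real feed, the report separates "Awaiting Analysis" from "Undergoing Analysis" the way the article's percentages do, and the KEV cross-check lists the mandated fixes for which the team will have to source CVSS and affected-product data from the vendor or CNA rather than from the NVD. Note that the fourth sample record shows why `vulnStatus` alone is the wrong test: a CNA-supplied score can be present while the record still has no CPE data to match against an asset inventory.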

VulnCheck called for coordination among the CVE program community to address the void created by the NVD’s delays. The vendor recommended automating the CVE enrichment process and prioritizing the analysis of every CVE submission to fill information gaps. The lack of communication from NIST about resolving the NVD’s issues has left the security community uncertain about the program’s future.

These concerns are compounded by recent reports showing an increase in zero-day vulnerabilities used in widespread attack campaigns. The surge in vulnerability exploitation in breaches has raised questions about the cybersecurity posture of enterprises of all sizes.

In conclusion, the backlog of unanalyzed vulnerabilities at the NVD has raised significant concerns among cybersecurity professionals and threat intelligence vendors. The impact of the delays on patching efforts and vulnerability prioritization underscores the need for coordinated efforts to address the backlog and ensure the security of critical systems and data. The future of the NVD remains uncertain, and industry stakeholders must work together to mitigate the risks posed by unanalyzed vulnerabilities in the threat landscape.
