Summary: The National Vulnerability Database (NVD) faces a significant backlog of over 16,000 unanalyzed vulnerabilities, which could escalate to nearly 30,000 by the end of 2024 if processing rates do not improve. Resource challenges and an influx of new security flaws are hindering the National Institute of Standards and Technology’s (NIST) ability to manage the database effectively.
Threat Actor: N/A | NIST
Victim: Cybersecurity Sector | National Vulnerability Database
Key Points:
- The NVD is receiving over 100 new security flaws daily, but NIST has analyzed only about 30 a day on average, leading to a growing backlog.
- NIST has contracted a cybersecurity firm to assist in clearing the backlog, but experts warn that automated processing and additional support may be necessary.
- NIST attributes the backlog to an increase in software vulnerabilities and a change in interagency support; the backlog could affect major cybersecurity vendors.
New Analysis Reveals Growing Crisis for the National Vulnerability Database

An overwhelming backlog of unanalyzed vulnerabilities at the National Institute of Standards and Technology threatens to extend into 2025 unless the agency dramatically accelerates its processing operations, a new analysis reveals.
The National Vulnerability Database, which serves as the United States’ official repository for common vulnerabilities and exposures, receives an average daily influx of more than 100 newly reported security flaws, according to a dashboard released Friday by the cybersecurity firm Fortress Information Security. NIST has meanwhile analyzed just over 30 new CVEs on average throughout 2024 and has a growing backlog of more than 16,000 vulnerabilities.
The database has been plagued by resource challenges and other constraints that hinder NIST’s ability to clear the massive backlog of security risks, which could potentially affect major cybersecurity vendors such as CrowdStrike, Microsoft Defender and leading cloud security posture management tools such as Orca and Wiz (see: Experts Warn the NVD Backlog Is Reaching a Breaking Point). NIST unveiled a plan to restore the database in May, and it awarded an $865,657 contract to the Maryland-based cybersecurity firm Analygence for additional processing support to help clear the backlog “by the end of the fiscal year,” which is Sept. 30.
Analysis from Fortress Information Security indicates the analysts would need to clear more than 217 vulnerabilities each day to clear the backlog and begin processing newly reported CVEs – far more than the daily average under current processing capacity. The firm estimates the backlog could surge to nearly 30,000 unanalyzed flaws by the end of 2024 if NIST fails to ramp up its analysis rate.
NIST blamed “a variety of factors” for the backlog in late April. In a notice on its website, it attributed its slow processing rates to “an increase in software and, therefore, vulnerabilities, as well as a change in interagency support.” The agency declined at the time to provide further details about the apparent disruption in interagency support. NIST did not immediately respond to a request for comment on the continued growth of the backlog.
A spokesperson for NIST previously told Information Security Media Group the agency was coordinating with the Cybersecurity and Infrastructure Security Agency to add new, unanalyzed security flaws into the database while “working on ways to address the increasing volume of vulnerabilities through technology and process updates.”
Experts have meanwhile called for automated processing of some vulnerabilities, as well as additional support from the private sector and federal agencies such as CISA, though NIST currently remains responsible for the primary analysis and management of the database.
Source: https://www.bankinfosecurity.com/national-vulnerability-backlog-could-surge-to-30000-by-2025-a-25866