The Vulnerability Data Crisis: Why You Can’t Trust Your Security Tools (And What to Do About It)


Nearly 70% of CVEs added to NVD between February and September 2024 were listed as “awaiting analysis,” leaving out crucial context such as affected products and CVSS scores and creating widespread delays and inaccuracies that hinder patching decisions. This backlog and persistent data quality issues have real-world impacts on vendors, security tools, and administrators, prompting organizations to turn to alternative sources such as OSV.dev, VulnCheck, vendor advisories, and Kandji Vulnerability Management for timely, accurate vulnerability intelligence.

Key points

  • NVD enrichment delays: Around 44% of CVEs added in the past year show “awaiting analysis” status, lacking affected product lists and CVSS scores.
  • Backlog causes: Processing delays began in early 2024 and are driven by scalability limitations and increased vulnerability volume.
  • Resource pressures: NIST faced staff shortages, internal restructuring, a ~12% budget cut, and uncertainty around the CVE program contract, with CISA stepping in temporarily to fund continuity.
  • Downstream impact: Vulnerability scanners, management tools, and security vendors that rely on NVD inherit incomplete or incorrect data, degrading automated workflows.
  • Operational risk: Incorrect NVD entries (e.g., CVE-2024-6604 and CVE-2025-6554) caused misdirected patching actions and multi-week exposure windows for affected systems.
  • Alternative sources: Organizations can use OSV.dev, VulnCheck, Vulnerability-Lookup, and direct vendor advisories (JetBrains, Mozilla, Microsoft) to supplement or verify NVD data.
  • Prioritization strategies: Use CISA’s KEV catalog and EPSS scores when CVSS or NVD context is missing, and adopt processes that aggregate multiple intelligence sources.

MITRE Techniques

  • [T1609] Resource Hijacking – NVD processing delays and backlog caused by staff shortages and budget cuts reduced the ability to enrich CVEs in a timely manner, effectively “starving” downstream consumers of critical data (“around 44% have an ‘awaiting analysis’ status”).
  • [T1598] Compromise Infrastructure – Incomplete or incorrect NVD records (e.g., wrong affected-version ranges for CVE-2024-6604) allowed vulnerable systems to remain unpatched, increasing exposure windows (“NVD’s ‘Known Affected Software Configurations’ section incorrectly listed… up to excluding 126.0”).
  • [T1602] Data Manipulation – Persistent inaccuracies in NVD entries (wrong version ranges and missing OS-specific details for CVE-2025-6554) altered defenders’ view of affected assets and influenced patch decisions (“took nearly 2 weeks for a re-analysis to add the crucial detail…”).

Indicators of Compromise

  • [CVE IDs] Examples of problematic records used as evidence – CVE-2024-6604, CVE-2025-6554
  • [Software Versions] Incorrect or missing affected-version details causing mispatching – Firefox up to excluding 126.0 (incorrect for CVE-2024-6604); Chrome versions 138.0.7204.96 (Windows) and 138.0.7204.92 (Mac/Linux) (initially missing)
  • [Data Status] NVD processing metadata indicating backlog – “awaiting analysis” status on ~44% of recent CVE entries

Read more: https://the-sequence.com/the-vulnerability-data-crisis