Tag: CVE Program

  • Crisis in CVE Funding Sparks Urgent Rethink in Vulnerability Management

    A funding crisis involving the Common Vulnerabilities and Exposures (CVE) program has raised alarms within the cybersecurity community and prompted a critical re-evaluation of vulnerability management practices. The CVE program assigns a single common identifier to each publicly disclosed vulnerability, so that vendors, scanners and defenders can refer to the same flaw and organizations can prioritize and mitigate risk consistently. Recent events exposed how fragile that system is: the program's funding was about to lapse before the Cybersecurity and Infrastructure Security Agency (CISA) intervened with an 11-month extension.

    Despite this temporary fix, the longer-term prospects for the CVE program remain unclear. The funding scare also drew attention to the changing threat landscape: the number of disclosed vulnerabilities has surged, with over 40,000 CVEs published in 2024 alone. Security analysts argue that traditional prioritization methods, which rely heavily on CVSS scores, may no longer suffice against attackers who weaponize flaws within days of disclosure.

    Ferhat Dikbiyik of Black Kite expressed concerns that security teams must now adapt their approaches. “Traditional vulnerability management says: Patch the loudest alert,” he noted. “But that’s no match for ransomware gangs who weaponize a vulnerability days after disclosure.” The shift, according to Dikbiyik, should focus on real-world risk, considering questions such as exploitability and vendor exposure. This reflects a broader sentiment in the field, particularly following JPMorgan Chase’s assessment of flaws in the CVSS scoring system.

    Experts, including Haris Pylarinos from Hack The Box, advocate leveraging automation and AI technologies to enhance vulnerability triage processes, aiming for a proactive rather than reactive stance on security. Yet, cybersecurity leaders caution that organizations relying solely on CVSS metrics may find themselves unprepared for contemporary threats.

    As vulnerability management evolves, implementing robust patch management processes and maintaining comprehensive inventories of software and devices are critical. Rik Ferguson from Forescout emphasized the importance of understanding the operational context of vulnerabilities, particularly in complex environments like hospitals where precision in security is paramount. “If you are responsible for a hospital environment, you absolutely need to know which fridge stores the sandwiches and which one stores the blood or meds,” he explained.

    The incidents surrounding the CVE funding crisis serve as a clarion call for the cybersecurity community, underscoring the importance of adapting strategies to contend with an increasingly challenging threat landscape. As organizations strive for resilience, blending proven security fundamentals with active, real-time intelligence appears vital for effectively navigating the future of cybersecurity.

  • Cybersecurity Community Breathes a Sigh of Relief as CVE Database Funding Extended

    The cybersecurity sector was recently shaken to its core as announcements regarding the future of the Common Vulnerabilities and Exposures (CVE) database created a significant sense of uncertainty. Originally slated to go dark, the database, which serves as a cornerstone for global communication about cybersecurity vulnerabilities, will now continue to operate following an 11-month funding extension granted by the Cybersecurity and Infrastructure Security Agency (CISA). This last-minute reprieve was welcomed by many cybersecurity professionals who rely on the CVE as a critical resource in their everyday work.

    Mitre, which has overseen the CVE for 25 years, faced severe scrutiny as fears about the database’s discontinuation spread throughout the industry. “Losing the CVE would be akin to removing essential language from first responders’ communication,” remarked Keith Ibarguen, Senior Vice President of Engineering at Trustwave. This sentiment emphasizes the integral role the CVE plays in maintaining security across various sectors, bridging communication gaps and enabling a unified approach to vulnerability management.

    While the extension provides temporary relief, it has also ignited discussions about the future of the CVE system. Industry leaders are calling for a comprehensive plan that ensures long-term viability and resilience of the vulnerability database. The cybersecurity community, recognizing the CVE’s foundational importance, has begun actively engaging in dialogue regarding the establishment of a sustainable framework that will prevent such crises from occurring in the future.

    Experts have suggested that collaborative discussions between public and private sectors could pave the way for improved governance of the CVE system. As Keith Ibarguen pointed out, this is an opportune moment for stakeholders to organize and establish a robust and future-proof structure for managing cybersecurity vulnerabilities. The urgency of the situation is clear: timely action is required to ensure that the cybersecurity landscape is not left vulnerable, especially given the rapid evolution of cyber threats.

  • Future of CVE Program in Jeopardy: Cybersecurity Community Calls for Stability

    The Common Vulnerabilities and Exposures (CVE) Program, a vital resource for cybersecurity professionals, faces uncertainty as continued US government support comes into question. For 25 years, this program has provided a standard method for naming and cataloguing vulnerabilities, allowing defenders to communicate about and respond to real-world threats effectively.

    The uncertainty over continued federal funding has sparked concern throughout the security industry. Although an 11-month funding extension provides temporary relief, experts question the long-term stability of a program on which the global cybersecurity defense framework relies. The pressing issue is how the industry could remain prepared and aligned if this critical resource were to disappear.

    The CVE program also underpins training and readiness by supplying real-world scenarios for cybersecurity practice; in purple team exercises, for instance, a shared CVE vocabulary lets red and blue teams agree on exactly what was attacked and what was detected. Disruption to the program could leave defense strategies outdated and undermine the preparedness of cyber teams against evolving threats.

    The potential ripple effect across the cyber ecosystem could be significant, particularly for businesses in sensitive sectors such as healthcare, finance, and energy, where timely response to vulnerabilities is essential. Without the CVE system, cybersecurity efforts may become uncoordinated, exposing organizations to greater risks. Experts are calling for a stable governance model to safeguard the future of the program and are considering new alternatives as the need for consistent threat communication persists. The newly established CVE Foundation aims to ensure continued access to the CVE program in the years to come, symbolizing hope for a resilient future.

  • Exploitation of Vulnerabilities on the Rise: 159 CVEs Flagged in Q1 2025

    In the first quarter of 2025, a striking total of 159 Common Vulnerabilities and Exposures (CVEs) have been identified as actively exploited in the wild, marking an increase from the 151 CVEs reported in the previous quarter, according to a recent analysis by VulnCheck. The report highlights a concerning trend wherein 28.3% of these vulnerabilities were exploited within one day of their disclosure.

    This rapid exploitation translates to 45 security flaws being weaponized for real-world attacks within the crucial first 24 hours following their announcement. Furthermore, 14 other flaws were found to be exploited within a month, and another 45 vulnerabilities were reported to be abused within a year. Such statistics emphasize the urgent need for organizations to prioritize timely patching of vulnerabilities.
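    The two ideas running through these articles, ranking by evidence of exploitation and asset exposure rather than by CVSS alone (the shift Black Kite's Dikbiyik argues for above), and bucketing disclosure-to-exploitation time the way VulnCheck's quarterly figures do, are easy to show in code. The block below is an added example, not code from the articles, VulnCheck, Black Kite or CISA. The records are constructed, the IDs of the form CVE-0000-000N are placeholders rather than real CVE entries, and the `internet_exposed` field stands in for whatever asset-inventory context an organization actually has.

```python
"""Exploitation-aware CVE triage on constructed records.

Added example, not code from the articles, VulnCheck, Black Kite or CISA.
IDs of the form CVE-0000-000N are placeholders, not real CVE entries.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Vuln:
    cve_id: str                      # placeholder identifier (constructed)
    cvss: float                      # published CVSS base score
    disclosed: date                  # public disclosure date
    first_exploited: Optional[date]  # first public evidence of in-the-wild exploitation, None if none
    internet_exposed: bool           # asset context: is the affected system reachable from the internet?


def days_to_exploitation(v: Vuln) -> Optional[int]:
    """Days from disclosure to first exploitation evidence.

    None when no exploitation is known; negative when it was exploited before
    disclosure (a zero-day), which the first bucket below also captures.
    """
    if v.first_exploited is None:
        return None
    return (v.first_exploited - v.disclosed).days


def time_to_exploit_bucket(v: Vuln) -> str:
    """Bucket the way VulnCheck's quarterly report does: 1 day / 1 month / 1 year / later."""
    d = days_to_exploitation(v)
    if d is None:
        return "not known exploited"
    if d <= 1:
        return "within 1 day"
    if d <= 30:
        return "within 1 month"
    if d <= 365:
        return "within 1 year"
    return "after 1 year"


def bucket_counts(vulns: List[Vuln]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for v in vulns:
        b = time_to_exploit_bucket(v)
        counts[b] = counts.get(b, 0) + 1
    return counts


def share_exploited_within(vulns: List[Vuln], days: int) -> float:
    """Fraction of known-exploited entries whose first evidence came within `days` of disclosure."""
    deltas = [d for d in map(days_to_exploitation, vulns) if d is not None]
    if not deltas:
        return 0.0
    return sum(1 for d in deltas if d <= days) / len(deltas)


def rank_by_cvss(vulns: List[Vuln]) -> List[str]:
    """The 'patch the loudest alert' ordering: severity score only."""
    return [v.cve_id for v in sorted(vulns, key=lambda v: -v.cvss)]


def rank_by_risk(vulns: List[Vuln]) -> List[str]:
    """Exploitation evidence first, internet exposure second, CVSS only as the tiebreak."""
    def key(v: Vuln):
        # False sorts before True, so known-exploited and exposed entries come first.
        return (v.first_exploited is None, not v.internet_exposed, -v.cvss)
    return [v.cve_id for v in sorted(vulns, key=key)]


# Constructed sample backlog: five placeholder entries, not real CVEs.
SAMPLE: List[Vuln] = [
    Vuln("CVE-0000-0001", 9.8, date(2025, 1, 6), None, False),               # critical, internal, never seen exploited
    Vuln("CVE-0000-0002", 7.2, date(2025, 1, 14), date(2025, 1, 15), True),  # edge device, weaponised in a day
    Vuln("CVE-0000-0003", 8.1, date(2025, 2, 3), date(2025, 2, 20), True),   # exploited within a month
    Vuln("CVE-0000-0004", 6.5, date(2024, 3, 12), date(2025, 1, 9), False),  # exploited about ten months on
    Vuln("CVE-0000-0005", 9.1, date(2025, 3, 1), None, True),                # critical and exposed, no exploitation seen
]

if __name__ == "__main__":
    print("CVSS-only order :", rank_by_cvss(SAMPLE))
    print("Risk-based order:", rank_by_risk(SAMPLE))
    print("Time-to-exploit :", bucket_counts(SAMPLE))
    print(f"Exploited within a day: {share_exploited_within(SAMPLE, 1):.1%} of known-exploited")
```

    On the sample backlog the CVSS-only queue starts with the 9.8 that nobody has exploited, while the risk-based queue moves the three known-exploited entries to the top and leaves the unexploited 9.8 on an internal host last. In practice `first_exploited` would be populated from CISA's KEV catalog or a commercial feed and `internet_exposed` from the asset inventory the Forescout quote above insists on.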

    Most of the exploited vulnerabilities were in content management systems (CMSes), which accounted for 35, followed by network edge devices (29), operating systems (24), open source software (14) and server software (14). The most affected products during the quarter were Microsoft Windows with 15 exploited flaws, followed by Broadcom VMware (6), CyberPower PowerPanel (5), LiteSpeed Technologies (4) and TOTOLINK routers (4).

    VulnCheck also counted an average of 11.4 newly known-exploited vulnerabilities per week, roughly 53 per month. Over the same quarter the Cybersecurity and Infrastructure Security Agency (CISA) added 80 vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, only 12 of which had no prior public evidence of exploitation; in other words, most KEV additions already had public exploitation reporting before CISA listed them. The findings underscore the importance of proactive cybersecurity measures as the threat landscape continues to evolve.

    Verizon's newly released 2025 Data Breach Investigations Report found that exploitation of vulnerabilities as an initial access method grew 34% year over year and now accounts for 20% of breaches. Mandiant's data likewise showed exploits as the most frequently observed initial infection vector for the fifth consecutive year.

    While the share of intrusions that begin with exploitation of a vulnerability declined slightly compared with previous years, the data continue to underscore the critical need for vigilance within the cybersecurity community.

  • Future of CVE Program in Question Amid Funding Concerns

    The Common Vulnerabilities and Exposures (CVE) Program, an essential resource for identifying software vulnerabilities, faced a critical funding challenge earlier this week, raising alarms within the cybersecurity community. Established in 1999 and managed by the federal contractor Mitre, the program’s funding from the U.S. Department of Homeland Security was set to expire, leading to fears of disruption in vital security operations reliant on CVE data. Experts noted that effective bug coordination, national incident response, and various critical security tools could be jeopardized if the program ceased to function.

    Fortunately, the Cybersecurity and Infrastructure Security Agency (CISA), a part of DHS, intervened at the last moment by exercising a contract option that secures the program's funding for the next 11 months. Tod Beardsley, a CVE Program board member and VP of security research at runZero, expressed relief that an immediate crisis was avoided, stating, “we’re in no immediate danger, which is great.” This temporary funding arrangement allows Mitre to continue managing the CVE Program until early March 2026.

    Nevertheless, this situation highlights an underlying need for a long-term strategy regarding the governance and funding of the CVE Program. Experts suggest that transitioning to a more globally oriented, non-profit model may be the optimal solution, particularly as the number of assigned CVEs surged from 28,818 in 2023 to 40,009 in 2024. Chester Wisniewski, director of global field CTO program at Sophos, indicated that a shift away from a U.S.-centric management framework could provide numerous benefits for the international community.

    A newly formed CVE Foundation, established by key figures from the CVE board, aims to ensure a more distributed funding model for CVEs, enhancing the integrity, availability, and identification of vulnerabilities in a sustainable manner. In tandem with these efforts, other initiatives are emerging, including the EU’s cybersecurity agency ENISA establishing its own vulnerability database, and the introduction of the Global CVE Allocation System.

    As discussions unfold about the future of the CVE Program, the industry has a window of approximately 10 months to unite behind a new governance strategy that could restore stability and confidence within the cybersecurity landscape. Collective efforts will be crucial in supporting a program that has become indispensable for IT defenders worldwide as they work to maintain a robust security posture against evolving cyber threats.