NIST is overhauling the National Vulnerability Database due to skyrocketing reports – experts worry it will ‘leave many CVEs on the table’

Drowning in CVEs, NIST will now fully analyze only the highest-priority vulnerabilities

The US National Institute of Standards and Technology (NIST) is abandoning its effort to analyze every Common Vulnerabilities and Exposures (CVE) entry submitted to it, and will now fully analyze only the vulnerabilities that meet its new priority criteria.

Under the new triage-based approach, the agency will add details to, or 'enrich', only those CVEs that meet certain criteria. Enrichment is the analysis NIST layers on top of a raw CVE record: CVSS severity scores, CWE weakness classifications and CPE applicability statements naming the affected products. The rest will still be listed in the National Vulnerability Database (NVD), but won't automatically be enriched.

The move represents an admission that NIST simply can't cope with a surge in CVE submissions, which increased 263% between 2020 and 2025. Submissions during the first three months of this year were nearly one-third higher than the same period last year.

"We enriched nearly 42,000 CVEs in 2025 — 45% more than any prior year. But this increased productivity is not enough to keep up with growing submissions," the agency said in an announcement.

The CVEs scheduled for enrichment include those listed in CISA's Known Exploited Vulnerabilities (KEV) Catalog, which NIST says it will enrich within one business day of receipt, along with CVEs affecting software used within the federal government and 'critical software' as defined by Executive Order 14028.

"While CVEs that do not meet these criteria may have a significant impact on affected systems, they generally do not present the same level of systemic risk as those in the prioritized categories," NIST said.

"That said, these criteria may not catch every potentially high-impact CVE. Therefore, users can request enrichment of any unscheduled CVEs by emailing us at nvd@nist.gov. We will review those requests and schedule the CVEs for enrichment as resources allow."

NIST NVD overhaul spells bad news

The move by NIST has sparked concerns within the cybersecurity industry over the visibility of potential threats.

Ian Gray, VP of intelligence at Flashpoint, noted that security teams globally have relied on the NVD to provide “context to support prioritization decisions”. The move to focus on certain vulnerabilities could create blind spots for enterprises, he warned.

"CVE submissions have grown 263% between 2020 and 2025, and NIST can no longer keep pace by enriching everything," he commented.

"The result is a widening gap between the volume of vulnerabilities being disclosed and the amount of context defenders have available to evaluate them. That gap doesn't disappear just because enrichment becomes more selective. Organizations will need additional intelligence to understand what actually matters most."

Shane Fry, chief technology officer at RunSafe Security, echoed Gray’s comments, adding that organizations will need to be more proactive in identifying vulnerabilities that affect them.

"NIST is drowning in vulnerabilities to enrich, but the new list for prioritization for enrichment is going to leave many CVEs on the table and radically increase the difficulty for businesses and software developers to keep their software patched," he said.

Fry said "vulnerability visibility is imperfect", but noted that organizations using a more diverse set of data sources will gain a more "reliable insight into vulnerabilities" that apply to their specific organization.

"More importantly, organizations need to assume unknown vulnerabilities already exist in their software and deploy protections that can prevent exploitation before a patch – or a CVE score – is ever available."
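The criteria NIST lists above and Fry's point about combining data sources both come down to one practical question for a security team: which of the CVEs in our inventory has NVD not enriched, and what do we do with those? The following is an added example (my own code, not NIST's, ITPro's or either quoted company's) that answers it offline. It assumes the record shapes of the NVD API 2.0 (`vulnerabilities[].cve` with `vulnStatus` and `metrics.cvssMetric*[]`, where NVD-authored metrics carry the source `nvd@nist.gov`) and of the CISA KEV catalog JSON (`vulnerabilities[].cveID`). The sample records are constructed, the `CVE-2099-*` identifiers are deliberately fictitious, and the action labels and the rule that a CNA-supplied score is only provisional are my own policy choices.

```python
"""Triage an NVD result set against KEV to find CVEs NVD will not enrich automatically.

Added example, not code from NIST or the article. Record shapes below follow the
NVD API 2.0 and the CISA KEV JSON as assumed in the lead-in; all data is constructed.
"""

NVD_SOURCE = "nvd@nist.gov"           # source string NVD puts on its own CVSS metrics
METRIC_KEYS = ("cvssMetricV40", "cvssMetricV31", "cvssMetricV30", "cvssMetricV2")

# Policy outcomes (my own labels, not NIST terminology).
ACTION_USE_NVD = "use NVD metrics"
ACTION_KEV = "in KEV: treat as exploited now; NVD enrichment expected within a business day"
ACTION_CNA_PROVISIONAL = "not enriched: use CNA score provisionally and verify locally"
ACTION_REQUEST = "not enriched, no score: assess locally or request enrichment from nvd@nist.gov"

# Constructed sample NVD API 2.0 response (fictitious CVE-2099-* IDs, not real data).
SAMPLE_NVD = {
    "vulnerabilities": [
        {"cve": {"id": "CVE-2099-0001", "vulnStatus": "Analyzed",
                 "metrics": {"cvssMetricV31": [
                     {"source": NVD_SOURCE, "type": "Primary",
                      "cvssData": {"baseScore": 9.8, "baseSeverity": "CRITICAL"}}]}}},
        {"cve": {"id": "CVE-2099-0002", "vulnStatus": "Awaiting Analysis",
                 "metrics": {"cvssMetricV31": [
                     {"source": "cna@example.test", "type": "Secondary",
                      "cvssData": {"baseScore": 7.5, "baseSeverity": "HIGH"}}]}}},
        {"cve": {"id": "CVE-2099-0003", "vulnStatus": "Awaiting Analysis", "metrics": {}}},
        {"cve": {"id": "CVE-2099-0004", "vulnStatus": "Received", "metrics": {}}},
    ]
}
# Constructed sample KEV catalog excerpt.
SAMPLE_KEV = {"vulnerabilities": [{"cveID": "CVE-2099-0004", "product": "Example"}]}


def kev_ids(kev_doc: dict) -> set[str]:
    """Set of CVE IDs present in a KEV catalog document."""
    return {v["cveID"] for v in kev_doc.get("vulnerabilities", [])}


def is_nvd_enriched(cve: dict) -> bool:
    """True when NVD itself has attached a CVSS metric (CNA-supplied scores do not count)."""
    return any(m.get("source") == NVD_SOURCE
               for key in METRIC_KEYS
               for m in cve.get("metrics", {}).get(key, []))


def best_metric(cve: dict):
    """Return (score, severity, source), preferring NVD-authored metrics, newest CVSS first."""
    nvd_entry = other_entry = None
    for key in METRIC_KEYS:
        for m in cve.get("metrics", {}).get(key, []):
            data = m["cvssData"]
            # CVSS v2 records keep baseSeverity on the metric, v3/v4 keep it in cvssData.
            entry = (data["baseScore"], m.get("baseSeverity") or data.get("baseSeverity"),
                     m.get("source", ""))
            if m.get("source") == NVD_SOURCE:
                nvd_entry = nvd_entry or entry
            else:
                other_entry = other_entry or entry
    return nvd_entry or other_entry


def triage(nvd_doc: dict, kev_doc: dict) -> list[dict]:
    """Classify each CVE: enriched, in KEV, best available score, and what to do about it."""
    kev = kev_ids(kev_doc)
    rows = []
    for item in nvd_doc["vulnerabilities"]:
        cve = item["cve"]
        cid = cve["id"]
        enriched = is_nvd_enriched(cve)
        metric = best_metric(cve)
        if enriched:
            action = ACTION_USE_NVD
        elif cid in kev:
            action = ACTION_KEV
        elif metric:
            action = ACTION_CNA_PROVISIONAL
        else:
            action = ACTION_REQUEST
        rows.append({"id": cid, "status": cve.get("vulnStatus"), "enriched": enriched,
                     "in_kev": cid in kev, "score": metric[0] if metric else None,
                     "action": action})
    return rows


def prioritized(nvd_doc: dict, kev_doc: dict) -> list[str]:
    """CVE IDs ordered KEV first, then by best available score, unscored last."""
    rows = triage(nvd_doc, kev_doc)
    rows.sort(key=lambda r: (0 if r["in_kev"] else 1,
                             -(r["score"] if r["score"] is not None else -1)))
    return [r["id"] for r in rows]


if __name__ == "__main__":
    for row in triage(SAMPLE_NVD, SAMPLE_KEV):
        print(f'{row["id"]}  status={row["status"]!r:<20} enriched={row["enriched"]!s:<5} '
              f'kev={row["in_kev"]!s:<5} score={row["score"]}  -> {row["action"]}')
    print("priority order:", prioritized(SAMPLE_NVD, SAMPLE_KEV))
```

In practice the two documents would come from the NVD API and the KEV catalog feed rather than the constructed samples; the point of the classification is that a missing NVD score is now a normal state rather than a transient one, so the pipeline has to say explicitly whether it is relying on a CNA score, waiting on a KEV-driven enrichment, or doing its own analysis.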


Emma Woollacott

Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.