The world’s most widely used vulnerability index – the Common Vulnerabilities and Exposures (CVE) system – is failing, with scores often inaccurate and appearing too late.
According to research from DevSecOps firm Sonatype, of the 1,552 open source vulnerabilities disclosed in 2025, 64% lacked severity scores from the National Vulnerability Database (NVD).
Only 36% of open source CVEs had a CVSS score assigned by the NVD, while nearly half of all unscored vulnerabilities were rated ‘Critical’ or ‘High’ in severity.
Over this year, there's been a mean delay of more than six weeks between disclosure and NVD scoring, with some advisories taking up to 50 weeks.
This, researchers warned, is creating an operational bottleneck and placing enterprises globally at risk.
"In an era where exploit proofs-of-concept appear within hours and patches land within days, such lag times make 'official' data functionally irrelevant. By the time NVD assigns a score, attackers have already exploited and moved on," researchers noted.
CVE ratings are missing the mark
Meanwhile, Sonatype found the ratings themselves are often unreliable. Of the CVEs that were scored, fewer than one-in-five severity ratings were correct.
In 62% of cases, the severity of NVD scores was overstated, while 34% understated it. On top of that, 19,945 false positives and 156,474 false negatives were identified across CVE records, thereby wasting developer time and obscuring real threats.
Of the CVEs that changed severity category after Sonatype analysis, 83% moved to a lower category.
“The CVE program was never built for the scale and speed of modern, component-based software development. That has been the case with open source, and is even more true with AI,” said Brian Fox, CTO and co-founder of Sonatype.
“Vulnerability intelligence must shift from indexing what someone assigned yesterday, to delivering real-time insight into what’s actually running in your environment.
“CVE remains a shared language — but it can’t be the full story anymore. We need intelligence that is dynamic: version-aware, ecosystem-aware and ready at machine-speed.”
CVE data is vital in combating cyber crime
CVE data is fundamental to the vast majority of cybersecurity decisions. But in 2024, between February and May, NVD simply stopped scoring most new CVEs as it awaited contract renewal.
By May, 93% of new vulnerabilities and 50.8% of known exploited vulnerabilities were still waiting on analysis, according to research from VulnCheck. Since then, Sonatype said NVD has failed to return to its earlier levels of research output.
The researchers note that both NVD and the Mitre Corporation have made improvements to the system over the last eighteen months – but more needs to be done.
"With the current MITRE–US government contract set to expire in March 2026, the coming year marks a pivotal moment to reassess how the CVE program operates — and whether its next phase will modernize to meet the realities of today’s software ecosystem," they noted.
"This is the window to ask harder questions, test alternatives, and ensure the next iteration of vulnerability intelligence serves defenders, not legacy processes."
Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.
MORE FROM ITPRO
- Threat actors are exploiting flaws more quickly – here's what business leaders should do
- Patch management vs vulnerability management
- AI-generated code is now the cause of one-in-five breaches
-
IBM’s Confluent acquisition will supercharge its AI credentialsAnalysis IBM described Confluent as a “natural fit” for its hybrid cloud and AI strategy, enabling “end-to-end integration of applications, analytics, data systems and AI agents”.
-
AWS' no-nonsense reputation could pay dividends with agentic AIOpinion While AWS has jumped on the agentic AI hype train, its reputation as a no-nonsense, reliable cloud provider will pay dividends
-
NCSC issues urgent warning over growing AI prompt injection risks – here’s what you need to knowNews Many organizations see prompt injection as just another version of SQL injection - but this is a mistake
-
Chinese hackers are using ‘stealthy and resilient’ Brickstorm malware to target VMware servers and hide in networks for months at a timeNews Organizations, particularly in the critical infrastructure, government services, and facilities and IT sectors, need to be wary of Brickstorm
-
AWS CISO Amy Herzog thinks AI agents will be a ‘boon’ for cyber professionals — and teams at Amazon are already seeing huge gainsNews AWS CISO Amy Herzog thinks AI agents will be a ‘boon’ for cyber professionals, and the company has already unlocked significant benefits from the technology internally.
-
The Scattered Lapsus$ Hunters group is targeting Zendesk customers – here’s what you need to knowNews The group appears to be infecting support and help-desk personnel with remote access trojans and other forms of malware
-
Impact of Asahi cyber attack laid bare as company confirms 1.5 million customers exposedNews No ransom has been paid, said president and group CEO Atsushi Katsuki, and the company is restoring its systems
-
If you're not taking insider threats seriously, then the CrowdStrike incident should be a big wake up callNews CrowdStrike has admitted an insider took screenshots of systems and shared them with hackers, and experts say it should serve as a wake up call for enterprises globally.
-
Shai-Hulud malware is back with a vengeance and has hit more than 19,000 GitHub repositories so far — here's what developers need to knowNews The malware has compromised more than 700 widely-used npm packages, and is spreading fast
-
The US, UK, and Australia just imposed sanctions on a Russian cyber crime group – 'we are exposing their dark networks and going after those responsible'News Media Land offers 'bulletproof' hosting services used for ransomware and DDoS attacks around the world
