Security experts claim the CVE Program isn’t up to scratch anymore — inaccurate scores and lengthy delays mean the system needs updated
CVE data is vital in combating emerging threats, yet inaccurate ratings and lengthy wait times are placing enterprises at risk
The world’s most widely used vulnerability index – the Common Vulnerabilities and Exposures (CVE) system – is failing, with scores often inaccurate and appearing too late.
According to research from DevSecOps firm Sonatype, of the 1,552 open source vulnerabilities disclosed in 2025, 64% lacked severity scores from the National Vulnerability Database (NVD).
Only 36% of open source CVEs had a CVSS score assigned by the NVD, while nearly half of all unscored vulnerabilities were rated ‘Critical’ or ‘High’ in severity.
Over this year, there's been a mean delay of more than six weeks between disclosure and NVD scoring, with some advisories taking up to 50 weeks.
This, researchers warned, is creating an operational bottleneck and placing enterprises globally at risk.
"In an era where exploit proofs-of-concept appear within hours and patches land within days, such lag times make 'official' data functionally irrelevant. By the time NVD assigns a score, attackers have already exploited and moved on," researchers noted.
CVE ratings are missing the mark
Meanwhile, Sonatype found the ratings themselves are often unreliable. Of the CVEs that were scored, fewer than one-in-five severity ratings were correct.
Sign up today and you will receive a free copy of our Future Focus 2026 report - the leading resource for IT decision-maker insight on priorities and investment areas in AI, security and more.
In 62% of cases, the severity of NVD scores was overstated, while 34% understated it. On top of that, 19,945 false positives and 156,474 false negatives were identified across CVE records, thereby wasting developer time and obscuring real threats.
Of the CVEs that changed severity category after Sonatype analysis, 83% moved to a lower category.
“The CVE program was never built for the scale and speed of modern, component-based software development. That has been the case with open source, and is even more true with AI,” said Brian Fox, CTO and co-founder of Sonatype.
“Vulnerability intelligence must shift from indexing what someone assigned yesterday, to delivering real-time insight into what’s actually running in your environment.
“CVE remains a shared language — but it can’t be the full story anymore. We need intelligence that is dynamic: version-aware, ecosystem-aware and ready at machine-speed.”
CVE data is vital in combating cyber crime
CVE data is fundamental to the vast majority of cybersecurity decisions. But in 2024, between February and May, NVD simply stopped scoring most new CVEs as it awaited contract renewal.
By May, 93% of new vulnerabilities and 50.8% of known exploited vulnerabilities were still waiting on analysis, according to research from VulnCheck. Since then, Sonatype said NVD has failed to return to its earlier levels of research output.
The researchers note that both NVD and the Mitre Corporation have made improvements to the system over the last eighteen months – but more needs to be done.
"With the current MITRE–US government contract set to expire in March 2026, the coming year marks a pivotal moment to reassess how the CVE program operates — and whether its next phase will modernize to meet the realities of today’s software ecosystem," they noted.
"This is the window to ask harder questions, test alternatives, and ensure the next iteration of vulnerability intelligence serves defenders, not legacy processes."
Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.
MORE FROM ITPRO
- Threat actors are exploiting flaws more quickly – here's what business leaders should do
- Patch management vs vulnerability management
- AI-generated code is now the cause of one-in-five breaches
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.
-
The NCSC wants to build an AI-powered 'Cyber Shield' to protect the UK from hackersNews The aim is to create a national, sovereign defence capability to protect government agencies and critical infrastructure
-
IBM targets data center efficiency gains with new z17 and LinuxONE offeringsNews Cost, data center footprint, and performance improvements are coming for IBM Z and LinuxONE customers
-
‘Every hour ransomware goes undetected drastically increases its potential blast radius’: Hackers are breaching networks and laying low for longer – and nearly half of firms don’t realize until data is stolenNews An ExtraHop survey found more intrusions are going undetected, leading to longer dwell times
-
OpenAI expands 'Daybreak' cyber program: New tools, partnerships, and a cyber-focused GPT-5.5 aim to help 'patch the world'News The company has added new tools, signed up partners, and released its GPT-5.5-Cyber model more widely
-
AI is shrinking attack windows, and it’s forcing a complete rethink of cyber resilience – here’s how organizations can prepareNews Commvault has urged companies to improve their business continuity and resilience plans in the face of flaws spotted by AI
-
Anthropic targets vulnerability detection gains with Claude Security public beta — here's what users can expectNews The Claude Mythos developer is aiming for a more limited approach to cyber tooling for public consumption
-
Researchers warn millions of RDP and VNC servers are wide open to exploitationNews Researchers at Forescout spotted millions of RDP and VNC servers exposed online
-
NIST is overhauling the National Vulnerability Database due to skyrocketing reports – experts worry it will ‘leave many CVEs on the table’News Drowning in CVEs, the NIST agency will now fully analyze only the most severe vulnerabilities
-
Brace yourselves for a vulnerability explosion, Forescout warnsNews AI advances are helping identify software flaws at record pace and scale, but that's not the good news some would think
-
Ubuntu vulnerability exposes enterprises to root escalation, complete system compromiseNews The high-severity Ubuntu vulnerability allows an unprivileged local attacker to escalate privileges through the interaction of two standard system components