Introduction
On April 2, 2025 [4] [8], the National Institute of Standards and Technology (NIST) announced a significant policy change regarding the management of Common Vulnerabilities and Exposures (CVEs). This change involves ceasing updates to CVEs published before January 1, 2018, unless they are part of the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) catalog [3] [6] [8] [9]. This decision aims to optimize resource allocation and improve the management of newer vulnerabilities.
Description
On April 2, 2025 [4] [8], the National Institute of Standards and Technology (NIST) announced that it would cease updates to all Common Vulnerabilities and Exposures (CVEs) published before January 1, 2018 [1] [8], designating them as “Deferred” in the National Vulnerability Database (NVD) [2] [3] [4] [5] [6] [7] [8] [9]. This classification indicates that NIST will not prioritize updates or initial enrichment data for these older CVEs unless they are included in the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) catalog [3] [9]. A banner will be displayed on the CVE Detail Pages to indicate their deferred status [2] [3] [9]. This change aims to optimize resources for newer vulnerabilities and clarify which CVEs are actively managed [10], affecting approximately one in three CVEs in the NVD [5] [9], totaling around 94,000 records.
The decision is a response to a significant backlog of 18,000 records, exacerbated by a surge in new submissions [2] that is projected to grow by 32% in 2024 and beyond. Following this announcement [9], the number of Deferred CVE entries surged to over 20,000 [9], with projections indicating that it could reach 100,000 [9]. It is important to clarify that this deferred status does not imply abandonment; NIST will continue to accept and review requests for metadata updates on these CVEs [4], prioritizing them as resources allow [4] [8].
Security teams are encouraged to reassess their vulnerability management strategies, inventory all software [5], and prioritize patching deferred vulnerabilities where feasible [6]. Organizations should also harden or segment outdated infrastructure and leverage real-time threat intelligence to detect potential exploitation attempts. While older CVEs will not receive regular updates [4], their criticality may change if new exploitation methods emerge [4], particularly if they are elevated to KEV status [4].
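The triage step described above (inventory the software, find the CVEs that fall under the pre-2018 deferral, and single out any that CISA lists in KEV) can be scripted against NVD and KEV data. The following is an added example written for this page, not code from the article, NIST or CISA. It assumes the record shapes of the NVD API 2.0 response (`cve.id`, `cve.published`, `cve.vulnStatus`) and the CISA KEV JSON feed (`vulnerabilities[].cveID`); the records and CVE ids embedded below are constructed placeholders, not real vulnerabilities, and a real run would load both feeds from disk or the published endpoints.

```python
"""Triage an asset inventory's CVE list against the NVD deferral rule.

Added example, not from the article or from NIST/CISA. Record shapes are
modelled on the NVD API 2.0 response (cve.id, cve.published, cve.vulnStatus)
and the CISA KEV JSON feed (vulnerabilities[].cveID). Every record and CVE id
below is a constructed placeholder, not a real vulnerability.
"""
from collections import Counter
from datetime import date

# Cut-off stated in the NIST announcement: CVEs published before 2018-01-01 are deferred
DEFERRAL_CUTOFF = date(2018, 1, 1)

# Constructed sample shaped like the "vulnerabilities" array of an NVD API 2.0 response.
NVD_SAMPLE = [
    {"cve": {"id": "CVE-2017-00001", "published": "2017-03-01T10:59:00.187", "vulnStatus": "Deferred"}},
    {"cve": {"id": "CVE-2016-00002", "published": "2016-11-20T14:30:00.000", "vulnStatus": "Analyzed"}},
    {"cve": {"id": "CVE-2024-00003", "published": "2024-06-05T08:15:00.000", "vulnStatus": "Analyzed"}},
    # pre-2018 but not yet relabelled: the date rule must still catch it
    {"cve": {"id": "CVE-2017-00005", "published": "2017-12-31T23:00:00.000", "vulnStatus": "Analyzed"}},
]

# Constructed sample shaped like the CISA KEV catalog feed.
KEV_SAMPLE = {"vulnerabilities": [{"cveID": "CVE-2016-00002"}]}


def kev_ids(kev_feed):
    """Set of CVE ids present in a KEV-shaped feed."""
    return {v["cveID"] for v in kev_feed.get("vulnerabilities", [])}


def published_date(cve_record):
    """NVD timestamps look like 2017-03-01T10:59:00.187; only the date part matters here."""
    return date.fromisoformat(cve_record["published"][:10])


def classify(cve_id, nvd_by_id, kev):
    """Bucket one CVE id for the patching queue."""
    rec = nvd_by_id.get(cve_id)
    if rec is None:
        return "unknown"          # not in our NVD snapshot: resolve before deciding
    if cve_id in kev:
        return "kev-priority"     # exploited in the wild; NIST keeps maintaining these, patch first
    if published_date(rec) < DEFERRAL_CUTOFF or rec.get("vulnStatus") == "Deferred":
        return "deferred-review"  # no further NVD enrichment coming: assess and patch manually
    return "active"               # still actively maintained in the NVD


def triage(inventory, nvd_records, kev_feed):
    """Map every CVE id in the inventory to its bucket."""
    nvd_by_id = {r["cve"]["id"]: r["cve"] for r in nvd_records}
    kev = kev_ids(kev_feed)
    return {cve_id: classify(cve_id, nvd_by_id, kev) for cve_id in inventory}


def summarize(buckets):
    """Count how many inventory CVEs landed in each bucket."""
    return dict(Counter(buckets.values()))


if __name__ == "__main__":
    # Constructed inventory: one id deliberately absent from the NVD sample
    inventory = ["CVE-2017-00001", "CVE-2016-00002", "CVE-2024-00003",
                 "CVE-2015-00004", "CVE-2017-00005"]
    result = triage(inventory, NVD_SAMPLE, KEV_SAMPLE)
    for cve_id, bucket in sorted(result.items(), key=lambda kv: kv[1]):
        print(f"{cve_id}: {bucket}")
    print(summarize(result))
```

The deferral test deliberately checks both the publication date and the `vulnStatus` field: the article notes that the NVD relabels records over time, so a pre-2018 CVE that still shows an older status is treated as deferred by date rather than waiting for the banner. KEV membership is checked before the date rule because the announcement exempts KEV entries from deferral, and those are the ones an exploitation-focused patch queue should see first.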
NIST has faced challenges in efficiently importing and enriching incoming data [6], contributing to the backlog [3]. To address these delays, NIST is exploring new systems and technologies [7], including artificial intelligence [3] [7], to improve processing efficiency [6]. The modernization of the NVD includes implementing machine learning technologies for automation [2], updating system APIs [2], and enhancing collaborations with Authorized Data Publishers (ADPs) to improve metadata quality [2]. Plans are also in place to retire legacy data feeds and adopt updated data formats [2], including CVSS v4.0 [2], to better manage the evolving threat landscape [2]. However, initial expectations to resolve the backlog by the end of fiscal year 2024 have been hindered by ongoing inefficiencies [3]. As submissions continue to rise [1], NIST is exploring innovative solutions to better manage the increasing volume of CVEs. Tim Mackey [1] [5], head of software supply chain risk at Black Duck [1] [5], emphasized that organizations should act on vulnerabilities marked as deferred [1], since neglecting them may indicate weaknesses in patch management or cybersecurity programs [1].
Conclusion
The decision by NIST to defer updates to older CVEs is a strategic move to address resource constraints and improve the management of newer vulnerabilities. Organizations must adapt by reassessing their vulnerability management strategies and ensuring that deferred vulnerabilities are not overlooked. The ongoing modernization efforts by NIST, including the adoption of advanced technologies, are crucial for handling the increasing volume of CVEs and maintaining an effective cybersecurity posture. As the threat landscape evolves, continuous vigilance and adaptation will be essential for organizations to mitigate potential risks associated with deferred vulnerabilities.
References
[1] https://www.computerweekly.com/news/366622153/NIST-calls-time-on-older-vulnerabilities-amid-surging-disclosures
[2] https://gbhackers.com/nist-declares-pre-2018-cves-will-be-labeled-as-deferred/
[3] https://cybermaterial.com/nist-marks-older-cves-as-deferred-in-nvd/
[4] https://cyberpress.org/nist-announces-status-change/
[5] https://insight.scmagazineuk.com/pre-2018-vulnerabilities-given-lower-priority
[6] https://www.infosecurity-magazine.com/news/nist-defers-pre-2018-cves/
[7] https://www.hendryadrian.com/nist-puts-pre-2018-cves-on-back-burner-as-it-works-to-clear-backlog/
[8] https://cybersecuritynews.com/nist-mark-cves-deferred/
[9] https://www.metacurity.com/musks-doge-is-spying-on-federal-employees-to-spot-disloyalty-sources/
[10] https://911cyber.app/april-08-2025-cyber-briefing/