The National Institute of Standards and Technology (NIST) has announced sweeping operational changes to the National Vulnerability Database (NVD), introducing a new risk-based prioritization model aimed at coping with an unprecedented rise in reported software vulnerabilities.
The move marks one of the most significant shifts in the history of the NVD, a critical resource used globally by governments, security vendors, enterprises, and researchers to track and assess cybersecurity weaknesses. Under the new policy, NIST will no longer immediately perform full enrichment analysis on every newly published Common Vulnerabilities and Exposures (CVE) entry. Instead, it will focus resources on vulnerabilities considered most likely to pose systemic or national security risk.
The change comes after years of escalating pressure on the federal program, which has struggled to keep pace with the accelerating number of software flaws disclosed each year.
Record Growth in CVEs Forces Strategic Shift
According to NIST, the number of submitted CVEs increased 263% between 2020 and 2025, reflecting the expanding digital ecosystem, broader vulnerability disclosure practices, growth in open-source software dependencies, and more aggressive security research worldwide.
That trend appears to be continuing in 2026. NIST said vulnerability submissions during the first quarter of the year were already nearly one-third higher than during the same period in 2025.
Even as disclosure volume exploded, the agency said it had significantly increased output. In 2025 alone, NIST enriched nearly 42,000 CVEs, a 45% increase over any previous year.
Still, officials acknowledged that manual and semi-manual workflows are no longer sufficient.
“This increased productivity is not enough to keep up with growing submissions,” NIST said in its announcement.
For cybersecurity defenders who rely on enriched NVD records for patch prioritization, the admission confirms what many in industry had already observed: vulnerability management systems built around historical disclosure volumes are being strained by scale.
What the NVD Actually Does
While many organizations track CVE IDs themselves, the NVD adds structured intelligence that makes those identifiers operationally useful.
Historically, NIST analysts enriched vulnerabilities by adding:
- Severity scores such as Common Vulnerability Scoring System (CVSS)
- Product and software version mappings
- Weakness classifications
- Impact metrics
- Searchable metadata for automation tools
- References for remediation and exploitation context
Security teams use this data to drive vulnerability scanners, risk dashboards, compliance systems, patching programs, and supply-chain security reviews.
Without enrichment, a CVE may exist publicly but offer less actionable context.
New Priority System: Which Vulnerabilities Come First
Effective immediately, NIST said it will prioritize enrichment for three categories of vulnerabilities:
1. Vulnerabilities Listed in CISA’s KEV Catalog: CVEs included in the Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities (KEV) Catalog will receive top priority.
These are flaws that have been confirmed as actively exploited in real-world attacks.
NIST said its target is to enrich these vulnerabilities within one business day of receipt.
2. Software Used by the Federal Government: Vulnerabilities affecting software deployed across U.S. government environments will also receive accelerated handling.
This reflects the federal government’s increasing emphasis on centralized vulnerability management and zero trust modernization.
3. Critical Software Defined Under Executive Order 14028: Products categorized as critical software under Executive Order 14028 — issued after major supply-chain incidents such as the SolarWinds breach — will remain a priority class.
That order sought stronger software security standards across the federal ecosystem.
Lower-Priority CVEs Will Still Be Published — But Not Enriched Immediately
NIST emphasized that all CVEs will still appear in the NVD. However, many will now carry a status of:
“Lowest Priority – not scheduled for immediate enrichment.”
This means vulnerabilities outside the priority categories may lack full metadata for some time, or indefinitely if resources do not permit enrichment.
For security teams, the practical effect could include:
- Delayed official severity scoring
- Missing product mappings
- Slower integration into some scanners and asset tools
- Greater dependence on vendor advisories and third-party feeds
- Increased need for internal triage processes
This reflects a broader industry reality: not every disclosed flaw creates equal risk.
NIST Ends Duplicate Severity Scoring
In another major procedural change, NIST said it will stop routinely issuing its own separate severity score when a CVE Numbering Authority (CNA) has already provided one.
CNAs include major vendors, open-source foundations, and authorized organizations that assign CVE IDs directly.
Previously, NIST often recalculated scores independently, creating occasional discrepancies between vendor and NVD assessments.
By stepping back from duplicate scoring, the agency hopes to conserve analyst time and reduce redundancy.
However, organizations accustomed to treating NVD scores as the authoritative benchmark may need to revisit workflows.
Modified CVEs Will No Longer Be Reanalyzed Automatically
NIST also said it is revising how it handles previously enriched vulnerabilities that are later updated.
Until now, modified CVEs were typically reanalyzed. Going forward, NIST will only revisit them when a change materially affects the existing enrichment data, such as:
- Newly discovered exploitation methods
- Expanded affected product ranges
- Major scoring changes
- Corrections to attack complexity or privileges required
Routine metadata edits may no longer trigger a full re-review.
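Organizations that mirror NVD records internally face the same question NIST is now asking: which updates to an already-triaged CVE deserve a second look? The following is an added example (not NIST's logic or any NVD tooling) of a change detector that flags the four material change types listed above and ignores routine edits such as a new reference URL. The record field names, the CVSS-vector handling, the score-delta threshold and all sample records are assumptions constructed for illustration.

```python
"""Decide whether an update to a locally stored CVE record warrants re-review.

Added example, not NIST's own process. Field names ("score", "vector",
"affected", "references", "exploited"), the 2.0 score-delta threshold and the
sample records below are assumptions constructed for this illustration.
"""

def parse_cvss_vector(vector: str) -> dict:
    """Split a CVSS v3.x vector string into a metric map, e.g. {'AV': 'N', 'AC': 'L', ...}."""
    parts = vector.split("/")
    if not parts[0].startswith("CVSS:"):
        raise ValueError("not a CVSS vector: " + vector)
    return dict(p.split(":", 1) for p in parts[1:])

# Metrics whose change is treated as material: attack complexity, privileges required.
MATERIAL_METRICS = ("AC", "PR")
SCORE_DELTA = 2.0  # assumed threshold for a "major" base-score change

def material_changes(old: dict, new: dict) -> list:
    """Return the list of material reasons a re-review is warranted (empty if none)."""
    reasons = []
    # 1. Expanded affected product ranges: new products not previously listed.
    if set(new.get("affected", [])) - set(old.get("affected", [])):
        reasons.append("affected products expanded")
    # 2. Major scoring change.
    if abs(new.get("score", 0.0) - old.get("score", 0.0)) >= SCORE_DELTA:
        reasons.append("major score change")
    # 3. Corrections to attack complexity or privileges required.
    if old.get("vector") and new.get("vector"):
        o, n = parse_cvss_vector(old["vector"]), parse_cvss_vector(new["vector"])
        for metric in MATERIAL_METRICS:
            if o.get(metric) != n.get(metric):
                reasons.append(f"{metric} changed {o.get(metric)}->{n.get(metric)}")
    # 4. Newly reported exploitation.
    if new.get("exploited") and not old.get("exploited"):
        reasons.append("exploitation reported")
    return reasons

def needs_rereview(old: dict, new: dict) -> bool:
    return bool(material_changes(old, new))

# Constructed sample records (not real vulnerabilities).
OLD = {
    "score": 7.5,
    "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
    "affected": ["widget 1.0"],
    "references": ["https://example.invalid/advisory-1"],
    "exploited": False,
}
# Routine edit: only a reference URL was added.
ROUTINE = dict(OLD, references=OLD["references"] + ["https://example.invalid/advisory-2"])
# Material edit: the affected range grew.
EXPANDED = dict(OLD, affected=["widget 1.0", "widget 2.0"])
# Material edit: privileges-required corrected from None to Low.
HARDER = dict(OLD, vector="CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N")

if __name__ == "__main__":
    for name, updated in (("routine", ROUTINE), ("expanded", EXPANDED), ("harder", HARDER)):
        print(name, needs_rereview(OLD, updated), material_changes(OLD, updated))
```

The reasons list, rather than a bare boolean, is what an analyst queue wants: it records why a record was reopened, which keeps re-review decisions auditable when the policy thresholds are later tuned.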
Existing Backlog Moves Into “Not Scheduled” Category
Perhaps the most consequential operational decision concerns the long-standing backlog of unenriched vulnerabilities.
NIST confirmed that CVEs published before March 1, 2026 that remain pending will be shifted into a “Not Scheduled” status unless they meet the new priority criteria.
The agency acknowledged that a significant backlog began forming in early 2024 and has not been fully cleared.
This formal reset suggests NIST is abandoning hopes of processing historical queues under the previous model.

Why Vulnerability Counts Are Rising So Fast
There are several structural reasons behind the surge in CVEs:
Expanding Software Supply Chains: Modern applications rely on thousands of open-source components, increasing discovery opportunities.
Better Security Research: Bug bounty programs, automated code analysis, and coordinated disclosure have expanded dramatically.
More CNA Participation: Additional vendors can now issue CVEs directly, accelerating publication rates.
Regulatory Pressure: Governments increasingly require disclosure transparency.
Cloud and OT Growth: Industrial systems, SaaS platforms, APIs, and embedded devices have broadened the attack surface.
The result is a vulnerability ecosystem producing data at a pace traditional review models struggle to absorb.
What This Means for Enterprises
Security leaders may need to adapt quickly.
Organizations that depended heavily on NVD enrichment should consider supplementing with:
- Vendor advisories
- Threat intelligence feeds
- Exploit telemetry
- EPSS-style probability models
- Asset criticality scoring
- Compensating controls analysis
In practical terms, vulnerability management is shifting from “patch everything rated high” toward contextual risk management.
That mirrors the philosophy behind NIST’s own new approach.
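To make the shift concrete, here is an added example (not NIST's or any vendor's code) of an internal triage routine that does not depend on NVD enrichment being present: it falls back to the CNA's score, puts KEV-listed flaws first, uses an EPSS-style probability and asset criticality for the rest, and explicitly flags records with no usable signal for manual review. The record fields, the status string, the tier thresholds and the sample CVE IDs are assumptions constructed for illustration; the real NVD status vocabulary and any organization's thresholds will differ.

```python
"""Contextual triage for CVEs the NVD has not (yet) enriched.

Added example, not NIST's or the NVD's code. Record fields, the status string,
the tier thresholds and the sample records are assumptions constructed for
this illustration (the CVE IDs are fake).
"""
from dataclasses import dataclass
from typing import List, Optional

# Assumed status text echoing the announcement's wording; the real NVD status field may differ.
NOT_SCHEDULED = "Lowest Priority - not scheduled for immediate enrichment"

@dataclass
class CveRecord:
    cve_id: str
    nvd_status: str
    nvd_cvss: Optional[float] = None    # NVD-assigned base score, if enriched
    cna_cvss: Optional[float] = None    # score supplied by the CNA, if any
    in_kev: bool = False                # listed in CISA's KEV catalog
    epss: Optional[float] = None        # exploitation probability from an EPSS-style feed
    asset_criticality: str = "low"      # internal rating: low / medium / high / critical

def effective_cvss(rec: CveRecord) -> Optional[float]:
    """Prefer the NVD score; fall back to the CNA score; None if neither exists."""
    return rec.nvd_cvss if rec.nvd_cvss is not None else rec.cna_cvss

def triage(rec: CveRecord, epss_threshold: float = 0.1) -> str:
    """Assign a priority tier from exploitation evidence and asset context, not NVD status alone."""
    score = effective_cvss(rec)
    critical_asset = rec.asset_criticality in ("high", "critical")
    if rec.in_kev:
        return "P1"      # confirmed exploited: first regardless of score
    if rec.epss is not None and rec.epss >= epss_threshold:
        return "P2"      # high predicted exploitation probability
    if score is not None and score >= 9.0 and critical_asset:
        return "P2"      # critical flaw on a critical asset
    if score is None and rec.epss is None:
        return "REVIEW"  # no usable signal: needs human triage rather than silent deferral
    if score is not None and score >= 7.0:
        return "P3"
    return "P4"

TIER_ORDER = {"P1": 0, "P2": 1, "REVIEW": 2, "P3": 3, "P4": 4}

def prioritize(records: List[CveRecord]) -> List[CveRecord]:
    """Stable sort by tier so equally ranked records keep their feed order."""
    return sorted(records, key=lambda r: TIER_ORDER[triage(r)])

def unenriched(records: List[CveRecord]) -> List[str]:
    """IDs whose severity came from somewhere other than the NVD (for feed-dependency reporting)."""
    return [r.cve_id for r in records if r.nvd_cvss is None]

# Constructed sample feed (fake CVE IDs, invented scores).
SAMPLE = [
    CveRecord("CVE-0000-0001", NOT_SCHEDULED, cna_cvss=9.8, epss=0.02, asset_criticality="critical"),
    CveRecord("CVE-0000-0002", NOT_SCHEDULED, cna_cvss=5.3, in_kev=True),
    CveRecord("CVE-0000-0003", NOT_SCHEDULED),                       # no score, no EPSS
    CveRecord("CVE-0000-0004", "Analyzed", nvd_cvss=7.5, cna_cvss=7.5, epss=0.01),
    CveRecord("CVE-0000-0005", NOT_SCHEDULED, cna_cvss=4.0, epss=0.5),
]

if __name__ == "__main__":
    for rec in prioritize(SAMPLE):
        print(triage(rec), rec.cve_id, rec.nvd_status)
    print("severity not from NVD:", unenriched(SAMPLE))
```

Two design points matter here. A KEV listing outranks any score, including a low CNA score, because observed exploitation is the strongest evidence available. And a record with neither a score nor an exploitation estimate is surfaced as REVIEW rather than sinking to the bottom, which is the failure mode the new "not scheduled" status would otherwise introduce into scanner-driven queues.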
Broader Implications for National Cybersecurity
The NVD has long been considered foundational infrastructure for the cybersecurity ecosystem. Countless commercial and open-source products ingest its data automatically.
Any slowdown or change in coverage therefore affects:
- Federal agencies
- Managed security providers
- Compliance teams
- Critical infrastructure operators
- Software vendors
- Security researchers
Still, many experts argue prioritization is preferable to overextension.
Publishing lower-quality or severely delayed records for all vulnerabilities may be less useful than rapidly processing the subset attackers are actually exploiting.
Automation Likely the Next Phase
NIST said the shift will allow resources to be redirected toward “automated systems and workflow enhancements” needed for long-term sustainability.
That likely signals increased use of:
- AI-assisted vulnerability classification
- Automated CVSS scoring support
- Structured vendor data ingestion
- Machine-readable exploit intelligence
- Dynamic prioritization systems
If successful, those improvements could modernize how public vulnerability intelligence is maintained.
NIST’s Core Message
Despite the operational reset, NIST stressed that it remains committed to maintaining the NVD as a free and reliable public resource.
The agency described the changes as necessary to preserve the database’s long-term viability amid unprecedented demand.
For the cybersecurity sector, the message is clear: the age of manually enriching every disclosed vulnerability may be ending, replaced by a model centered on risk, exploitation, and criticality.
That transition may reshape how defenders worldwide decide what to patch first.