Importantly, NIST has committed to prioritizing any pre-2018 CVEs that are added to the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) catalog, regardless of their deferred status. Security experts recommend mapping older CVEs to a software bill of materials (SBOM) to identify at-risk libraries and components, especially for organizations maintaining legacy systems. Organizations should review their vulnerability management strategies to account for this change and consider implementing additional monitoring for older systems where these deferred CVEs might be present.

Ted Miracco, CEO of Approov, emphasized that older vulnerabilities often pose significant risks because they typically remain unpatched in legacy systems still in production, particularly in critical infrastructure, government, medical, and financial sectors.

CVEs marked as “Deferred” will display a banner on their CVE Detail Pages indicating this status, providing clear visibility into which records NIST is actively maintaining. This significant change affects approximately 94,000 CVEs, representing about 34% of all vulnerability records in the database. At points last year, the backlog reached 18,000 records as the institute struggled to keep pace with the growing volume of vulnerability reports. The change will be implemented over several nights and is intended to provide “additional clarity regarding which CVE records are prioritized”.

“This trend could catch organizations off guard, leaving them unprepared to address the new risks and exposures these re-emerging threats may introduce”.

“Should any new information clearly indicate that an update to the enrichment data for the CVE is appropriate, we will continue to prioritize those requests as time and resources allow,” the announcement stated.

Kaaviya is a Security Editor and fellow reporter with Cyber Security News. She covers various cybersecurity incidents happening in cyberspace.
This Cyber News was published on cybersecuritynews.com. Publication date: Tue, 08 Apr 2025 12:05:29 +0000