
NIST says exploited vulnerability backlog cleared but end-of-year goal for full list unlikely

The federal agency that maintains the National Vulnerability Database said it has cleared its backlog of known-exploited vulnerabilities that had been sitting unanalyzed.

The National Institute of Standards and Technology (NIST) has faced backlash since it became clear earlier this year that thousands of critical vulnerabilities were not being analyzed or enriched since the agency announced cutbacks in February. Enrichment involves adding contextual data to an entry about a vulnerability in the National Vulnerability Database (NVD).

With help from the Cybersecurity and Infrastructure Security Agency (CISA) and several private sector companies, NIST said on Wednesday that it now has “a full team of analysts on board” and is “addressing all incoming CVEs as they are uploaded into our system.”

“In addition, we have addressed all Known Exploited Vulnerabilities (KEVs) that were in the backlog, and we are processing all new KEVs as they come in,” the agency said.

As of September 21, researchers at VulnCheck said 72.4% of the CVEs published since the February cutbacks, more than 18,000 entries, had yet to be fully analyzed, and 46.7% of the exploited vulnerabilities among them remained unanalyzed.

Despite the substantial progress, NIST said its previous goal of clearing the entire backlog of both exploited and unexploited bugs by the end of the year will not be met. 

CISA became the first Authorized Data Provider (ADP) earlier this year, allowing the agency to contribute information to vulnerability records on behalf of NIST. 

“However, our initial estimate of when we would clear the backlog was optimistic,” NIST said. “This is due to the fact that the data on backlogged CVEs that we are receiving from Authorized Data Providers (ADPs) are in a format that we are not currently able to efficiently import and enhance.

“To address this issue, we are developing new systems that will allow us to process incoming ADP data more efficiently.”

NIST did not respond to requests for comment about whether CISA is the only ADP. CISA is currently the only one listed on the CVE website.

Dozens of cybersecurity experts previously signed a letter in April addressed to Congress and Secretary of Commerce Gina Raimondo imploring them to fund and protect the NVD, calling it “critical infrastructure for a large variety of cybersecurity products.” 

Each listing in the database has information added about a vulnerability’s severity, the products it affects and more. Earlier this year, researchers found that of the 12,720 new vulnerabilities added since February, 11,885 were not “analyzed or enriched with critical data that help security professionals determine what software has been affected by a vulnerability.”
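A defender who wants to measure the backlog against their own feed, rather than rely on the VulnCheck percentages quoted above, can do so from the fields NIST itself publishes. The following is an added example written for this page; it is not code from the article, NIST, CISA or VulnCheck. It assumes the NVD API 2.0 record layout (`vulnerabilities[].cve.vulnStatus`, `cve.metrics`, `cve.configurations`) and the KEV catalog JSON layout (`vulnerabilities[].cveID`). Every record below is a constructed placeholder, the CVE IDs are illustrative only, and the "enriched" test (analysis finished, plus a CVSS score, plus CPE applicability data) is this example's own heuristic, not NIST's definition.

```python
"""Count unenriched CVEs in an NVD feed and flag those on CISA's KEV list.

Added example, not from the article. Record layouts follow the public NVD
API 2.0 response and the KEV catalog JSON; all data here is constructed.
"""
from collections import Counter

# vulnStatus values NIST assigns to records that have not completed analysis
# (assumption: the published status vocabulary as of the API 2.0 schema).
UNANALYZED_STATUSES = {"Received", "Awaiting Analysis", "Undergoing Analysis"}


def is_enriched(cve: dict) -> bool:
    """Heuristic (this example's own): analysis finished AND the record
    carries the data analysts add, i.e. a CVSS score under cve.metrics and
    CPE applicability data under cve.configurations."""
    if cve.get("vulnStatus") in UNANALYZED_STATUSES:
        return False
    metrics = cve.get("metrics") or {}
    has_cvss = any(metrics.get(k) for k in ("cvssMetricV31", "cvssMetricV30", "cvssMetricV2"))
    has_cpe = bool(cve.get("configurations"))
    return has_cvss and has_cpe


def backlog_report(nvd_feed: dict, kev_catalog: dict) -> dict:
    """Summarise how much of nvd_feed is unenriched and which of those CVEs
    are in the KEV catalog. Returns plain data so it can be asserted on."""
    kev_ids = {v["cveID"] for v in kev_catalog["vulnerabilities"]}
    cves = [entry["cve"] for entry in nvd_feed["vulnerabilities"]]
    unenriched = sorted(c["id"] for c in cves if not is_enriched(c))
    return {
        "total": len(cves),
        "unenriched": unenriched,
        "unenriched_pct": round(100 * len(unenriched) / len(cves), 1) if cves else 0.0,
        "kev_in_feed": sorted({c["id"] for c in cves} & kev_ids),
        "kev_unenriched": sorted(set(unenriched) & kev_ids),
        "status_counts": dict(Counter(c.get("vulnStatus", "Unknown") for c in cves)),
    }


# Constructed sample data. IDs, vendors and scores are placeholders.
SAMPLE_NVD_FEED = {
    "vulnerabilities": [
        {"cve": {"id": "CVE-2024-0001", "vulnStatus": "Analyzed",
                 "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov", "cvssData": {"baseScore": 9.8}}]},
                 "configurations": [{"nodes": [{"cpeMatch": [
                     {"criteria": "cpe:2.3:a:example:app:1.0:*:*:*:*:*:*:*", "vulnerable": True}]}]}]}},
        {"cve": {"id": "CVE-2024-0002", "vulnStatus": "Awaiting Analysis",
                 "metrics": {}, "configurations": []}},
        # A CNA supplied a CVSS score, but NIST has not analyzed it: no CPE data yet.
        {"cve": {"id": "CVE-2024-0003", "vulnStatus": "Awaiting Analysis",
                 "metrics": {"cvssMetricV31": [{"source": "cna@example.com", "cvssData": {"baseScore": 7.5}}]},
                 "configurations": []}},
        {"cve": {"id": "CVE-2024-0004", "vulnStatus": "Modified",
                 "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov", "cvssData": {"baseScore": 8.8}}]},
                 "configurations": [{"nodes": [{"cpeMatch": [
                     {"criteria": "cpe:2.3:o:example:os:2.1:*:*:*:*:*:*:*", "vulnerable": True}]}]}]}},
        {"cve": {"id": "CVE-2024-0005", "vulnStatus": "Undergoing Analysis",
                 "metrics": {}, "configurations": []}},
    ]
}

SAMPLE_KEV_CATALOG = {
    "vulnerabilities": [
        {"cveID": "CVE-2024-0002", "vendorProject": "Example", "product": "App"},
        {"cveID": "CVE-2024-0004", "vendorProject": "Example", "product": "OS"},
        {"cveID": "CVE-2024-9999", "vendorProject": "Example", "product": "Other"},  # not in this feed
    ]
}


if __name__ == "__main__":
    report = backlog_report(SAMPLE_NVD_FEED, SAMPLE_KEV_CATALOG)
    print(f"{report['unenriched_pct']}% of {report['total']} CVEs unenriched: {report['unenriched']}")
    print(f"KEV entries still unenriched: {report['kev_unenriched']}")
    print(f"Status breakdown: {report['status_counts']}")
```

On the constructed feed the report shows 3 of 5 records (60%) unenriched, one of which is on the KEV list; the third record is the case worth noticing, since a CNA-supplied CVSS score is present but the entry still has no CPE data and no NIST analysis, which is exactly what "not enriched" means in practice. To run this against real data, fetch the NVD API 2.0 results and the KEV catalog JSON and pass them in unchanged; the status vocabulary and the enrichment heuristic are the two assumptions to revisit if NIST changes the schema.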

Rob Joyce, the recently retired cybersecurity director for the National Security Agency, said in May that the backlog “is a significant risk” and means the cybersecurity industry now lacks understanding of the evolving attack surface. 

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.