CVE funding crisis offers chance for vulnerability remediation rethink

A recent funding crisis involving the Common Vulnerabilities and Exposures (CVE) program sent a wave of panic through the cybersecurity community, raising questions among security professionals about how the potential dissolution of the program would impact their approaches to security triage.

The CVE program, which provides a publicly available archive of disclosed vulnerabilities, is highly trusted by security professionals for prioritizing and addressing vulnerabilities in their tech stacks.

Last month, the MITRE Corporation, which administers the program under contract to the US government’s Cybersecurity and Infrastructure Security Agency (CISA), announced that its funding had been pulled, an unprecedented crisis that was ultimately averted when an 11-month funding extension option was exercised by CISA.

That extension solved the immediate problem without resolving longer-term uncertainty about the future of the CVE program and its funding. As a result, enterprise approaches to security triage still need to be re-evaluated, and systems and processes potentially re-engineered.

Vulnerability surge

CVEs directly affect how defenders learn to detect, identify, and respond to vulnerabilities.

Last year (2024) marked a sharp increase in published vulnerabilities, with more than 40,000 CVEs disclosed, representing a 38% year-on-year increase, according to a recent study by cyber risk management platform firm Black Kite.

More than 20,000 vulnerabilities had a Common Vulnerability Scoring System (CVSS) score of 7.0 or higher, and over 4,400 were classified as critical (CVSS 9.0+).

However, CVSS scores alone fall short when attempting to gauge the threat posed by particular vulnerabilities.

Exploitability, vendor exposure, and supply chain interdependencies play a significant role in determining real-world risk, according to Black Kite’s Research & Intelligence Team (BRITE).

“Traditional vulnerability management says: Patch the loudest alert,” Ferhat Dikbiyik, chief research and intelligence officer of Black Kite, told CSO. “But that’s no match for ransomware gangs who weaponize a vulnerability days after disclosure and use your vendors to walk right in.”

Dikbiyik added: “You need three questions for every CVE: Can it be exploited? Is it exposed online? And how deep does it run in our supply chain? That’s the shift — from CVSS to real-world risk.”

The warning follows earlier security research from merchant bank JPMorganChase, which pointed to various flaws in the CVSS vulnerability scoring system.

For example, CVSS scores fail to account for contextual factors such as the environment in which a vulnerability exists or whether it has been actively exploited in the wild, the researchers told delegates at last year’s Black Hat Europe conference.

Automatic for the people

AI technologies could act as a temporary bridge for vulnerability triage — but not a replacement for a stable CVE system, according to experts consulted by CSO.

“Automation and AI-based tools can also enable real-time discovery of new vulnerabilities without over-relying on standard CVE timelines,” said Haris Pylarinos, founder and chief executive of cybersecurity training program Hack The Box. “Organizations that continue to be resilient are the ones that consider vulnerability management as an ongoing, multi-layered process underpinned by continuous threat exposure management — not a quick, single-source solution.”

Risk management

Rik Ferguson, vice president of security intelligence at cybersecurity vendor Forescout, warned that organizations relying principally or solely on the CVSS metric to prioritize their vulnerability remediation programs need to rethink their approach.

“Risk without context is just noise,” Ferguson told CSO. “Intelligence without relevance is just data.”

“Understanding third-party exposure is essential, but what’s often missing in these analyses is the operational context,” Ferguson added.

With so many vulnerabilities, assets, and suppliers in play, especially in environments that include OT, IoT, and medical devices, prioritization quickly becomes overwhelming.

Vulnerability management has moved far beyond managing Microsoft’s Patch Tuesday updates, penetrative software, and network device security updates. Businesses need to be concerned about accounting for software a vendor hasn’t patched in six months or the open-source component quietly sitting in production, for example.

Ferguson said enterprises need not only a software asset inventory but also knowledge of every device, its role, and its criticality to mission or operations.

“If you are responsible for a hospital environment for example, you absolutely need to know which fridge stores the sandwiches and which one stores the blood or meds,” Ferguson explained. “That’s the level of precision security teams need to move from awareness to action.”

Countermeasures

Hack The Box’s Pylarinos agreed that detailed oversight of the hardware and software running within an organisation is essential before applying robust patch management processes, which remain a dull headache that won’t go away.

Following best practices for network security design is also important because a foundationally secure architecture can reduce risk related to both known and unknown vulnerabilities. These best practices include measures such as strong network segmentation, least privilege access, and multi-factor authentication.

Pylarinos added: “There are several proactive steps that security teams can also take to mitigate vulnerabilities. If this news shows us anything, it’s the insecurity of relying solely on CVE data moving forward. CISA’s KEV [Known Exploited Vulnerabilities], vendor advisories, and private threat feeds, for example, can all be used to provide further context and a wider view of the vulnerability landscape.”
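An added example, not code from the article or from Black Kite or Hack The Box: a small Python triage ranker that applies Dikbiyik's three questions (exploitable, exposed, supply chain depth) and the KEV/threat-feed enrichment Pylarinos describes to a constructed set of findings. The CVE identifiers, the KEV and feed contents, and the weighting factors are all assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class Finding:
    cve: str
    cvss: float
    internet_exposed: bool   # Is it exposed online?
    supply_chain_depth: int  # 0 = own code, 1 = direct vendor, 2 = vendor's vendor ...

# Constructed stand-ins for CISA KEV and a private exploitation feed.
# The CVE ids below are placeholders, not real vulnerabilities.
KEV = {"CVE-0000-1111"}
EXPLOITATION_FEED = {"CVE-0000-1111", "CVE-0000-3333"}

def exploitable(f: Finding) -> bool:
    """Can it be exploited? True if any exploitation source lists the CVE."""
    return f.cve in KEV or f.cve in EXPLOITATION_FEED

def risk_score(f: Finding) -> float:
    """Contextual score: CVSS is the base, real-world signals multiply it.
    The multipliers are illustrative assumptions, not a published formula."""
    score = f.cvss
    if exploitable(f):
        score *= 2.0                          # known exploitation dominates severity
    if f.internet_exposed:
        score *= 1.5                          # reachable from the outside
    score *= 1.0 + 0.25 * f.supply_chain_depth  # deeper = slower to patch, wider blast radius
    return score

def triage(findings):
    """Return findings ordered most urgent first under the contextual score."""
    return sorted(findings, key=risk_score, reverse=True)

# Constructed sample: one 'critical' CVSS 9.8 with no exploitation or exposure,
# and a 7.5 that is in KEV, internet-facing and inherited from a direct vendor.
SAMPLE_FINDINGS = [
    Finding("CVE-0000-1111", 7.5, True, 1),
    Finding("CVE-0000-2222", 9.8, False, 0),
    Finding("CVE-0000-3333", 6.5, False, 2),
    Finding("CVE-0000-4444", 9.1, True, 0),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_FINDINGS):
        print(f"{f.cve}  cvss={f.cvss:<4} context_score={risk_score(f):.2f}")
```

Run as-is, the CVSS 9.8 finding lands at the bottom of the list while the KEV-listed 7.5 comes first, which is the CVSS-to-real-world-risk shift the article describes.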

Pairing solid security fundamentals with active, real-time intelligence is enterprise security’s best bet.

“The integration of live threat intelligence, threat-informed training, and investment in internal penetration testing and threat modelling provides security teams with a more comprehensive overview of current threat levels and better identification of vulnerabilities,” Pylarinos concluded.

Originally published by CSO Online.