Government , Industry Specific , Security Operations

National Vulnerability Backlog Could Surge to 30,000 by 2025

New Analysis Reveals Growing Crisis for the National Vulnerability Database
National Vulnerability Backlog Could Surge to 30,000 by 2025
The National Vulnerability Database currently has a backlog of more than 16,000 unanalyzed flaws.

An overwhelming backlog of unanalyzed vulnerabilities at the National Institute of Standards and Technology threatens to extend into 2025 unless the agency dramatically accelerates its processing operations, a new analysis reveals.

See Also: The CIS Security Operations Center (SOC)

The National Vulnerability Database, which serves as the United States' official repository for common vulnerabilities and exposures, receives an average daily influx of more than 100 newly reported security flaws, according to a dashboard released Friday by the cybersecurity firm Fortress Information Security. NIST has meanwhile analyzed just over 30 new CVEs on average throughout 2024 and has a growing backlog of more than 16,000 vulnerabilities.

The database has been plagued by resource challenges and other constraints that hinder NIST's ability to clear the massive backlog of security risks, which could potentially affect major cybersecurity vendors such as CrowdStrike, Microsoft Defender and leading cloud security posture management tools such as Orca and Wiz (see: Experts Warn the NVD Backlog Is Reaching a Breaking Point). NIST unveiled a plan to restore the database in May, and it awarded an $865,657 contract to the Maryland-based cybersecurity firm Analygence for additional processing support to help clear the backlog "by the end of the fiscal year," which is Sept. 30.

Analysis from Fortress Information Security indicates the analysts would need to clear more than 217 vulnerabilities each day to clear the backlog and begin processing newly reported CVEs - far more than the daily average under current processing capacity. The firm estimates the backlog could surge to nearly 30,000 unanalyzed flaws by the end of 2024 if NIST fails to ramp up its analysis rate.

NIST blamed "a variety of factors" for the backlog in late April. In a notice to its website, it attributed its slow processing rates to "an increase in software and, therefore, vulnerabilities, as well as a change in interagency support." The agency declined to provide further details at the time as to the apparent disruption in interagency support. NIST did not immediately respond to a request for comment on the continued growth of the backlog.

A spokesperson for NIST previously told Information Security Media Group the agency was coordinating with the Cybersecurity and Infrastructure Security Agency to add new, unanalyzed security flaws into the database while "working on ways to address the increasing volume of vulnerabilities through technology and process updates."

Experts have meanwhile called for automated processing of some vulnerabilities, as well as additional support from the private sector and federal agencies such as CISA, though NIST currently remains responsible for the primary analysis and management of the database.


About the Author

Chris Riotta

Chris Riotta

Managing Editor, GovInfoSecurity

Riotta is a journalist based in Washington, D.C. He earned his master's degree from the Columbia University Graduate School of Journalism, where he served as 2021 class president. His reporting has appeared in NBC News, Nextgov/FCW, Newsweek Magazine, The Independent and more.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.