The NVD CVE Backlog Crisis: What the NIST Breakdown Means for Vulnerability Management
Threat Intelligence
NIST's National Vulnerability Database stopped enriching CVEs in February 2024 and struggled through 2025. The resulting backlog disrupted vulnerability management programmes globally. A practical guide to alternative intelligence sources and resilient vuln management.
By Arjun Raghavan, Security & Systems Lead, BIPI · August 9, 2025 · 10 min read
For decades, the National Vulnerability Database operated by NIST has been the authoritative, freely accessible source of CVE enrichment data: CVSS scores, CPE mappings identifying which products are affected, and CWE classifications. Vulnerability management programmes, scanners, SCA tools, and SIEM content pipelines all depend on NVD as their foundational data layer. In February 2024, NIST effectively stopped enriching new CVEs, and the backlog — unprocessed CVEs with no CVSS scores, no CPE mapping, no severity data — ballooned to over 93,000 entries by mid-2025.
The impact on enterprise vulnerability management has been significant but unevenly distributed. Organisations with sophisticated programmes that consume multiple threat intelligence feeds noticed the problem early and adapted. Organisations relying solely on NVD-fed scanner data found their risk prioritisation systematically broken: known-exploited vulnerabilities were appearing in scanner output with no severity score, getting deprioritised behind older CVEs with established CVSS scores.
Root Cause Analysis
NIST attributed the backlog to a combination of factors: a sharp increase in CVE publication volume, a contract transition affecting the third-party enrichment programme, and internal resourcing constraints exacerbated by federal hiring freezes. CISA stepped in with a supplemental funding mechanism, but restoration of full throughput was delayed repeatedly through 2024 and into 2025.
Impact on Vulnerability Management Programmes
- Scanner outputs show CVEs with no severity score, breaking risk-based prioritisation workflows
- Missing CPE mappings mean automated asset-to-vulnerability correlation fails for unenriched CVEs
- SCA tools that rely on NVD for package vulnerability data produce incomplete results for new CVEs
- SIEM content mapping CVE IDs to MITRE ATT&CK techniques breaks when CVE metadata is absent
- Compliance programmes requiring CVSS-based remediation SLAs cannot set timelines for unenriched vulnerabilities
- Patch management automation that gates on severity thresholds cannot prioritise unknown-severity CVEs
Alternative Intelligence Sources
The NVD crisis accelerated adoption of alternative CVE enrichment sources that security teams should now treat as primary rather than supplementary. CISA's Known Exploited Vulnerabilities catalogue is the most operationally important: it lists CVEs with confirmed exploitation in the wild, which is a stronger prioritisation signal than CVSS score regardless of NVD enrichment status.
- CISA KEV: over 1,100 CVEs confirmed exploited in the wild; treat as P0 remediation regardless of CVSS
- OSV (Open Source Vulnerabilities): Google-maintained, focuses on open-source packages with high CPE accuracy
- GitHub Advisory Database: accurate CPE data for GitHub-hosted projects, updated faster than NVD
- VulnCheck NVD++: commercial enrichment service filling NVD gaps with faster scoring and exploitation status
- Exploit-DB and Nuclei Templates: public exploit availability as a proxy for exploitability when CVSS is unavailable
- Vendor security advisories: Microsoft Patch Tuesday, Cisco PSIRT, Red Hat CVE pages provide CVSS before NVD
Resilient Vulnerability Management Architecture
The NVD crisis exposes a structural fragility: organisations that built vulnerability management pipelines with a single authoritative source inherit a single point of failure. Resilient architecture consumes multiple intelligence feeds, reconciles conflicts through a defined priority order, and falls back gracefully when any single source has gaps.
EPSS as a Complementary Signal
The Exploit Prediction Scoring System provides a probability score for a CVE being exploited in the wild within 30 days, independent of NVD enrichment. EPSS v3 achieves significantly better discrimination than CVSS alone: CVEs in the top 10% of EPSS scores account for over 85% of exploited vulnerabilities. During the NVD backlog period, EPSS scores are available from FIRST.org for most CVEs faster than NVD enrichment.
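The reconciliation architecture described above (multiple feeds, a defined priority order for each field, graceful fallback, KEV and EPSS as signals that do not depend on NVD enrichment) can be made concrete. The following Python is an added example, not BIPI's tooling or any vendor's API: every feed record is constructed inline, the CVE-0000-000x identifiers are placeholders rather than real vulnerabilities, and the EPSS escalation threshold is an assumption chosen for illustration. It contrasts an NVD-only severity gate, which sinks an unscored but KEV-listed CVE to the bottom, with a multi-signal gate that never lets an unenriched CVE fall below scored ones.

```python
"""Reconcile CVE enrichment across several feeds with a fixed priority order.

Added example, not BIPI's tooling. Every feed record below is constructed,
and the CVE-0000-000x identifiers are placeholders, not real vulnerabilities.
"""
from dataclasses import dataclass
from typing import Optional

# --- Constructed feed snapshots (stand-ins for NVD API, vendor advisory,
# --- CISA KEV and FIRST EPSS downloads) --------------------------------
NVD_CVSS = {            # None = sitting in the unenriched backlog
    "CVE-0000-0001": 9.8,
    "CVE-0000-0002": None,
    "CVE-0000-0003": 5.3,
    "CVE-0000-0004": None,
}
VENDOR_CVSS = {"CVE-0000-0002": 8.8}   # vendor scored it before NVD did
KEV = {"CVE-0000-0004"}                # confirmed exploited in the wild
EPSS = {"CVE-0000-0001": 0.02, "CVE-0000-0002": 0.41,
        "CVE-0000-0003": 0.90, "CVE-0000-0004": 0.15}

# Defined priority order for the CVSS field: first feed with a score wins.
CVSS_SOURCES = [("vendor", VENDOR_CVSS), ("nvd", NVD_CVSS)]
# Assumption for this example: an EPSS score at or above this value is
# treated as "top of the distribution" and escalated.
EPSS_ESCALATE = 0.5


@dataclass
class Finding:
    cve: str
    cvss: Optional[float]
    cvss_source: Optional[str]
    kev: bool
    epss: Optional[float]


def enrich(cve: str) -> Finding:
    """Merge feeds; fall back to the next CVSS source when one has a gap."""
    cvss, source = None, None
    for name, feed in CVSS_SOURCES:
        score = feed.get(cve)
        if score is not None:
            cvss, source = score, name
            break
    return Finding(cve, cvss, source, cve in KEV, EPSS.get(cve))


def naive_priority(cve: str) -> str:
    """NVD-only severity gate, as described in the article: an unscored CVE
    falls to the bottom even if it is in KEV."""
    score = NVD_CVSS.get(cve)
    if score is None:
        return "P4"
    if score >= 9.0:
        return "P1"
    if score >= 7.0:
        return "P2"
    return "P3"


def resilient_priority(f: Finding) -> tuple:
    """Multi-signal priority: KEV first, then EPSS, then reconciled CVSS.
    An unenriched CVE is held at P2 for manual triage rather than sinking."""
    if f.kev:
        return "P0", "CISA KEV: confirmed exploitation"
    if f.epss is not None and f.epss >= EPSS_ESCALATE:
        return "P1", f"EPSS {f.epss:.2f} at or above {EPSS_ESCALATE}"
    if f.cvss is None:
        return "P2", "unenriched in every feed: manual triage"
    if f.cvss >= 9.0:
        return "P1", f"CVSS {f.cvss} ({f.cvss_source})"
    if f.cvss >= 7.0:
        return "P2", f"CVSS {f.cvss} ({f.cvss_source})"
    return "P3", f"CVSS {f.cvss} ({f.cvss_source})"


def triage(cves):
    """Return {cve: (naive, resilient, reason)} so the two gates can be compared."""
    out = {}
    for cve in cves:
        prio, why = resilient_priority(enrich(cve))
        out[cve] = (naive_priority(cve), prio, why)
    return out


if __name__ == "__main__":
    for cve, (naive, res, why) in triage(sorted(NVD_CVSS)).items():
        print(f"{cve}: naive={naive} resilient={res}  ({why})")
```

Running the block shows the failure mode the article describes: the KEV-listed placeholder with no NVD score is P4 under the NVD-only gate and P0 under the reconciled one, and the CVE scored only by its vendor advisory moves from P4 to P2. Swapping the constructed dictionaries for real feed downloads leaves the priority logic unchanged, which is the point of keeping source order and fallback explicit rather than baked into a single scanner's severity field.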
The NVD crisis revealed that vulnerability management programmes built on a single authoritative source are as fragile as the infrastructures they protect. Resilience requires the same defence-in-depth principles applied to intel sources as to network architecture.