Under-examined Critical Vulnerabilities Emerging Due to NIST's Delay in Analysis
The National Institute of Standards and Technology (NIST) has analyzed less than 10% of the vulnerabilities published in the National Vulnerability Database (NVD) since mid-February 2025. The slowdown follows a sharp rise in Common Vulnerabilities and Exposures (CVE) submissions that has outpaced NIST's previous processing rate, producing a growing backlog[1][4].
The surge in CVE reports began in the spring and early summer of 2024: submissions grew 32% in 2024 and kept climbing into 2025. An average of about 131 CVEs per day were reported in the first half of 2025, up from 113 per day in 2024, pushing the total for the year past 40,000[1][2].
NIST acknowledges that its previous processing rate cannot keep up with this volume, and the resulting backlog limits how many vulnerabilities it can analyze and score promptly[1]. In response, NIST is revising its internal processes and exploring machine-learning automation for some vulnerability-processing tasks, with the goal of clearing the backlog and keeping pace with incoming CVEs[1].
A technical issue that affected CVE processing in early 2025 also required NVD API users to reset certain request parameters in order to keep receiving the latest updates, a further sign of the strain on NIST's vulnerability-data pipeline[1].
The slowdown has broad consequences, according to Patrick Garrity, a senior researcher at VulnCheck. Many security tools and threat- and risk-scoring systems depend on NVD enrichment data such as Common Platform Enumeration (CPE) identifiers and Common Vulnerability Scoring System (CVSS) scores; with more than half of the known exploited vulnerabilities in VulnCheck's catalog missing NIST analysis, those systems cannot work as well as they should[1][4].
Moreover, more than four in five CVEs that have a public proof-of-concept exploit have not been analyzed by the NVD since the slowdown began, according to VulnCheck's report. These include known exploited vulnerabilities affecting Microsoft Windows, Adobe ColdFusion, Progress Flowmon, ChatGPT and products from other vendors[1].
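As an added example (not code from VulnCheck, NIST or this article), the script below shows what a practitioner can do about the gap described above: build a modified-since query for the NVD CVE API 2.0 and sort each returned record by whether it carries NIST's own enrichment or only what the reporting CNA supplied. The lastModStartDate/lastModEndDate window and its 120-day cap are the public API's documented behaviour; that these are the parameters users had to reset is my assumption, not something the article states. The sample records are constructed in the API's JSON shape with placeholder CVE IDs, and the request URL is built but never sent, so everything runs offline.

```python
"""Triage NVD CVE API 2.0 records for missing NIST enrichment (added example).

Record shapes follow the public NVD API 2.0 JSON (vulnStatus,
metrics.cvssMetricV31[].source, configurations[].nodes[].cpeMatch).
The records themselves are constructed and the CVE IDs are placeholders.
"""
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

NVD_API = "https://services.nvd.nist.gov/rest/json/cves/2.0"
NVD_SOURCE = "nvd@nist.gov"            # source string NVD puts on its Primary metric
ENRICHED_STATES = {"Analyzed", "Modified"}

# Constructed sample response; placeholder IDs, not real vulnerabilities.
SAMPLE_RESPONSE = {
    "vulnerabilities": [
        {"cve": {"id": "CVE-1900-0001", "vulnStatus": "Analyzed",
                 "metrics": {"cvssMetricV31": [{"source": NVD_SOURCE, "type": "Primary",
                                                 "cvssData": {"baseScore": 9.8}}]},
                 "configurations": [{"nodes": [{"cpeMatch": [
                     {"criteria": "cpe:2.3:a:vendor:product:1.0:*:*:*:*:*:*:*"}]}]}]}},
        {"cve": {"id": "CVE-1900-0002", "vulnStatus": "Awaiting Analysis",
                 "metrics": {"cvssMetricV31": [{"source": "cna@example.test", "type": "Secondary",
                                                 "cvssData": {"baseScore": 7.5}}]}}},
        {"cve": {"id": "CVE-1900-0003", "vulnStatus": "Awaiting Analysis", "metrics": {}}},
        {"cve": {"id": "CVE-1900-0004", "vulnStatus": "Rejected", "metrics": {}}},
    ]
}


def best_cvss(cve):
    """Return (baseScore, source): NVD's Primary v3.1 metric if present,
    else the first CNA-supplied metric, else (None, None)."""
    metrics = cve.get("metrics", {}).get("cvssMetricV31", [])
    for m in metrics:
        if m.get("source") == NVD_SOURCE:
            return m["cvssData"]["baseScore"], "nvd"
    for m in metrics:
        return m["cvssData"]["baseScore"], m.get("source", "unknown")
    return None, None


def has_cpe(cve):
    """True if NVD attached any CPE applicability statement (needed by CPE-keyed scanners)."""
    return any(node.get("cpeMatch")
               for conf in cve.get("configurations", [])
               for node in conf.get("nodes", []))


def triage(entry):
    """Classify one API record by how much NVD enrichment it actually carries."""
    cve = entry["cve"]
    score, src = best_cvss(cve)
    status = cve.get("vulnStatus", "")
    enriched = status in ENRICHED_STATES and src == "nvd"
    if status == "Rejected":
        action = "ignore"
    elif enriched:
        action = "score-from-nvd"
    elif score is not None:
        action = "score-from-cna-unverified"   # CNA score only; NVD has not reviewed it
    else:
        action = "manual-review"               # no score, no CPE: tools keyed on either miss it
    return {"id": cve["id"], "status": status, "score": score, "score_source": src,
            "has_cpe": has_cpe(cve), "nvd_enriched": enriched, "action": action}


def unenriched_ids(response):
    """IDs of live (non-rejected) CVEs that still lack NVD's own analysis."""
    return [t["id"] for t in map(triage, response["vulnerabilities"])
            if not t["nvd_enriched"] and t["status"] != "Rejected"]


def build_window_url(start, end, results_per_page=2000):
    """Query URL for CVEs last modified in [start, end] (tz-aware datetimes).
    The API rejects windows longer than 120 days, so check before sending."""
    if start.tzinfo is None or end.tzinfo is None:
        raise ValueError("use timezone-aware datetimes")
    if end - start > timedelta(days=120):
        raise ValueError("NVD limits lastModStartDate..lastModEndDate to 120 days")

    def stamp(d):                               # 2025-02-15T00:00:00.000+00:00
        s = d.strftime("%Y-%m-%dT%H:%M:%S.000%z")
        return s[:-2] + ":" + s[-2:]

    params = {"lastModStartDate": stamp(start), "lastModEndDate": stamp(end),
              "resultsPerPage": results_per_page}
    return NVD_API + "?" + urlencode(params)


# Demo window used below (constructed dates).
DEMO_END = datetime(2025, 3, 1, tzinfo=timezone.utc)
DEMO_START = DEMO_END - timedelta(days=14)
DEMO_TOO_EARLY = DEMO_END - timedelta(days=121)

if __name__ == "__main__":
    for row in map(triage, SAMPLE_RESPONSE["vulnerabilities"]):
        print(row)
    print("still unenriched:", unenriched_ids(SAMPLE_RESPONSE))
    print(build_window_url(DEMO_START, DEMO_END))
```

The useful output is the action column: a "score-from-cna-unverified" record has a number a scoring pipeline will happily consume, but nobody at NVD has checked it, and a "manual-review" record with no score and no CPE is exactly the kind of entry that a scanner matching on CPE or a risk dashboard sorting by CVSS will silently skip. Running the triage over your own asset list's CVEs is a quick way to see how much of your risk picture currently rests on unanalyzed entries.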
The resource-constrained agency reported an all-time high of 33,137 vulnerability disclosures last year and is falling behind[1]. Meanwhile, corporate stakeholders want a clearer picture of the risk in their technology stacks and are asking one question: are we a target? Helping them answer it is an increasingly central part of the Chief Information Security Officer's (CISO's) role[1].
NIST had not responded to questions about VulnCheck's research at the time of publication, but the research sharpens the concerns security experts raised about an analysis gap when NIST paused its analysis work[1]. Because of the slowdown, the number of CVEs with unexamined proof-of-concept exploits keeps growing[1].
[1] VulnCheck's report on the NIST analysis slowdown
[2] NVD statistics on CVE reports
[3] NIST's acknowledgement of the backlog and the need for improvement
[4] VulnCheck's research on the number of CVEs with unexamined proof-of-concept exploits and the impact on the security community
- The growing number of vulnerabilities left unanalyzed by NIST's slowdown weakens the many security tools and risk-scoring systems that rely on NVD enrichment data such as CPE identifiers and CVSS scores.
- With more than 80% of CVEs that have proof-of-concept exploits still unanalyzed by NIST, concern is growing about the risk carried by technologies from many vendors, including Microsoft Windows, Adobe ColdFusion, Progress Flowmon, ChatGPT and others.