
NIST transitions National Vulnerability Database to risk-based triage as CVE submissions reach record levels

The US National Institute of Standards and Technology today announced an overhaul of how it processes cybersecurity vulnerabilities in the National Vulnerability Database.

NIST is abandoning its long-standing goal of comprehensively analyzing every Common Vulnerabilities and Exposures entry in favor of a risk-based triage model that prioritizes the most dangerous vulnerabilities. The change, which went into effect today, is a response to the volume of CVE submissions NIST has been receiving. Between 2020 and 2025, CVE submissions increased by 263 percent, and in the first quarter of this year they were almost a third higher than in the same period last year.

NIST predicted approximately 42,000 CVEs by 2025, a 45% year-over-year increase, but its increase in processing capacity is not enough to keep up with the growing volume. Under the new model, NIST will fully enrich only CVEs that meet one of three criteria.

The criteria for full enrichment are: vulnerabilities listed in the US Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities catalog, CVEs affecting software used in the federal government, and CVEs affecting software considered critical under Executive Order 14028.

With the new model, NIST aims to enrich KEV catalog entries within one business day of discovery.

The remaining reported CVEs do not go away, however. They will still be listed in the NVD but will be classified as “Unscheduled,” meaning that NIST will not automatically add the vulnerability scores and product data that security teams rely on to prioritize patching.

The agency also faces a significant backlog that has grown since early 2024. All CVEs with an NVD publication date prior to March 1, 2026, that remain unenriched will be moved to the “Unscheduled” category, and NIST will enrich them only as resources allow. CVEs already in the KEV catalog are not included in that sweep.

The new model includes two additional process changes. NIST will no longer produce its own severity score for CVEs to which the CVE Numbering Authority has already assigned one, which eliminates duplicate analysis. And updated CVEs will be re-analyzed only when the change affects enrichment data, rather than automatically for every update.

While NIST does not directly blame the increase in CVE submissions on artificial intelligence, it is one of the main drivers behind the surge, according to Vincenzo Iozzo, founder and CEO of threat detection and response provider SlashID Inc.

“We’ve seen a dramatic increase in valid AI vulnerabilities reported. According to reports, in the last year alone, the number of vulnerabilities reported has more than doubled,” Iozzo told SiliconANGLE via email. “As a result, NIST’s new policy makes sense and the categories still covered are the most important.”

And, he added, “major types of languages are getting close to being ready enough to allow organizations to prioritize and manage vulnerabilities in their environment, reducing the need for advanced CVEs.”

Shane Fry, chief technology officer at cybersecurity solutions company RunSafe Security Inc., believes that “this announcement is a signal to the industry that the time to wait for CVE points before you act is over.”

“Vulnerability visibility is not perfect, but organizations using a diverse set of vulnerability data sources will have a more reliable understanding of vulnerabilities and which ones are affected by them,” said Fry. “More importantly, organizations need to assume that unknown vulnerabilities already exist in their software and implement safeguards that can prevent exploitation before a patch – or CVE score – is available.”

Image: NIST
