Introduction
On April 2, 2025, the National Institute of Standards and Technology (NIST) announced a change in how it handles older entries in the National Vulnerability Database (NVD): every Common Vulnerabilities and Exposures (CVE) record with a published date before January 1, 2018, is now marked “Deferred”. The change affects roughly 94,000 CVE entries, about 34% of the database.
Challenges Leading to Change
NIST has struggled to keep pace with submissions since early 2024. The backlog of CVEs awaiting analysis peaked at around 18,000, as the volume of new submissions rose by about 32% in 2024 alone; the analysis capacity simply did not grow with the intake.
Resource Constraints Drive Policy Adjustment
In practice, “Deferred” means NIST will not prioritise initial enrichment (CVSS scores, CWE classifications, CPE applicability statements) or updates to existing enrichment for these records, purely because of their age. The status is being applied over several nights, and its stated purpose is transparency: it tells NVD users which CVEs NIST does not intend to analyse further.
Security Implications
Security experts have voiced concerns about the decision, particularly given the prospect of AI-assisted exploitation. Marc Gaffan, CEO of IONIX, pointed out that emerging AI tooling could make older CVEs attractive to exploit anew. Organizations that run legacy systems in essential services may face increased exposure from these latent vulnerabilities.
Ensuring Continued Vigilance on Critical Vulnerabilities
Despite the “Deferred” status, NIST said it will continue to accept and review requests to update the metadata of deferred CVEs, and will keep prioritising any CVE, regardless of age, that is added to the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) catalog.
Adapting to Changes
Deferred CVEs remain in the NVD; their detail pages carry a visible “Deferred” banner so the status is transparent. Security teams should adjust vulnerability-management processes accordingly: a deferred record still describes a real flaw, only its NVD enrichment is frozen, so it must stay in scope for scanning and monitoring of systems that may be affected.
Practical Recommendations
Experts recommend keeping an accurate software bill of materials (SBOM) for legacy systems and matching its components against vulnerability data that still includes pre-2018 CVEs, so that deferred entries are not silently dropped from risk assessments. This matters most for organizations that maintain legacy systems, which remain exposed to exploits targeting these older flaws.
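As an added example (not code from the article, NIST or CISA), here is one way to act on the two recommendations above: flag findings whose NVD record is deferred, and escalate any that are also in the KEV catalog. It assumes the NVD API 2.0 record shape (cve.id, cve.published, cve.vulnStatus) and a locally cached set of KEV CVE IDs; every CVE ID and record in it is a constructed placeholder, not a real entry.

```python
"""Triage NVD "Deferred" CVEs against a host's vulnerability findings.

Added example; not code from the article, NIST or CISA. Assumes the NVD
API 2.0 record shape and a locally cached KEV catalog reduced to a set of
CVE IDs. All CVE IDs below are constructed placeholders.
"""
import json
from datetime import date

# NVD deferral criterion announced 2 April 2025: published before this date.
DEFERRAL_CUTOFF = date(2018, 1, 1)

# Constructed sample shaped like the NVD API 2.0 "vulnerabilities" array.
SAMPLE_NVD_JSON = json.dumps({"vulnerabilities": [
    {"cve": {"id": "CVE-2017-99991", "published": "2017-03-14T17:59:00.000",
             "vulnStatus": "Deferred"}},
    {"cve": {"id": "CVE-2016-99992", "published": "2016-11-02T10:00:00.000",
             "vulnStatus": "Deferred"}},
    # A mirror cached before the policy change: no vulnStatus field yet.
    {"cve": {"id": "CVE-2015-99993", "published": "2015-06-01T00:00:00.000"}},
    {"cve": {"id": "CVE-2019-99994", "published": "2019-08-21T12:00:00.000",
             "vulnStatus": "Analyzed"}},
]})

# Constructed stand-in for the KEV catalog's cveID values.
SAMPLE_KEV_IDS = {"CVE-2016-99992"}


def load_nvd_records(json_text):
    """Return {cve_id: (published_date, vulnStatus or None)} from NVD API 2.0 JSON."""
    records = {}
    for item in json.loads(json_text)["vulnerabilities"]:
        cve = item["cve"]
        published = date.fromisoformat(cve["published"][:10])  # keep YYYY-MM-DD
        records[cve["id"]] = (published, cve.get("vulnStatus"))
    return records


def deferral_state(published, status):
    """'deferred' when NVD says so; 'deferred-inferred' when the status field is
    absent (stale mirror) but the record meets the published-date criterion;
    otherwise 'active'."""
    if status == "Deferred":
        return "deferred"
    if status is None and published < DEFERRAL_CUTOFF:
        return "deferred-inferred"
    return "active"


def triage(finding_ids, nvd, kev_ids):
    """Map each finding to an action. Deferred CVEs stay in scope; KEV
    membership is the signal NIST said it will still prioritise, so those
    go to the front of the queue regardless of NVD status."""
    actions = {}
    for cve_id in finding_ids:
        if cve_id not in nvd:
            actions[cve_id] = "unknown: not in local NVD mirror, fetch before scoring"
            continue
        published, status = nvd[cve_id]
        state = deferral_state(published, status)
        if cve_id in kev_ids:
            suffix = " (NVD record deferred)" if state != "active" else ""
            actions[cve_id] = "patch now: in CISA KEV" + suffix
        elif state == "active":
            actions[cve_id] = "score with current NVD enrichment"
        else:
            actions[cve_id] = ("keep in scope: NVD enrichment frozen, "
                               "use vendor advisory or last CVSS snapshot")
    return actions


if __name__ == "__main__":
    nvd = load_nvd_records(SAMPLE_NVD_JSON)
    findings = ["CVE-2017-99991", "CVE-2016-99992", "CVE-2015-99993",
                "CVE-2019-99994", "CVE-2020-99995"]
    for cve_id, action in triage(findings, nvd, SAMPLE_KEV_IDS).items():
        print(f"{cve_id}: {action}")
```

The "deferred-inferred" branch exists because a scanner fed from an NVD mirror frozen before April 2025 will not see the new status value; inferring it from the published date reproduces NIST's own criterion rather than guessing from the year in the CVE ID, which can differ from the publication year.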
Overall, NIST’s move is a deliberate trade-off: it concentrates scarce analysis capacity on current and actively exploited vulnerabilities while leaving older records in place but unmaintained.
Last Updated: April 8, 2025