Overview

As the CVE program faces an uncertain future, security teams must look beyond static vulnerability databases and invest in real-time detection and response, especially at the application layer.

On April 15, 2025, MITRE informed its board that its contract to operate the Common Vulnerabilities and Exposures (CVE) Program is set to expire on April 16, meaning it would no longer operate the system or assign CVE classifications to new vulnerabilities.

In a statement uncovered today, April 16th, a CISA spokesperson noted that the necessary funding has been allocated to ensure that critical CVE services remain in effect:

This update came just a few hours after a group of CVE Board Members announced it was forming an entity called the CVE Foundation to maintain the CVE Program under a new body.

The Implications and Unknowns

When the news broke, the community expressed deserved outrage and concern.

Cybersecurity as an industry has been built on many different foundational systems – with the CVE program being one of its most trusted pillars. Security professionals look to CVEs as a single source of truth for risk in the software that powers their businesses. Quite simply, it is the backbone of modern vulnerability management strategies. 

While the latest reports tell us that funding has been secured, there are still many unknowns, such as how long it will last and what future efforts might look like. Even before this funding scare, the vulnerability community has been under pressure. For example, resource constraints for the National Vulnerability Database (NVD) have led to slower publication times, inconsistencies in data quality, and gaps in coverage.

The Reality

Systemic delays in reporting only compound the challenges that modern security teams face in patching software in a timely manner and ultimately stopping attackers from exploiting holes in modern environments. 

As the industry faces these headwinds, attackers are only moving faster. While the number of known vulnerabilities has increased significantly and consistently year over year, the average time it takes for an attacker to exploit a vulnerability has shrunk from months, to days, to hours.

In fact, according to VulnCheck, nearly 24% of known exploited vulnerabilities were exploited on or before their public disclosure. This means that by the time a CVE is assigned and published, there is a notable possibility that an exploit is in the wild – or worse, inside your environment.

Current Vulnerability Management

For the past decade, many key products have emerged to address known vulnerabilities. From Software Composition Analysis (SCA) to static analysis security testing (SAST), and Cloud Security Posture Management (CSPM), organizations now have a deep bench of tools designed to find and fix known vulnerabilities across their environments.

This shift-left movement has had a huge impact, but it also created an imbalance: greater spend on vulnerability management to address known vulnerabilities and relatively little to address zero-days, unreported or delayed CVEs, misconfigurations, and more. The latter is where these point-in-time tools have consistently fallen short.

In today’s world, where attackers are exploiting vulnerabilities faster than they can be reported, relying solely on CVE-based tooling is like trying to put out a forest fire with a water gun.

The Emergence of Application Detection & Response (ADR)

This is where ADR changes the game. ADR doesn’t wait for a vulnerability to be published. 

Oligo’s ADR solution leverages Deep Application Inspection (DAI) to profile the behavior of application components at runtime to detect and prevent deviations from normal behavior. This enables our customers to prevent exploit attempts from CVEs and, more importantly, vulnerabilities that either haven’t been reported yet or are still waiting for a CVE identifier.

The Path Forward

CVE tracking, for the time being, is not going anywhere – but there appear to be some headwinds. This funding scare is the latest sign that while CVE-based approaches remain an important pillar, their limitations may become more apparent in the future.

The bottom line: organizations need to reconsider how they protect the software that makes their business go. This doesn’t mean abandoning CVE-based tools altogether; it just means that some fires need more than a water gun to be addressed.


Avi Lumelsky
AI Security Researcher

Avi Lumelsky is a security researcher specializing in engineering and AI. At Oligo Security, he secures AI infrastructure by uncovering vulnerabilities in open-source projects. Previously at Deci AI (now part of NVIDIA), he focused on model optimization. His work has resulted in reports for major companies like Google and Meta, and has been featured in Forbes and Hacker News. He also maintains open-source eBPF projects and explores vulnerabilities in AI frameworks and inference servers.
