NIST Defers Pre-2018 CVEs to Tackle Growing Vulnerability Backlog

All Common Vulnerabilities and Exposures (CVEs) published before January 1, 2018, will now be marked as Deferred in the National Vulnerability Database (NVD), the US National Institute of Standards and Technology (NIST) has confirmed.
CVEs assigned this status will no longer be prioritized for enrichment data updates unless they appear in the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) catalog.
NIST said banners will be added to affected CVE pages to make the change visible. This shift began recently and has already impacted over 20,000 entries, with the total potentially reaching 100,000.
The decision comes as NIST continues to battle a growing backlog in processing vulnerability data.
Last year, it experienced a 32% surge in submissions and failed to meet its goal of clearing the backlog by the end of fiscal year 2024. The agency attributed the delay to challenges in importing and enriching incoming data efficiently.
“To address this issue, we are developing new systems that will allow us to process incoming ADP data more efficiently,” NIST said last November.
Experts view the move as a practical response to a complex issue.
“A movement by NIST to mark older vulnerabilities as deferred is an expected evolution of the scale of management of vulnerabilities,” said Ken Dunham, cyber threat director at Qualys Threat Research Unit.
“Organizations should take this action by NIST as an indicator of the challenge to manage and prioritize their own risk.”
Jason Soroko, Senior Fellow at Sectigo, said the decision reflects a strategic reprioritization.
“This move reallocates scarce resources toward emerging threats. It relies on the premise that legacy issues are already well documented and mitigated by routine patch management,” Soroko explained.
While the deferred CVEs will remain accessible and metadata updates can still be requested, the responsibility for managing these older vulnerabilities now rests more heavily on organizations themselves.
Security teams are advised to:
- Identify and monitor legacy systems
- Prioritize patching of deferred vulnerabilities where feasible
- Harden or segment outdated infrastructure
- Use real-time threat intelligence to detect exploitation attempts
As the volume of CVEs continues to rise, NIST is also exploring the use of AI and machine learning to streamline vulnerability data processing.