# NIST Limits CVE Enrichment After 263% Surge in Vulnerability Submissions


The National Institute of Standards and Technology (NIST) has formally announced a significant restructuring of how it processes cybersecurity vulnerabilities and exposures (CVEs) in its National Vulnerability Database (NVD), instituting strict eligibility criteria for enrichment amid what officials describe as an unmanageable 263% surge in submissions. Under the new framework, CVEs that fail to meet defined thresholds will still be listed in the NVD but will not receive the detailed metadata—including CVSS scores, Common Weakness Enumeration (CWE) mappings, and Common Platform Enumeration (CPE) identifiers—that security teams have come to rely on for vulnerability prioritization and automated patch management.


## Background and Context


The NVD has long served as the de facto global reference for vulnerability intelligence, functioning as the backbone for countless enterprise security tools, SIEM platforms, vulnerability scanners, and compliance frameworks. Every CVE that enters the database traditionally undergoes a process known as "enrichment," in which NIST analysts attach structured, machine-readable metadata that enables downstream automation. Without this enrichment, a CVE is effectively a raw identifier—useful as a reference, but dramatically less actionable for defenders.


The pressure on NIST's enrichment pipeline has been building for years, but the 263% year-over-year increase in CVE submissions has pushed the system past its operational capacity. The surge reflects several converging trends: the proliferation of CVE Numbering Authorities (CNAs) willing to assign identifiers, the rise of automated vulnerability discovery tools, greater participation from open-source maintainers, and an expanding attack surface driven by cloud-native architectures, IoT devices, and AI/ML platforms. In early 2024, NIST briefly paused enrichment work altogether, leaving thousands of CVEs unanalyzed and triggering alarm across the cybersecurity community. The new criteria-based approach represents the agency's attempt to restore predictability while acknowledging that full coverage is no longer feasible.


## Technical Details


Under the revised policy, NIST will prioritize enrichment for CVEs that meet one or more of the following criteria: inclusion in CISA's Known Exploited Vulnerabilities (KEV) catalog, presence of a high or critical CVSS severity assessment from the originating CNA, coverage of widely deployed software or infrastructure components, and evidence of active exploitation in the wild. CVEs affecting niche products, unsupported legacy software, or low-impact issues may receive only minimal processing.


From a technical standpoint, the most consequential change involves CPE assignment. CPE strings are the structured identifiers that map a CVE to specific vendor products and versions—they are what allow a vulnerability scanner to determine whether a given CVE applies to a particular asset in an environment. Without a CPE, automated tools cannot reliably correlate a vulnerability to an inventory item, forcing defenders back to manual analysis. Similarly, the absence of CWE mappings limits a security team's ability to cluster related weaknesses, inform secure-coding training, or drive strategic remediation programs.


NIST has indicated it will work with CNAs to push more of the enrichment burden upstream, encouraging submitters to provide enriched data at the point of CVE assignment. This model—often referred to as "enrichment at source"—aligns with the MITRE CVE Program's broader modernization efforts but introduces variability in data quality, since CNAs differ widely in their rigor and resources.


## Real-World Impact


For enterprise security teams, the implications are immediate and significant. Vulnerability management programs built around the assumption of comprehensive NVD enrichment will need to adapt. Organizations that rely on CVSS scores from NVD to drive SLA-based patching workflows may find gaps in coverage, particularly for CVEs affecting specialized or less-common technologies. Compliance frameworks such as FedRAMP, PCI DSS, and various healthcare standards that reference NVD data may also face indirect disruption.


Managed security service providers (MSSPs) and vulnerability management vendors will likely need to invest in their own enrichment pipelines, drawing on sources such as vendor advisories, exploit databases like Exploit-DB, and commercial threat intelligence feeds. Smaller organizations without the resources to supplement NVD data may find themselves at a growing disadvantage.


The change also complicates vulnerability disclosure economics. Researchers who disclose lower-severity bugs may see their findings receive less visibility, potentially reducing the incentive to report certain classes of vulnerabilities through coordinated channels.


## Threat Actor Context


While this policy shift is not itself a threat actor story, it creates conditions that adversaries can exploit. Attackers frequently target vulnerabilities that defenders have deprioritized or overlooked, and a less-enriched NVD may expand the pool of "quiet" CVEs that fall beneath organizational detection thresholds. Ransomware operators, initial access brokers, and nation-state actors alike have demonstrated sophistication in identifying under-analyzed vulnerabilities in niche products—particularly in edge devices, VPN appliances, and managed file transfer platforms—and weaponizing them before defenders recognize the risk.


Recent campaigns exploiting vulnerabilities in products such as Ivanti Connect Secure, Progress MOVEit, and various SSL VPN gateways illustrate how even CVEs with limited initial attention can rapidly become mass-exploitation vectors. A fragmented enrichment pipeline increases the likelihood that such vulnerabilities will go unrecognized during their most dangerous early window.


## Defensive Recommendations


Security teams should take proactive steps to insulate their programs from NVD data gaps:


  • Diversify vulnerability intelligence sources. Integrate vendor advisories, CISA KEV, VulnCheck, GitHub Security Advisories, and commercial threat intelligence platforms alongside the NVD.
  • Reassess prioritization models. Move beyond CVSS-only scoring toward risk-based frameworks such as EPSS (Exploit Prediction Scoring System) and SSVC (Stakeholder-Specific Vulnerability Categorization).
  • Strengthen asset inventory accuracy. Without reliable CPE mappings, accurate and granular asset inventory becomes the foundation of vulnerability correlation.
  • Monitor CNA advisories directly. Major vendors increasingly publish enriched data themselves; pulling directly from authoritative sources reduces dependence on NVD enrichment.
  • Invest in internal enrichment capability. Larger organizations should consider building or acquiring tooling that normalizes CVE data across sources and produces internal severity and applicability ratings.
  • Engage in threat hunting for under-prioritized CVEs. Do not assume that low enrichment equals low risk.
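As an added example (not code from NIST, the NVD, or any vendor named in this article), the Python below sketches the internal enrichment step the recommendations describe: it fills gaps in an unenriched NVD record from a CNA advisory, attaches KEV and EPSS signals, tests applicability against an asset inventory using CPE 2.3 strings, and then applies a rating order similar to the prioritization criteria in the Technical Details section. All records, vendor names and thresholds are constructed assumptions, and the CPE matcher is a simplified field-by-field comparison rather than the full CPE 2.3 matching specification.

```python
# Added example, not NIST/NVD code. All records, names and thresholds are
# constructed assumptions; the CPE matcher is a simplified CPE 2.3 comparison.
# Constructed NVD-style records; CVE-2024-0002 never received enrichment.
NVD = {
    "CVE-2024-0001": {"cvss": 9.8,
                      "cpes": ["cpe:2.3:a:examplevendor:gateway:1.2.*:*:*:*:*:*:*:*"]},
    "CVE-2024-0002": {"cvss": None, "cpes": []},
}
# Constructed CNA advisory ("enrichment at source") that fills the gap.
CNA = {"CVE-2024-0002": {"cvss": 8.1,
                         "cpes": ["cpe:2.3:a:examplevendor:filemover:2.0:*:*:*:*:*:*:*"]}}
KEV = {"CVE-2024-0002"}                                  # constructed KEV entries
EPSS = {"CVE-2024-0001": 0.02, "CVE-2024-0002": 0.71}  # constructed EPSS scores
ASSETS = ["cpe:2.3:a:examplevendor:gateway:1.2.7:*:*:*:*:*:*:*",   # constructed inventory
          "cpe:2.3:a:examplevendor:filemover:2.0:*:*:*:*:*:*:*"]


def cpe_match(pattern: str, asset: str) -> bool:
    """Field-by-field CPE 2.3 comparison: '*' matches anything and a version
    written as a prefix such as '1.2.*' matches any '1.2.x' release."""
    p, a = pattern.split(":")[2:], asset.split(":")[2:]
    if len(p) != 11 or len(a) != 11:
        raise ValueError("expected 13-field CPE 2.3 strings")
    for pv, av in zip(p, a):
        if pv == "*" or pv == av:
            continue
        if pv.endswith(".*") and av.startswith(pv[:-1]):
            continue
        return False
    return True


def enrich(cve: str) -> dict:
    """Prefer NVD data, fall back to the CNA advisory, attach KEV/EPSS signals."""
    nvd, cna = NVD.get(cve, {}), CNA.get(cve, {})
    source = "nvd" if nvd.get("cvss") is not None else "cna" if cna.get("cvss") is not None else "none"
    return {"cve": cve,
            "cvss": nvd.get("cvss") if source == "nvd" else cna.get("cvss"),
            "cpes": nvd.get("cpes") or cna.get("cpes", []),
            "kev": cve in KEV, "epss": EPSS.get(cve, 0.0), "source": source}


def priority(rec: dict, assets: list) -> str:
    """Internal rating: applicability first, exploitation evidence next, CVSS last."""
    if not rec["cpes"]:
        return "unknown-applicability"       # no CPE anywhere: needs manual review
    if not any(cpe_match(p, a) for p in rec["cpes"] for a in assets):
        return "not-applicable"
    if rec["kev"] or rec["epss"] >= 0.5:
        return "urgent"
    if rec["cvss"] is not None and rec["cvss"] >= 7.0:
        return "high"
    return "routine"
```

A CVE with no CPE from any source is deliberately surfaced as "unknown-applicability" rather than silently scored low, since the article's point is that missing enrichment must not be read as low risk.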

## Industry Response


Reaction from the cybersecurity community has been mixed. Some practitioners have expressed concern that the reduced NVD coverage will widen the gap between well-resourced enterprises and under-resourced organizations, including small businesses, public sector entities, and critical infrastructure operators. Others have acknowledged that the prior model was unsustainable and that criteria-based triage is a pragmatic response to an overwhelmed system.


CISA has continued to expand the KEV catalog and associated guidance, positioning it as a complementary signal for prioritization. Vendors such as Tenable, Rapid7, Qualys, and Wiz have signaled intent to fill enrichment gaps through their own research teams. Meanwhile, the MITRE CVE Program and its partner CNAs are accelerating work on enriched CVE Records and the CVE 5 schema, which supports richer, more structured data at the time of assignment.


Whether these parallel efforts can collectively preserve the ecosystem's access to timely, accurate vulnerability data remains to be seen. What is clear is that the era of treating the NVD as a single source of truth is ending, and defenders must adapt accordingly.

