Volatility in CVE: Is the Vulnerability Intelligence Ecosystem Entering a New Chapter?
Doubts surrounding CVE’s longevity are creating substantial volatility in the cybersecurity landscape. Join Flashpoint’s Community Call to learn the latest developments, how to stay resilient, and how to identify the path forward.

Recent volatility in the funding of the Common Vulnerabilities and Exposures (CVE) program is causing significant disarray in the vulnerability intelligence ecosystem. On April 15, 2025, a leaked letter from MITRE, the maintainer of the CVE program, stated that the program would soon expire due to contracting issues. However, the Cybersecurity and Infrastructure Security Agency (CISA) announced on April 16 that it has executed a contract option to prevent any disruption in CVE services. According to news sources, this extension will last for eleven months, through March 2026.
Flashpoint is actively monitoring this situation. Here are the latest developments so far:
- April 15, 2025
  - A letter from MITRE to the CVE Board was leaked online, implying that CVE may lose funding.
- April 16, 2025
  - CISA announces that it will ensure the continuation of CVE.
  - CVE Board members establish the CVE Foundation.
  - The European Union Vulnerability Database (EUVD) opens amid uncertainty about US-based vulnerability databases.
Why CVE Matters
While CISA’s announcement has averted a halt of CVE in the short term, many questions remain. The uncertainty has led many organizations, security vendors, and the press to ask the same question: What happens if CVE goes away?
In today’s vulnerability intelligence ecosystem, nearly every organization’s vulnerability management framework relies on CVE. Since its inception in 1999, the CVE system has grown into a critical global cybersecurity utility, relied upon by nearly all vulnerability scanners, SIEM platforms, patch management tools, threat intelligence feeds, and compliance reports.
CVE and its counterpart, the National Vulnerability Database (NVD), have already shown symptoms of decline. Throughout 2024 and 2025 the industry has observed increasing amounts of incomplete vulnerability data, disruption of compliance reporting, and delays in coordinated disclosure and vendor patch releases, all of which negatively impact downstream systems and processes. However, a complete shutdown of CVE would not merely be a service degradation. It would be a loss of institutional infrastructure that would jeopardize billions of dollars in cybersecurity investments.
A New Chapter in the Vulnerability Intelligence Ecosystem?
At this time, the long-term health of the CVE program is uncertain. The current budget cuts to CVE could either signal a move toward a more unified US government vulnerability cataloging effort, or could mark the end of freely available US government vulnerability tracking.
The breakdown of the CVE system presents a chance to create a new, improved vulnerability management model. This new model should prioritize speed, context, transparency, and actionable insights, which the CVE system has struggled to provide.
Modernize to the Next Generation of Security Using Flashpoint
While CVE IDs can still be a useful data point in a vulnerability management strategy, they should not be the sole basis. Instead, the next generation of security needs to be built on practices that are resilient, diversified, and intelligence-driven: practices that can adapt to changes, use multiple sources of information, and focus on providing insights that can be used to take action, such as:
- Threat actor behavior and proof-of-concept availability
- Likelihood of exploitation in the wild
- Business context such as critical asset exposure
- Relevance to ransomware and data breach campaigns
Flashpoint’s vulnerability database fully maps to CVE, covering IT, OT, IoT, COTS, and open-source libraries and dependencies. It also catalogs more than 100,000 vulnerabilities missed by the public source.
Join Our Community Call to Learn More
To help organizations better understand the current situation, Flashpoint will be hosting a Community Call on April 17, 2025, at 3:00 PM EDT. Join us to learn the latest developments involving CVE and newly emerging vulnerability databases such as the EUVD, how to stay resilient in this shifting landscape, and how to identify the path forward.