Apr 17
/
Latest News
NIST Shifts Vulnerability Prioritization as CVE Volume Surges
The National Institute of Standards and Technology has announced a major shift in how it enriches cybersecurity vulnerabilities listed in the National Vulnerability Database, citing an unprecedented spike in CVE submissions. NIST said it will now enrich only those vulnerabilities that meet specific high‑impact criteria, while all others will remain listed but marked as “Not Scheduled.” The change follows a 263% increase in CVE submissions between 2020 and 2025, a trend the agency expects to continue.
Under the new model, NIST will prioritize vulnerabilities already included in CISA’s Known Exploited Vulnerabilities catalog, those affecting software used by the federal government, and those classified as critical under Executive Order 14028. The agency said the goal is to focus resources on vulnerabilities with the greatest potential for systemic impact, noting that many CVEs outside these categories pose limited broader risk. NIST added that CVE submissions in early 2026 are already nearly one‑third higher than the same period last year, and that it enriched roughly 42,000 CVEs in 2025, the highest annual total to date.
Organizations can request enrichment for unscheduled high‑impact CVEs by emailing NIST directly. The agency also announced operational changes, including discontinuing separate severity scoring when a CVE Numbering Authority has already provided one, limiting reanalysis to cases where updates materially affect enrichment data, and moving older unenriched CVEs into the “Not Scheduled” category. Updated status labels and dashboard metrics are now live to reflect these changes.
Security researchers say the shift was expected as NIST moves toward a risk‑based model. Experts warn, however, that many vulnerabilities may now lack a clear path to enrichment, leaving organizations that rely solely on NVD data with gaps. Industry analysts note that thousands of 2025 vulnerabilities still lack CVSS scores, underscoring the strain on traditional enrichment workflows. They argue that the accelerating volume of vulnerabilities and the rise of automated discovery tools demand machine‑speed approaches to analysis and a more global understanding of software risk. Others say the new model will push defenders to focus on exploitability and real‑world exposure rather than attempting to track every low‑impact flaw, a shift they believe will ultimately strengthen resilience.
Under the new model, NIST will prioritize vulnerabilities already included in CISA’s Known Exploited Vulnerabilities catalog, those affecting software used by the federal government, and those classified as critical under Executive Order 14028. The agency said the goal is to focus resources on vulnerabilities with the greatest potential for systemic impact, noting that many CVEs outside these categories pose limited broader risk. NIST added that CVE submissions in early 2026 are already nearly one‑third higher than the same period last year, and that it enriched roughly 42,000 CVEs in 2025, the highest annual total to date.
Organizations can request enrichment for unscheduled high‑impact CVEs by emailing NIST directly. The agency also announced operational changes, including discontinuing separate severity scoring when a CVE Numbering Authority has already provided one, limiting reanalysis to cases where updates materially affect enrichment data, and moving older unenriched CVEs into the “Not Scheduled” category. Updated status labels and dashboard metrics are now live to reflect these changes.
Security researchers say the shift was expected as NIST moves toward a risk‑based model. Experts warn, however, that many vulnerabilities may now lack a clear path to enrichment, leaving organizations that rely solely on NVD data with gaps. Industry analysts note that thousands of 2025 vulnerabilities still lack CVSS scores, underscoring the strain on traditional enrichment workflows. They argue that the accelerating volume of vulnerabilities and the rise of automated discovery tools demand machine‑speed approaches to analysis and a more global understanding of software risk. Others say the new model will push defenders to focus on exploitability and real‑world exposure rather than attempting to track every low‑impact flaw, a shift they believe will ultimately strengthen resilience.
Executive IT Forums, Inc.
Educational Programs on Information Technology, Governance, Risk Management, & Compliance (GRC).
Our Newsletter
Get regular updates on CPE programs, news, and more.
Thank you!
Copyright © 2026 Executive IT Forums, Inc. All Rights Reserved.
Get started
Let us introduce our school
Write your awesome label here.