
What Happens When the CVE Program Runs Out of Cash

Even as the future of the CVE program remains uncertain, Vicarius ensures business as usual. With multiple data sources and proprietary detection methods, our platform continues to deliver real-time, uninterrupted vulnerability and remediation management, no matter what. We’ve got you covered.

**Update**

April 17th

In a last-minute decision, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) extended MITRE’s contract to manage the Common Vulnerabilities and Exposures (CVE) program, ensuring uninterrupted service. CISA stated, “Last night, CISA executed the option period on the contract to ensure there will be no lapse in critical CVE services.” This extension came just hours before the contract’s expiration, alleviating concerns about potential disruptions in global cybersecurity coordination. The renewed contract is set for an 11-month period, providing continued support for this vital cybersecurity resource.

April 16th

For over two decades, the Common Vulnerabilities and Exposures (CVE) program has been a cornerstone in the cybersecurity landscape, providing a standardized system for identifying and cataloging publicly disclosed cybersecurity vulnerabilities. Managed by MITRE, this program has enabled organizations worldwide to track, prioritize, and remediate security flaws effectively. However, as of today, April 16, 2025, the CVE program faces an uncertain future due to the expiration of its federal funding. 

The Funding Crisis

MITRE confirmed that its contract with the U.S. Department of Homeland Security (DHS) to develop, operate, and modernize the CVE program expired today, April 16. Yosry Barsoum, MITRE’s Vice President and Director of the Center for Securing the Homeland, stated, “On Wednesday, April 16, 2025, funding for MITRE to develop, operate, and modernize the Common Vulnerabilities and Exposures (CVE®) Program and related programs, such as the Common Weakness Enumeration (CWE™) Program, will expire.”

The expiration of this contract means that MITRE could no longer assign new CVE identifiers or maintain the central CVE database, a gap that would disrupt how vulnerabilities are tracked and managed globally.

This isn’t a hypothetical concern. MITRE has already sounded the alarm. In a memo obtained by The Record, MITRE stated that without immediate funding, it “will begin reducing operations and notifying key stakeholders of the program’s deterioration.”

Why This Matters

At first glance, this may sound like a bureaucratic hiccup. But the implications are widespread. The CVE program isn’t just a registry of flaws. It’s the central reference point for nearly every vulnerability scanner, threat report, and patching workflow in use today.

When a new vulnerability is discovered, it typically receives a CVE ID, an official label that allows security tools, analysts, and vendors to track it. Without that ID, vulnerabilities may go untracked, remain unpatched, or get duplicated under conflicting labels across platforms.

As SecurityWeek reported, MITRE’s internal communication warned that this gap could disrupt the ability of researchers and vendors to report and coordinate disclosures effectively.

A Breakdown in Coordination

The CVE system also underpins global vulnerability coordination. Without a single source of truth, we risk a fractured landscape where vendors maintain private CVE-like databases, researchers publish flaws without clear identifiers, and security teams struggle to prioritize threats.

CSO Online put it bluntly: “The expiration leaves the program in limbo with no clear indication if or when a new contract will be signed”.

Worse, it’s not just about future vulnerabilities. The daily work of security teams depends on CVEs to drive detection logic, prioritize risk, and initiate remediation. Without ongoing updates, even current tools will begin to degrade.

MITRE Warns of Service Disruptions

MITRE is not sugarcoating the situation. In a public update, they confirmed that funding had run out and that they would “stop assigning CVEs for newly discovered vulnerabilities starting this week” unless a new contract is signed.

This marks a turning point. The idea of CVEs being unavailable or inconsistently available was once unthinkable. Now, it’s reality.

A Bigger Problem in a Bigger System

At its core, this issue is not just about funding a database. It’s about the fragility of the systems we rely on for cybersecurity coordination. As Tenable pointed out, “The CVE program has been under strain for years, burdened by outdated processes, increasing disclosure volume, and bureaucratic slowdowns”.

The fact that such a critical infrastructure component can be paused due to a missed contract renewal raises serious questions. Who owns the responsibility of keeping this going? And what happens when trust in a central authority erodes?

What Comes Next?

There are two possibilities. Either the government reinstates funding and the CVE program resumes with minimal downtime. Or we enter a phase of disorganized tracking, with private entities scrambling to build their own registries, creating inconsistencies and duplications.

Neither outcome solves the root problem: the dependency of the global cybersecurity ecosystem on a single, underfunded point of failure.

The CVE program’s lapse is a wake-up call not just to government, but to the industry as a whole. Coordination, transparency, and shared knowledge are not luxuries. They’re prerequisites for resilience.

What Security Teams Should Do Now

Until funding is restored, expect slower or paused issuance of new CVEs. This means:

  • Vendors may publish vulnerabilities without a CVE ID.
  • Automated scanners may miss untracked flaws.
  • Patch prioritization systems could become outdated.
  • Researcher coordination may suffer from duplication or conflicting naming.

Security teams must adapt. Correlating vendor advisories by hand, consuming real-time threat feeds, and enriching each finding with its own context (affected product, version range, exploitability) will be critical while identifiers are missing or inconsistent.
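The correlation problem the list above describes, advisories arriving without a CVE ID, the same flaw reported under different vendor labels, and scanners that key only on CVE IDs, is concrete enough to script. The following is an added example, not Vicarius code or any tool described on this page. It takes a handful of constructed advisory records (the product names, advisory IDs, and the CVE-2025-999xx identifiers are placeholders, not real entries), pulls CVE IDs out of their text with a regex, groups records by a normalized product-plus-version-range fingerprint, flags clusters carrying more than one CVE as conflicting labels, and gives clusters with no CVE at all a provisional internal identifier that is stable across runs so tickets do not get renamed when the script is re-run:

```python
"""Correlate vendor advisories that may lack CVE IDs (added example, constructed data)."""
import hashlib
import re
from collections import defaultdict

# CVE IDs have a four-digit year and a sequence of four or more digits.
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")

# Constructed sample advisories from hypothetical sources. Product names, advisory
# IDs and the CVE-2025-999xx identifiers are placeholders, not real CVE entries.
ADVISORIES = [
    {"source": "vendor-a", "id": "VA-2025-0042", "product": "Acme Router",
     "versions": "<= 2.3.1", "title": "Authentication bypass in admin API",
     "refs": ["CVE-2025-99901"]},
    {"source": "feed-x", "id": "X-9981", "product": "acme-router",
     "versions": "<=2.3.1", "title": "Auth bypass in admin API", "refs": []},
    {"source": "vendor-b", "id": "VB-2025-017", "product": "Acme Gateway",
     "versions": "< 5.0.2", "title": "Stack overflow in TLS handshake",
     "refs": ["CVE-2025-99902"]},
    {"source": "feed-y", "id": "Y-1201", "product": "acme gateway",
     "versions": "<5.0.2", "title": "Memory corruption in TLS handshake",
     "refs": ["see CVE-2025-99903 (duplicate filed by feed-y)"]},
    {"source": "vendor-c", "id": "VC-31", "product": "Acme Switch",
     "versions": "2.x", "title": "Privilege escalation via CLI", "refs": []},
]


def extract_cves(advisory):
    """Return every CVE ID mentioned anywhere in the advisory's text fields."""
    text = " ".join([advisory["title"], *advisory["refs"]])
    return set(CVE_RE.findall(text))


def fingerprint(advisory):
    """Heuristic dedup key: normalized product name plus version expression.
    Vendor-specific naming ('Acme Router' vs 'acme-router') collapses to one key."""
    product = re.sub(r"[^a-z0-9]", "", advisory["product"].lower())
    versions = re.sub(r"\s+", "", advisory["versions"])
    return f"{product}|{versions}"


def provisional_id(key):
    """Stable internal identifier for a flaw with no CVE, derived from the fingerprint
    so re-running the correlation never renames an open ticket. Prefix is an assumption."""
    return "INT-" + hashlib.sha256(key.encode()).hexdigest()[:10].upper()


def correlate(advisories):
    """Group advisories describing the same flaw and report its tracking status."""
    clusters = defaultdict(lambda: {"aliases": [], "cves": set()})
    for adv in advisories:
        key = fingerprint(adv)
        clusters[key]["aliases"].append(f'{adv["source"]}:{adv["id"]}')
        clusters[key]["cves"] |= extract_cves(adv)

    report = {}
    for key, c in clusters.items():
        cves = sorted(c["cves"])
        report[key] = {
            "aliases": c["aliases"],
            "cves": cves,
            # Two or more CVEs for one product/version range: conflicting labels to reconcile.
            "conflict": len(cves) > 1,
            # No CVE at all: track the flaw under a provisional internal ID until one exists.
            "tracking_id": cves[0] if cves else provisional_id(key),
        }
    return report


if __name__ == "__main__":
    for key, entry in correlate(ADVISORIES).items():
        status = "CONFLICT" if entry["conflict"] else ("UNTRACKED" if not entry["cves"] else "ok")
        print(f'{entry["tracking_id"]:16} {status:9} {key:24} aliases={entry["aliases"]}')
```

The fingerprint is deliberately crude (product and version range only); in practice you would widen it with a vendor advisory URL or a CWE and review the clusters by hand, which is exactly the manual correlation step the text calls for. The point of the provisional ID is that a scanner or ticketing system keyed on identifiers still has something stable to key on, and the conflict flag surfaces the duplicate-naming problem before it reaches the patch queue.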

How Vicarius Supports Its Customers Amid CVE Program Uncertainty

At Vicarius, we understand the critical role that the CVE program plays in cybersecurity operations. In light of the current funding challenges, we are committed to ensuring that our customers continue to receive uninterrupted vulnerability management services.

Our platform leverages multiple data sources and proprietary algorithms to identify and prioritize vulnerabilities, enabling organizations to maintain robust security postures even in the absence of new CVE entries. We are actively monitoring the situation and will adapt our systems as needed to provide continuous protection for our clients.

As new developments surrounding the CVE program emerge, we will update this blog post accordingly.

Sagy Kratu

Sr. Product Marketing Manager
