MITRE Warns of CVE Funding Crisis as Contract Expires April 16

Apr 16, 2025 | News


Update 16/04:

CISA announced on April 16th via their official website that they had executed the option period on the CVE Program contract to prevent any lapse in critical services, stating:

The CVE Program is invaluable to the cyber community and a priority of CISA. Last night, CISA executed the option period on the contract to ensure there will be no lapse in critical CVE services. We appreciate our partners’ and stakeholders’ patience.

CVE and CWE Programs Face Critical Disruption Amid Government Contract Lapse

Today marks a potentially devastating turning point in global cybersecurity coordination, as funding for the Common Vulnerabilities and Exposures (CVE) and Common Weakness Enumeration (CWE) programs—cornerstones of vulnerability tracking—officially expires.

According to a letter sent by MITRE Vice President Yosry Barsoum to CVE Board members, the U.S. Department of Homeland Security (DHS) has not yet renewed or extended the contract under which MITRE operates these programs.

“On Wednesday, April 16, 2025, the current contracting pathway for MITRE to develop, operate, and modernize CVE and several other related programs, such as CWE, will expire,” Barsoum stated.

The warning has triggered alarm across the cybersecurity industry, as CVE is the global backbone for tracking security vulnerabilities, and any service disruption could cripple national and international threat intelligence, vulnerability management, and incident response operations.

Letter to CVE Board (Tib3rius)


Why CVE Matters So Much

The CVE program, launched in 1999, provides a shared language and framework for identifying, labeling, and tracking vulnerabilities across all platforms and sectors.

  • Used in thousands of cybersecurity tools, from scanners to patch management systems
  • Enables clear, consistent naming of vulnerabilities to avoid confusion
  • Supports coordinated disclosure, advisory publication, and industry response
  • Serves as the foundation for NIST’s National Vulnerability Database (NVD)

MITRE also acts as the Primary CVE Numbering Authority (CNA) and oversees dozens of CNAs globally that assign CVEs to newly discovered vulnerabilities.


Industry Reactions: ‘A Cybersecurity Catastrophe in the Making’

Security leaders across the industry have warned of catastrophic consequences if CVE services go offline or slow down.

Jen Easterly, former head of CISA:
“Losing [the CVE system] would be like tearing out the card catalog from every library at once—leaving defenders to sort through chaos while attackers take full advantage.”

Casey Ellis, Bugcrowd Founder:
“CVE underpins vulnerability management, incident response, and critical infrastructure protection. A sudden interruption has the potential to bubble up into a national security problem in short order.”


CISA Responds Amid Growing Tension

While DHS, NIST, and DoD have yet to formally comment, a CISA spokesperson confirmed to BleepingComputer that:

“Although CISA’s contract with the MITRE Corporation will lapse after April 16th, we are urgently working to mitigate impact and to maintain CVE services on which global stakeholders rely.”


NVD Already Under Pressure

Compounding the crisis, NIST’s National Vulnerability Database (NVD) is also suffering from a growing backlog of CVEs needing analysis and enrichment. Without continued CVE assignments and updates, that backlog could surge into unmanageable territory, slowing patch development, tool updates, and vendor advisories.




What’s at Stake?

If MITRE is forced to pause or scale back operations:

  • Vulnerability tracking across the industry may stall
  • Security vendors could miss threats or duplicate work
  • Incident response coordination may fail across government and enterprise
  • Critical infrastructure defenses may weaken without timely vulnerability intelligence

The lapse also puts the entire CWE program at risk. CWE provides the classification and understanding of the software weaknesses that lead to vulnerabilities, which is essential for secure coding standards and automated detection systems.


Next Steps & Urgent Action Needed

Despite reassurances from CISA, industry insiders say time is running out. Without an immediate bridge contract or emergency funding, even a brief interruption in CVE operations could lead to long-term security gaps and systemic disruption.

As of this writing, MITRE is continuing operations, but its ability to sustain the CVE program beyond today remains uncertain.

The expiration of MITRE’s funding contract for CVE and CWE programs is not just a bureaucratic hiccup—it threatens the foundational infrastructure of global cybersecurity.
In a digital world under constant attack, the loss of CVE’s shared language and structure would force defenders to fly blind—while adversaries waste no time exploiting the chaos.


Source: bleepingcomputer.com
