NIST marks all CVEs prior to Jan. 1, 2018, as ‘deferred’

Vulnerability Management, Patch/Configuration Management, Governance, Risk and Compliance

Facing potential layoffs of at least 500 probationary employees, the National Institute of Standards and Technology (NIST) last week announced that it will defer all common vulnerabilities and exposures (CVEs) published prior to Jan. 1, 2018.

The move, while understandable given the Trump administration's efforts to trim the federal workforce, raised some concerns in the cybersecurity community, mainly because many prolific cyber incidents were built on exploits of older CVEs, most notably WannaCry, NotPetya, and Colonial Pipeline.

Security researcher Patrick Garrity posted on LinkedIn that more than 94,000 CVEs issued prior to 2018 could be affected, which is 34% of all CVEs.

According to the NIST release, the agency assigned this status to older CVEs to indicate that it does not plan to prioritize updating National Vulnerability Database (NVD) enrichment because of a CVE's age. “We will continue to accept and review requests to update the metadata provided for these CVE records,” NIST said in the announcement. “Should any new information clearly indicate that an update to the enrichment data for the CVE is appropriate, we will continue to prioritize those requests as time and resources allow.”

Marc Gaffan, chief executive officer of IONIX, said it's understandable that NIST has been overwhelmed by the sheer volume of newly disclosed CVEs, and that its primary focus should rightly be on the initial assessment of these vulnerabilities. However, Gaffan pointed out that the critical factor in evaluating any CVE is its exploitability.

“With the rapid advancement of AI capabilities, there's growing concern that older CVEs may be revived through novel exploitation techniques,” said Gaffan. “This trend could catch organizations off guard, leaving them unprepared to address the new risks and exposures these re-emerging threats may introduce.”

Jon France, chief information security officer at ISC2, added that resources are limited and that prioritizing the more recent vulnerabilities will likely protect and inform a larger number of vulnerable organizations, allowing them to take steps to remediate or mitigate vulnerabilities.

“On the other hand, there may be novel twists in older vulnerabilities that won't be covered,” said France. “However, older vulnerabilities that are on the Known Exploited Vulnerabilities (KEV) list will continue to be updated and worked on, providing a measure of comfort. Keeping up to date with patches and the latest versions of software has to be part of the equation.”

Ted Miracco, chief executive officer at Approov, pointed out that just because a vulnerability is old doesn't mean it's irrelevant. In fact, Miracco said older vulnerabilities are often more dangerous because nation-states like China, Russia, Iran and North Korea have historically exploited outdated but unpatched vulnerabilities years after publication.

“They are most likely to be present in legacy systems still in production, particularly in critical infrastructure, government, medical and financial sectors,” said Miracco. “Security teams should look beyond CVSS scores and reference external enrichment sources such as MITRE CVE when validating patch status or threat mitigation. Map older CVEs to a software bill of materials (SBOM) to identify at-risk libraries/components.”
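As an added example (not from the article or from any of the vendors quoted), the following Python script takes the SBOM advice above literally: it maps scanner findings onto a CycloneDX-style SBOM, marks CVEs published before Jan. 1, 2018 as deferred, and ranks KEV-listed entries first so the deferred ones are not lost in a CVSS-sorted list. The SBOM, findings and KEV subset are all constructed inline, and the finding field names are assumptions about a scanner's output rather than any real tool's format.

```python
"""Triage scanner findings against an SBOM, flagging pre-2018 ("deferred") CVEs.
All data below is constructed for the example; the CVE IDs are placeholders
(five-digit zero-padded sequences are not valid real IDs), not real records."""
from datetime import date
import json

DEFERRAL_CUTOFF = date(2018, 1, 1)  # NIST now defers NVD enrichment before this date

# Constructed CycloneDX-style SBOM fragment (assumed fields: bom-ref, name, version).
SBOM = json.loads("""{"components": [
  {"bom-ref": "pkg:generic/legacy-ssl@1.0.1", "name": "legacy-ssl", "version": "1.0.1"},
  {"bom-ref": "pkg:generic/webfw@2.4", "name": "webfw", "version": "2.4"}]}""")

# Constructed scanner findings: CVE id, NVD publish date, component ref, CVSS base score.
FINDINGS = [
    {"cve": "CVE-2017-00001", "published": "2017-03-14", "ref": "pkg:generic/legacy-ssl@1.0.1", "cvss": 9.8},
    {"cve": "CVE-2016-00002", "published": "2016-11-02", "ref": "pkg:generic/webfw@2.4", "cvss": 5.3},
    {"cve": "CVE-2024-00003", "published": "2024-05-20", "ref": "pkg:generic/webfw@2.4", "cvss": 7.5},
    {"cve": "CVE-2015-00004", "published": "2015-07-01", "ref": "pkg:generic/not-in-sbom@0.1", "cvss": 9.0},
]

# Constructed subset of the CISA KEV catalog (only the cveID values are needed here).
KEV = {"CVE-2016-00002"}


def is_deferred(published: str) -> bool:
    """True when NVD published the CVE before the deferral cutoff."""
    return date.fromisoformat(published) < DEFERRAL_CUTOFF


def triage(findings, sbom, kev):
    """Map findings to SBOM components and rank them for manual review.

    Order: KEV-listed first (still actively enriched), then deferred CVEs
    (no further NVD enrichment, so exploitability must be assessed in-house),
    then everything else by CVSS. Findings with no SBOM match are dropped.
    """
    comps = {c["bom-ref"]: c for c in sbom["components"]}
    rows = []
    for f in findings:
        comp = comps.get(f["ref"])
        if comp is None:
            continue  # not in inventory, so not a deployed component
        rows.append({"cve": f["cve"], "component": f"{comp['name']}@{comp['version']}",
                     "deferred": is_deferred(f["published"]),
                     "kev": f["cve"] in kev, "cvss": f["cvss"]})
    rows.sort(key=lambda r: (not r["kev"], not r["deferred"], -r["cvss"]))
    return rows
```

Running `triage(FINDINGS, SBOM, KEV)` puts the KEV-listed 2016 finding first, the deferred 2017 finding second, and drops the finding whose component is not in the SBOM.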