
Updated 23:02 GMT with comment from CISA and at 23:29 with comment from former CISA Director Jen Easterly and others.
See also our follow-up piece published early April 16: "CVE Board member launches new 'CVE Foundation' after MITRE crisis"
The 25-year-old CVE program, under which non-profit MITRE catalogues publicly disclosed cybersecurity vulnerabilities, is at imminent risk of collapse.
That’s according to a leaked letter from MITRE’s Yosry Barsoum to the CVE Board – which warned that “on Wednesday, April 16, 2025, the current contracting pathway for MITRE to develop, operate, and modernize CVE and several other related programs, such as CWE, will expire.”

MITRE confirmed the letter’s legitimacy to The Stack and shared a comment that effectively mirrored Barsoum’s letter. The organisation added: “The government continues to make considerable efforts to support MITRE’s role in the program and MITRE remains committed to CVE as a global resource.”
CVE program collapse: CISA cuts to blame?
CVE’s “sponsor” is the US’s Cybersecurity and Infrastructure Security Agency (CISA), which has had its budget slashed and been publicly attacked by the current Trump administration. Some 1,300 CISA positions, or nearly 40% of its workforce, are widely reported to be at risk this week.
CISA told us: "Although CISA’s contract with the MITRE Corporation will lapse after April 16, we are urgently working to mitigate impact and to maintain CVE services on which global stakeholders rely."
A spokesperson declined to specify what that meant.
The Stack has also contacted CISA director nominee Sean Plankey for comment. (Plankey's nomination is on hold after an intervention by Senator Ron Wyden last week.) Former CISA Director Jen Easterly meanwhile posted on LinkedIn that what's at stake for businesses is:
- "Slower, riskier responses to threats: Without CVE identifiers, your cybersecurity team can’t quickly assess which software flaws are urgent and which are not. This slows down patching, increases exposure, and creates windows for attackers to get in.
- "Breakdown of trusted tools and processes: Most security tools—from scanners to risk dashboards—rely on CVEs to prioritize issues. Without them, automated defense systems start to fail, and your team is left in the dark.
- "Disruption to government guidance: CISA’s “Known Exploited Vulnerabilities” (KEV) catalog, the federal government’s repository for prioritizing flaws based on vulnerabilities being actively exploited by threat actors—is built entirely on CVEs. If CVEs vanish, so does one of the clearest public sector warning systems we have.
- "Global coordination collapses: Cyber threats don’t stop at borders—and neither does defense. CVEs are the common language used worldwide to share intelligence and coordinate action. Lose that, and everyone’s flying blind."
"Multiple impacts to CVE"
Barsoum directs MITRE’s cybersecurity research centre NCF, for the National Institute of Standards and Technology (NIST), which also reportedly faces mass cuts under the current Trump administration.
He added in his letter to the CVE board: “If a break in service were to occur, we anticipate multiple impacts to CVE, including deterioration of national vulnerability databases and advisories, tool vendors, incident response operations, and all manner of critical infrastructure…”
Security programs around the world including in major enterprises rely extensively on the CVE program for consistent descriptions of vulnerabilities, and to coordinate efforts to prioritize and address them.
As Tim Peck, a senior threat researcher at Securonix, put it, any break in CVE services could mean that "... the CNAs (CVE Numbering Authorities) and researchers may be unable to obtain or publish CVEs in a standardized manner. This would delay vulnerability disclosures and affect coordinated disclosure timelines. Notes on patching and remediations could be delayed, offering a greater window of time to attackers to engage in exploitation. Defense-based tooling such as vulnerability scanners and platforms that rely on CVE metadata (CISA KEV, VulnCheck and Nessus for example) may stop receiving timely or trusted CVE information, breaking sync pipelines.
"Additionally, the Common Weakness Enumeration (CWE) project is vital for software weakness classification and prioritization. Its halt would affect secure coding practices and risk assessments. The CVE program is foundational infrastructure. It's not just a nice-to-have 'referenceable list', it's a primary resource for vulnerability coordination, prioritization and response efforts across the private sector, government and open source.”
Greg Anderson, CEO and founder of vulnerability management platform DefectDojo told The Stack: "MITRE’s confirmation that it is losing DHS funding to maintain the Common Vulnerabilities and Exposures (CVE) program should concern every cybersecurity professional around the world, especially considering that the funding expires tomorrow—leaving no room for anything to be built in its place.
"If, as expected, the database goes offline tomorrow and only GitHub records remain, every security team has just lost an essential resource for early warnings and a cohesive framework for naming and addressing vulnerabilities.
"To illustrate, say a new vulnerability in encryption used across the internet emerges. Without the CVE program, one non-governing body may name the issue “The worst encryption flaw ever”, but another non-governing body names the issue “A terrible encryption flaw”, both not using the CVE-20XX-XXXX identification protocol. Without CVEs, how do we even know we’re talking about the same issue?
"The security community relies on standardizations to be able to quickly communicate about emerging threats and new vulnerabilities. Security professionals are going to have to gather and consolidate information in a piecemeal fashion without CVEs as a central repository, which costs valuable time that could be spent addressing the issues... Losing CVEs and their database could result in a total collapse of how known vulnerabilities are assessed, communicated, and remediated today."
MITRE noted that the CVE Program anchors a cybersecurity vendor market worth more than $37 billion, "providing foundational data to vendor products across vulnerability management, cyber threat intelligence, security information and event management, and endpoint detection and response."
It said that historical CVE Records will be available at GitHub, https://github.com/CVEProject.
One former federal CISO told us that the crisis was "administrivia" with senior figures working towards a near-term solution.
More to follow.
Have an insight into the risks to the program or want to comment? Reach us by email or find me on Signal at @Targett.11