U.S. Govt. Funding for MITRE’s CVE Ends April 16, Cybersecurity Community on Alert

Avatar
The U.S. government funding for non-profit research giant MITRE to operate and maintain its Common Vulnerabilities and Exposures (CVE) program will expire Wednesday, an unprecedented development that could shake up one of the foundational pillars of the global cybersecurity ecosystem. The 25-year-old CVE program is a valuable tool for vulnerability management, offering a de facto standard to

The U.S. government funding for non-profit research giant MITRE to operate and maintain its Common Vulnerabilities and Exposures (CVE) program will expire Wednesday, an unprecedented development that could shake up one of the foundational pillars of the global cybersecurity ecosystem.

The 25-year-old CVE program is a valuable tool for vulnerability management, offering a de facto standard to identify, define, and catalog publicly disclosed security flaws using CVE IDs.

Yosry Barsoum, MITRE’s vice president and director of the Center for Securing the Homeland (CSH), said its funding to “develop, operate, and modernize CVE and related programs, such as the Common Weakness Enumeration (CWE), will expire.”

“If a break in service were to occur, we anticipate multiple impacts to CVE, including deterioration of national vulnerability databases and advisories, tool vendors, incident response operations, and all manner of critical infrastructure,” Barsoum noted in a letter sent to CVE Board Members.

However, Barsoum pointed out that the government continues to “make considerable efforts” to support MITRE’s role in the program and that MITRE remains committed to CVE as a global resource.

The CVE program was launched in September 1999 and has been run by MITRE with sponsorship from the U.S. Department of Homeland Security (DHS) and the Cybersecurity and Infrastructure Security Agency (CISA).

In response to the move, cybersecurity firm VulnCheck, which is a CVE Numbering Authority (CNA), has announced that it is proactively reserving 1,000 CVEs for 2025 to help fill the void.

“A service break would likely degrade national vulnerability databases and advisories,” Jason Soroko, Senior Fellow at Sectigo, said in a statement shared with The Hacker News.

“This lapse could negatively affect tool vendors, incident response operations, and critical infrastructure broadly. MITRE emphasizes its continued commitment but warns of these potential impacts if the contracting pathway is not maintained.”

Tim Peck, Senior Threat Researcher at Securonix, told The Hacker News that a lapse could have massive consequences for the cybersecurity ecosystem where CNAs and defenders may be unable to obtain or publish CVEs, causing delays in vulnerability disclosures.

“Additionally, the Common Weakness Enumeration (CWE) project is vital for software weakness classification and prioritization,” Peck said. “Its halt would affect secure coding practices and risk assessments. The CVE program is a foundational infrastructure. It’s not just a nice to have ‘referenceable list,’ it’s a primary resource for vulnerability coordination, prioritization and response efforts across the private sector, government and open source.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

 The Hacker News 

Total
0
Shares
Previous Post

MITRE warns of lapse with CVE program as contract with US set to expire

Next Post

Chinese Android Phones Shipped with Fake WhatsApp, Telegram Apps Targeting Crypto Users

Related Posts

Suspected Iranian Hackers Used Compromised Indian Firm’s Email to Target U.A.E. Aviation Sector

Threat hunters are calling attention to a new highly-targeted phishing campaign that singled out "fewer than five" entities in the United Arab Emirates (U.A.E.) to deliver a previously undocumented Golang backdoor dubbed Sosano. The malicious activity was specifically directed against aviation and satellite communications organizations, according to Proofpoint, which detected it in late October
Avatar
Read More

CISA Warns of Active Exploits Targeting Trimble Cityworks Vulnerability

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has warned that a security flaw impacting Trimble Cityworks GIS-centric asset management software has come under active exploitation in the wild. The vulnerability in question is CVE-2025-0994 (CVSS v4 score: 8.6), a deserialization of untrusted data bug that could permit an attacker to conduct remote code execution. "This could
Avatar
Read More