Cyber Security Blog

Is the CVE Programme at Risk? What a Funding Lapse Could Mean!

Written by Craig Pepper | Apr 16, 2025 12:34:58 PM

A potential pause in the US-funded CVE (Common Vulnerabilities and Exposures) system could significantly impact how organisations around the world identify, track, and respond to software vulnerabilities. As the contract supporting this critical infrastructure faces expiration, the security community is bracing for potential disruption. Here's what you need to know—and why it matters.


What Is Happening with the CVE Programme?

The Common Vulnerabilities and Exposures (CVE) Programme is the system that assigns unique identifiers to cybersecurity flaws in software—those “CVE-2025-XXXX” numbers that appear in patch notes, advisories, and vulnerability alerts. Since its launch in 1999, the CVE system has become a foundational part of how the security community shares, tracks, and manages known vulnerabilities.

This critical system is operated by MITRE, a not-for-profit organisation, under contract with the US Department of Homeland Security (DHS). However, as of 16 April 2025, MITRE has warned that its contract has expired and, with no renewal in place, the programme may temporarily shut down. This would mean no new CVE identifiers would be issued, and the public CVE website may eventually go offline.

The lapse is part of wider US government funding issues. In recent months, DHS has allowed several cybersecurity-related contracts to expire, and the CVE Programme may now be among them.

MITRE’s Warning: “We Might Have to Hit Pause”

MITRE has issued warnings about the risks involved. According to their statements, without renewed funding:

  • No new CVE identifiers will be issued

  • The CVE website could become inaccessible

  • Critical tools and databases that rely on CVEs may begin to break down

MITRE’s leadership described “multiple impacts” across national infrastructure, vulnerability tracking systems, and security tool vendors if the CVE programme halts. They have expressed a strong desire to continue operating the programme but indicated that, without a new contract, they may be forced to suspend operations.

Why This Matters to Every Organisation

A disruption in the CVE system would affect nearly every organisation with a cybersecurity posture. Here is why:

1. Vulnerability Management Relies on CVE

Security teams use CVE identifiers to track known vulnerabilities, assess risk, and determine whether their systems are exposed. Without new identifiers, vulnerability management processes may stall or become inconsistent.

2. Incident Response Could Be Disrupted

Standardised CVE identifiers allow teams to correlate threat intelligence and incident reports across systems. Without them, it becomes harder to verify whether different sources are describing the same vulnerability.

3. Compliance and Audit Requirements May Be Affected

Many compliance frameworks and patch management policies reference CVE identifiers. If new vulnerabilities are not assigned identifiers, organisations may struggle to demonstrate that they are meeting regulatory obligations.

4. Security Tools and Ecosystems Could Be Impacted

Security scanners, threat intelligence feeds, and vulnerability databases all rely on CVE data. A lapse in the CVE programme could affect the accuracy and timeliness of these tools.

What Steps Are Being Taken?

The US Cybersecurity and Infrastructure Security Agency (CISA) has stated that it is “urgently working” to maintain CVE operations. However, as of now, no replacement contract or detailed transition plan has been announced. In the meantime:

  • MITRE has confirmed that historical CVE data will remain available, such as through GitHub archives.

  • Some CVE Numbering Authorities, such as VulnCheck, have reserved a number of CVE identifiers in advance to help bridge any short-term gap.

  • Security leaders are calling for an industry-led contingency plan, should government support remain on hold.

Should You Be Concerned?

There is no need for alarm, but it is a development that should be monitored closely.

Existing CVE data remains intact, and most cybersecurity operations will continue uninterrupted in the immediate term. However, if the CVE system remains stalled for an extended period, the visibility and coordination of new vulnerabilities may suffer. This could create delays in patching and confusion during incident response.

Organisations are advised to:

  • Monitor security updates from trusted vendors, even if they lack CVE identifiers

  • Follow official communications from MITRE and CISA

  • Review internal tools and processes to ensure they do not rely solely on CVE data
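One way to make point 2 above and the last bullet concrete, as an added example that is not part of this post: a small Python correlator that merges advisory records from several feeds on any shared identifier (CVE, GHSA, vendor advisory ID) or on a (vendor, product, fixed-version) fingerprint, so records that arrive without a CVE number still group with the ones that have one. The feed names, advisory IDs and versions are constructed for the example.

```python
"""Correlate advisories from several feeds without requiring a CVE identifier."""
from collections import defaultdict

# Constructed sample records from hypothetical feeds. "CVE-2025-XXXX" is the
# post's own placeholder style; the GHSA and vendor IDs are made up here.
ADVISORIES = [
    {"source": "nvd", "ids": ["CVE-2025-XXXX"],
     "vendor": "acme", "product": "widgetd", "fixed": "2.4.1"},
    {"source": "ghsa", "ids": ["GHSA-cons-truc-ted1", "CVE-2025-XXXX"],
     "vendor": "acme", "product": "widgetd", "fixed": "2.4.1"},
    {"source": "vendor", "ids": ["ACME-SA-2025-07"],   # no CVE assigned
     "vendor": "acme", "product": "widgetd", "fixed": "2.4.1"},
    {"source": "vendor", "ids": ["ACME-SA-2025-08"],   # no CVE assigned
     "vendor": "acme", "product": "gadgetd", "fixed": "1.0.3"},
    {"source": "ghsa", "ids": ["GHSA-cons-truc-ted2"],  # no CVE assigned
     "vendor": "acme", "product": "gadgetd", "fixed": "1.0.3"},
]

def _find(parent, i):
    """Union-find root lookup with path halving."""
    while parent[i] != i:
        parent[i] = parent[parent[i]]
        i = parent[i]
    return i

def correlate(advisories):
    """Return one cluster per distinct vulnerability, keyed by CVE when one exists."""
    parent = list(range(len(advisories)))
    seen = {}  # normalised ID or fingerprint -> first record index carrying it
    for i, adv in enumerate(advisories):
        keys = [("id", x.strip().upper()) for x in adv["ids"]]
        keys.append(("fp", adv["vendor"].lower(), adv["product"].lower(), adv["fixed"]))
        for k in keys:
            if k in seen:  # shared alias or fingerprint: merge the two records
                parent[_find(parent, i)] = _find(parent, seen[k])
            else:
                seen[k] = i
    groups = defaultdict(list)
    for i, adv in enumerate(advisories):
        groups[_find(parent, i)].append(adv)
    clusters = []
    for members in groups.values():
        aliases = sorted({x.strip().upper() for m in members for x in m["ids"]})
        cves = [a for a in aliases if a.startswith("CVE-")]
        key = cves[0] if cves else (aliases[0] if aliases else "UNIDENTIFIED")
        clusters.append({"key": key, "aliases": aliases,
                         "sources": sorted({m["source"] for m in members})})
    return sorted(clusters, key=lambda c: c["key"])
```

Running `correlate(ADVISORIES)` yields two clusters: one keyed by the CVE with all three of its aliases, and one for the second flaw that is tracked only by vendor and GHSA identifiers.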

Final Thoughts

For organisations, the key is to stay informed, remain adaptable, and ensure security processes are resilient to change. Monitor updates from trusted vendors, look beyond CVE references when assessing threats, and consider how internal systems and tools handle vulnerability data.

This is also an opportunity to stress-test how well your organisation can respond to emerging risks when the usual sources of information are temporarily disrupted. It’s a moment to reinforce—not replace—your existing security practices.

We’ll continue to track developments closely and provide updates as new information becomes available. In the meantime, vigilance, flexibility, and clarity will serve all of us well.


References

Public statements from MITRE Corporation on CVE operations

Statements and updates from the US Cybersecurity and Infrastructure Security Agency (CISA)