Deep Take: NIST Just Quit Scoring Most CVEs
NIST confirmed last week what the vulnerability management community had been bracing for: the National Vulnerability Database will no longer guarantee comprehensive analysis of most new CVE submissions. The enrichment backlog now exceeds 25,000 unprocessed CVEs. Submission volume is up 263% since 2020. The staff and funding never caught up, and NIST has made the math official.
This is a structural break, not a temporary slowdown. For roughly two decades, enterprise vulnerability programs have been built on a simple assumption: a CVE is published, NIST enriches it with CVSS scoring and CPE data, and tooling downstream consumes that enrichment to prioritize patching. That assumption is now broken for the majority of new CVEs flowing into the system.
The downstream breakage is wider than most teams realize. SIEM correlation rules keyed to CVSS base scores will see fewer high-severity triggers, not because threats got less severe but because scoring simply stops. Patch SLA clocks that start on CVSS publication will stall on un-scored entries. Vendor risk questionnaires that demand CVSS mappings will come back with blank cells from smaller vendors who relied on NIST to do the work. Board reports that summarize "critical vulnerabilities" as defined by CVSS 9.0+ will understate actual risk.
The shift showing up across the DoGood network is decisive: CISA's Known Exploited Vulnerabilities catalog is becoming the primary prioritization signal. KEV entries are curated, require documented exploitation evidence, and carry federal remediation deadlines. Four members this month reported rebuilding their patch SLA tiers entirely around KEV status, with CVSS demoted to a secondary sorting factor. One security director at a regional bank put it plainly: "We stopped trusting the score and started trusting the catalog."
The second-order effect is what security leaders should be planning for now. Without NIST enrichment, the work of determining exploitability, affected products, and severity falls back on enterprise teams and their tooling vendors. Expect commercial vulnerability scanners to start pricing CVSS enrichment as a premium feature. Expect MSSPs to build proprietary scoring layers and charge for them. The scoring layer is being privatized because the public layer just announced it cannot keep up.
What to do this week: audit every place CVSS appears in your vulnerability management workflow. Patch SLAs, SIEM rules, board reporting, vendor contracts, risk register scoring. Anywhere a CVSS threshold is the decision point, add a KEV-inclusion check as an override trigger. Pull the last 90 days of closed vulnerability tickets and flag what percentage were prioritized by CVSS vs. KEV status. That ratio is your baseline. If it is not already tilted toward KEV, the next quarter will make it so.
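The audit step described above, written out as a small script (an added example, not part of the original newsletter or of any vendor tooling). It shows the legacy CVSS-only rule silently skipping entries that carry no score, a KEV-first tier function in which KEV membership overrides the CVSS threshold and unscored entries are routed to review rather than dropped, and the baseline ratio for the closed-ticket audit. The ticket field names, the sample rows, and the placeholder CVE ids are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class VulnTicket:
    """One closed vulnerability ticket as exported from a tracker (field names are assumed)."""
    cve_id: str
    cvss: Optional[float]        # None means NVD never enriched the entry
    in_kev: bool                 # True if the CVE appears in CISA's KEV catalog
    kev_due: Optional[date] = None


# Constructed sample data, not real ticket records; the CVE ids are placeholders.
SAMPLE_TICKETS = [
    VulnTicket("CVE-0000-0001", 9.8, False),
    VulnTicket("CVE-0000-0002", 7.5, True, date(2026, 5, 4)),
    VulnTicket("CVE-0000-0003", None, True, date(2026, 4, 28)),
    VulnTicket("CVE-0000-0004", None, False),
    VulnTicket("CVE-0000-0005", 5.3, False),
    VulnTicket("CVE-0000-0006", 9.1, True, date(2026, 5, 4)),
]


def legacy_is_critical(t: VulnTicket, threshold: float = 9.0) -> bool:
    """The pre-break rule: a CVSS-only threshold. An unscored entry can never trip it,
    which is exactly how SIEM rules and SLA clocks go quiet once enrichment stops."""
    return t.cvss is not None and t.cvss >= threshold


def priority_tier(t: VulnTicket, critical: float = 9.0, high: float = 7.0) -> str:
    """KEV-first tiering: KEV membership overrides the CVSS threshold, and entries with
    no score go to an explicit review queue instead of falling to the bottom."""
    if t.in_kev:
        return "P0-KEV"
    if t.cvss is None:
        return "UNSCORED-REVIEW"
    if t.cvss >= critical:
        return "P1"
    if t.cvss >= high:
        return "P2"
    return "P3"


def prioritization_baseline(tickets) -> dict:
    """Audit helper for the last 90 days of closed tickets: how many were driven by KEV,
    how many by CVSS alone, how many had neither signal, and how many KEV entries the
    legacy CVSS-only rule would have missed."""
    total = len(tickets)
    kev = sum(1 for t in tickets if t.in_kev)
    cvss_only = sum(1 for t in tickets if not t.in_kev and t.cvss is not None)
    unscored = sum(1 for t in tickets if not t.in_kev and t.cvss is None)
    missed = sum(1 for t in tickets if t.in_kev and not legacy_is_critical(t))
    return {
        "total": total,
        "kev_driven": kev,
        "cvss_driven": cvss_only,
        "no_signal": unscored,
        "kev_share": round(kev / total, 2) if total else 0.0,
        "kev_missed_by_legacy_rule": missed,
    }


def earliest_kev_deadline(tickets) -> Optional[date]:
    """Nearest federal remediation date among KEV entries; use it as the internal SLA."""
    dues = [t.kev_due for t in tickets if t.in_kev and t.kev_due is not None]
    return min(dues) if dues else None


if __name__ == "__main__":
    for t in SAMPLE_TICKETS:
        print(t.cve_id, priority_tier(t), "legacy_critical=%s" % legacy_is_critical(t))
    print(prioritization_baseline(SAMPLE_TICKETS))
    print("earliest KEV deadline:", earliest_kev_deadline(SAMPLE_TICKETS))
```

On the constructed rows, two of the three KEV entries never trip the legacy 9.0 rule (one is scored 7.5, one has no score at all), which is the gap the KEV override closes. The `kev_share` value is the baseline the text asks for; rerun it against a real ticket export with the same three fields to see where your program already stands.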
Source: NVD Dashboard and NIST announcement, April 21, 2026. https://nvd.nist.gov/general/news
Network signal: 38% of DoGood members submitting April priorities flagged "vulnerability prioritization" as a top-three 90-day focus, up from 11% in Q4 2025.
Powered by the DoGood network
The data in this issue came from priority submissions by 5,000+ enterprise IT leaders. If you run IT or security at a $100M+ company and want to see what your peers are funding — and earn rewards for participating in vetted meetings with vendors worth your time — apply to join DoGood.
Quick Hits
1. Two Defender Zero-Days Still Unpatched After 10 Days
Microsoft disclosed on April 14 that three Defender for Endpoint bypass techniques (nicknamed BlueHammer, RedSun, and UnDefend) are being actively exploited by at least one ransomware affiliate. Ten days later, only UnDefend has a patch. BlueHammer (CVE-2026-33825) and RedSun remain in the "mitigation guidance only" column. The guidance is to disable specific ASR rules temporarily, which reduces detection coverage on the exact endpoints being targeted. Several DoGood members on Defender ATP are running stopgap CrowdStrike or SentinelOne deployments on high-value servers until patches arrive.
Source: Microsoft Security Response Center, April 14 and April 22, 2026. https://msrc.microsoft.com/update-guide
2. Oracle Shipped 481 Patches, 300+ Need No Authentication
Oracle's April Critical Patch Update dropped April 15 with 481 security fixes across 27 product families. More than 300 of those vulnerabilities are exploitable remotely without authentication. The hardest-hit areas: Oracle Fusion Middleware (72 patches), Oracle Financial Services (58), and Oracle Communications (47). For any CIO whose ERP, middleware, or billing stacks touch Oracle, the next 30 days are a forced march. Members with heavy Oracle footprints are reporting a 6-to-8 week patch cycle once validation windows are factored in, which means real exposure until at least late May.
Source: Oracle Critical Patch Update Advisory, April 15, 2026. https://www.oracle.com/security-alerts/cpuapr2026.html
3. CISA Added Eight Flaws to KEV With One-Week Deadlines
CISA added eight vulnerabilities to the Known Exploited Vulnerabilities catalog on April 21 and 23, with federal remediation deadlines of April 28 and May 4. The list includes flaws in Cisco Catalyst SD-WAN Manager, Citrix NetScaler ADC, Progress Telerik Report Server, and a Linux kernel privilege escalation. The short deadlines signal high-confidence exploitation in the wild. Enterprise teams should treat the May 4 date as their own internal SLA, regardless of federal status.
Source: CISA KEV Catalog Updates, April 21 and 23, 2026. https://www.cisa.gov/known-exploited-vulnerabilities-catalog
The Number
263%
Increase in annual CVE submissions to MITRE from 2020 to 2025. NIST's enrichment capacity grew less than 5% over the same period. That gap is why the NVD pipeline just broke.
