A recent VulnCheck report reveals a concerning trend: over half of known exploited vulnerabilities (KEVs) are absent from the US National Vulnerability Database (NVD). Among the 59 KEVs identified since February 12, 30 have yet to be analyzed by the NVD team, representing a significant gap in cybersecurity coverage. Additionally, critical metadata for 50.8% of KEVs is missing, indicating a lack of comprehensive information on these exploitable software flaws.
The report underscores the urgency of addressing vulnerabilities promptly, as KEVs pose a high level of threat to organizations. With cyber threats evolving rapidly, the delayed analysis and inclusion of vulnerabilities in the NVD highlight the challenge of keeping pace with emerging risks. Patrick Garrity, a vulnerability researcher at VulnCheck, emphasizes the pressing need for proactive measures to mitigate these threats effectively.
Moreover, the VulnCheck report reveals deficiencies in analyzing weaponized vulnerabilities and those with proof-of-concept exploits. More than half of weaponized vulnerabilities and 82% of vulnerabilities with proof-of-concept exploits have not been analyzed by the NVD since February 12. This suggests a broader issue of inadequate vulnerability assessment and response mechanisms, leaving organizations vulnerable to cyberattacks. Despite these challenges, initiatives such as the release of the new CVE format and CISA’s Vulnrichment program offer potential solutions to bridge the gap in vulnerability analysis and strengthen cybersecurity efforts.
