The National Vulnerability Database will prioritize only critical software vulnerabilities and those under active exploitation, a strategic shift to address a significant backlog created by a 2024 funding lapse.
NIST's decision marks a substantial change in how the agency manages its vulnerability analysis workload. The database will now concentrate on CVEs listed in CISA's known exploited catalog and vulnerabilities affecting federal government systems.
The funding lapse in 2024 created a substantial backlog that exceeded the agency's capacity to analyze all reported vulnerabilities. Rather than process submissions across the board, NIST is implementing a triage approach focused on threats with the highest impact and immediate risk.
Critical software vulnerabilities—those affecting widely-used systems—remain the primary focus. Vulnerabilities already documented as exploited in the wild by CISA take precedence, reflecting the real-world threat landscape.
The shift acknowledges resource constraints while maintaining focus on vulnerabilities posing the greatest risk to organizations and government infrastructure. NIST continues accepting submissions for all vulnerability types, though analysis timelines for lower-priority entries may extend significantly.
Federal prosecutors have unsealed a 2024 indictment charging three Russian nationals and two web hosting services with facilitating cyberattacks and money laundering that victimized cybercrime targets of $62 million.
A hacker accessed Suno's source code using stolen employee credentials, revealing that the AI music generator scraped decades of audio from YouTube to train its model.
Criminals can now clone voices with AI in mere seconds, outpacing traditional authentication defenses that banks and financial institutions rely on to prevent fraud.
Five malicious versions of AsyncAPI packages were published to npm, delivering a remote access trojan capable of stealing credentials and sensitive data from developer systems.