MITRE’s CVE Program Support Ends Today, Leaked Internal Letter Confirms

A leaked letter from MITRE, dated April 15, 2025, has sent shockwaves through the cybersecurity community.

The document, addressed to CVE Board Members and signed by Yosry Barsoum, Vice President and Director of MITRE’s Center for Securing the Homeland (CSH), reveals that MITRE’s contract to develop, operate, and modernize the Common Vulnerabilities and Exposures (CVE) program expires today, April 16, 2025.

This development threatens the continuity of a foundational cybersecurity resource relied upon globally.

CVE Program: The Backbone of Vulnerability Management

The CVE program, launched in 1999 and managed by MITRE with funding from the U.S. Department of Homeland Security (DHS) and the Cybersecurity and Infrastructure Security Agency (CISA), provides a standardized system for identifying, defining, and cataloging publicly disclosed cybersecurity vulnerabilities using unique identifiers known as CVE IDs (e.g., CVE-2024-43573).

This system enables organizations worldwide to prioritize and remediate security risks efficiently, forming the backbone of vulnerability management, incident response, and cyber threat intelligence tools.

As of April 2025, the CVE database contains over 274,000 entries, underscoring its critical role in the cybersecurity landscape.

Hundreds of organizations, known as CVE Numbering Authorities (CNAs), are authorized by MITRE to assign CVE numbers to new vulnerabilities, ensuring consistent and centralized tracking.

Implications of Funding Expiry

In the letter, Barsoum warns of “multiple impacts” should a break in service occur, including the “deterioration of national vulnerability databases and advisories, tool vendors, incident response operations, and all manner of critical infrastructure”.

Without new funding, MITRE will be unable to assign new CVE IDs or maintain the program’s infrastructure, leaving the cybersecurity ecosystem in limbo.

Security experts have described the potential shutdown as “tragic,” noting that the CVE program is the de facto international standard for vulnerability identification.

“Without it, we can’t track newly discovered vulnerabilities,” said Sasha Romanosky, senior policy researcher at the Rand Corporation.

The ripple effects could disrupt national vulnerability databases, slow vendor responses, and undermine coordinated defenses against emerging threats.

Recent Program Developments and Technical Shifts

The CVE program has undergone significant changes in recent years to adapt to evolving threats. These include:

  • Transitioning to a new website (CVE.ORG) and updating the CVE record format to JSON, with legacy format support ending June 30, 2024.
  • Expanding CVE assignment to include service-based vulnerabilities, not just flaws in distributed software products.
  • Supporting a cybersecurity vendor market valued at over $37 billion, providing foundational data to products across vulnerability management, SIEM, and endpoint detection and response.

MITRE’s Commitment and Community Response

Despite the uncertainty, MITRE has reaffirmed its commitment to the CVE program as a global resource, emphasizing ongoing efforts by the government to secure continued support.

Industry stakeholders such as VulnCheck have pledged support for MITRE and the CVE ecosystem, recognizing the program’s decades-long contributions.

In an official statement, MITRE confirmed to Cyber Security News: “April 16, 2025, funding for MITRE to develop, operate, and modernize the Common Vulnerabilities and Exposures (CVE®) Program and related programs, such as the Common Weakness Enumeration (CWE™) Program, will expire.

The government continues to make considerable efforts to support MITRE’s role in the program, and MITRE remains committed to CVE as a global resource”.

Looking Ahead

As the cybersecurity world waits for a resolution, the expiration of MITRE’s CVE contract highlights the fragility of critical infrastructure underpinning global digital security.

Without immediate action, organizations may face delays in vulnerability tracking, advisories, and cyber response, exposing critical infrastructure to heightened risk.

The coming days will be pivotal in determining the future of vulnerability management and the security of digital ecosystems worldwide.


AnuPriya
AnuPriya is a cybersecurity reporter at Cyber Press, specializing in cyber attacks, dark web monitoring, data breaches, vulnerabilities, and malware. She delivers in-depth analysis on emerging threats and digital security trends.
