The National Institute of Standards and Technology (NIST) is struggling to manage the rising backlog of vulnerabilities in the National Vulnerability Database (NVD). As new CVE (Common Vulnerabilities and Exposures) reports continue to flood in, the delay is creating serious challenges for cybersecurity teams.
CVE Submissions Surge, NIST Struggles to Keep Up
According to NIST’s latest update, the backlog worsened despite efforts to maintain processing speeds. In 2024, CVE submissions jumped by 32%, leaving NVD systems overwhelmed. Even as operations returned to normal after a mid-year slowdown, the submission volume kept growing.
NIST now expects the number of reports to climb even higher in 2025. This rapid increase is already creating bottlenecks, making it harder for organizations to get timely information on emerging threats.
Vulnerability Management Teams Feel the Impact
The delay is affecting companies that depend on the NVD’s accurate and enriched data to protect their networks. Without faster processing, the gap between discovering new vulnerabilities and taking action keeps widening.
For cybersecurity professionals, this delay translates into blind spots. Systems remain exposed longer, increasing the risk of cyberattacks and data breaches.
Outdated Systems and Manual Processes Fuel the Backlog
NIST admits that the current NVD workflow wasn’t built to handle today’s CVE volumes. Its data systems rely heavily on outdated formats and manual enrichment processes. These bottlenecks are slowing everything down.
Even with more staff onboard, NIST’s pool of trained analysts and limited automation tools hasn’t been enough. Manual review processes continue to stall progress.
AI and Machine Learning Could Offer a Way Out
To solve the crisis, NIST is exploring the use of artificial intelligence (AI) and machine learning. These tools could automate parts of the processing pipeline, helping analysts focus on more complex tasks.
However, until that happens, the backlog will likely continue to grow—putting more pressure on vulnerability management programs worldwide.
Why the NVD Backlog Poses a Real Threat
Cybersecurity teams rely on the NVD as a trusted source of truth. When that system stalls, it creates serious risks. Without current vulnerability data, companies cannot prioritize patches or updates effectively.
If left unresolved, this backlog could weaken global defenses. Threat actors may exploit these delays, targeting systems left vulnerable due to outdated information.
