Tuesday, May 6, 2025

MITRE Ends CVE Program Support – Leaked Internal Memo Confirms Departure


A leaked internal memo dated April 15, 2025, has sent shockwaves through the cybersecurity community, revealing that MITRE’s contract to operate the Common Vulnerabilities and Exposures (CVE) program is set to expire today, April 16, 2025.

The letter, reportedly obtained from a reliable source and addressed to CVE Board Members, is signed by Yosry Barsoum, Vice President and Director of MITRE’s Center for Securing the Homeland (CSH).

The memo casts doubt on MITRE’s continued role in maintaining the CVE program, a foundational pillar in global cybersecurity.

MITRE, a not-for-profit organization headquartered in McLean, Virginia, operates several federally funded research and development centers (FFRDCs), including the National Cybersecurity FFRDC, which has long supported the CVE initiative.

The CVE program, funded by the U.S. Department of Homeland Security, standardizes the identification and cataloging of cybersecurity vulnerabilities and is relied upon by organizations worldwide.

The leaked memo warns that the expiration of MITRE’s contract to “develop, operate, and modernize CVE and several other related programs, such as CWE,” could result in significant disruptions.

Potential impacts cited include the deterioration of national vulnerability databases and advisories, negative effects on tool vendors and incident response operations, and broader risks to critical infrastructure.

Notably, cybersecurity reporter David DiMolfetta has confirmed the authenticity of the memo, further heightening industry concerns.

The CVE database, with more than 274,000 entries, underpins a $37 billion cybersecurity vendor market.

Its standardized records enable efficient vulnerability management, cyber threat intelligence, and response across industry, government, and national security sectors. Any interruption in MITRE’s stewardship threatens to destabilize this global system.

The program has faced transitions in recent years, including a migration to a new website (CVE.ORG), an update of record formats to JSON, and an expansion of assignments to service-based vulnerabilities beyond traditional software flaws.

These adaptations reflect the evolving threat landscape but underscore the necessity for consistent funding and operational continuity.

In an official response to Cyber Security News, a MITRE spokesperson confirmed, “April 16, 2025, funding for MITRE to develop, operate, and modernize the Common Vulnerabilities and Exposures (CVE) Program and related programs, such as the Common Weakness Enumeration (CWE) Program, will expire.

The government continues to make considerable efforts to support MITRE’s role in the program and MITRE remains committed to CVE as a global resource.”

As the cybersecurity community awaits clarity, the potential lapse of MITRE’s support puts the future of vulnerability management—and global cyber resilience—at a critical juncture.

Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.
