A leaked internal memo dated April 15, 2025, has sent shockwaves through the cybersecurity community, revealing that MITRE’s contract to operate the Common Vulnerabilities and Exposures (CVE) program is set to expire today, April 16, 2025.
The letter, reportedly obtained from a reliable source and addressed to CVE Board Members, is signed by Yosry Barsoum, Vice President and Director of MITRE’s Center for Securing the Homeland (CSH).
The memo casts doubt on MITRE’s continued role in maintaining the CVE program, a foundational pillar in global cybersecurity.
MITRE, a not-for-profit organization headquartered in McLean, Virginia, operates several federally funded research and development centers (FFRDCs), including the National Cybersecurity FFRDC, which has long supported the CVE initiative.
The CVE program, funded by the U.S. Department of Homeland Security, standardizes the identification and cataloging of cybersecurity vulnerabilities and is relied upon by organizations worldwide.
The leaked memo warns that the expiration of MITRE’s contract to “develop, operate, and modernize CVE and several other related programs, such as CWE,” could result in significant disruptions.
Potential impacts cited include the deterioration of national vulnerability databases and advisories, negative effects on tool vendors and incident response operations, and broader risks to critical infrastructure.
Notably, cybersecurity reporter David DiMolfetta has confirmed the authenticity of the memo, further heightening industry concerns.
The CVE database, with more than 274,000 entries, underpins a $37 billion cybersecurity vendor market.
Its standardized records enable efficient vulnerability management, cyber threat intelligence, and response across industry, government, and national security sectors. Any interruption in MITRE’s stewardship threatens to destabilize this global system.
The program has undergone several transitions in recent years, including a migration to a new website (CVE.ORG), a change of record format to JSON, and an expansion of assignments to service-based vulnerabilities beyond traditional software flaws.
These adaptations reflect the evolving threat landscape but underscore the necessity for consistent funding and operational continuity.
In an official response to Cyber Security News, a MITRE spokesperson confirmed, “April 16, 2025, funding for MITRE to develop, operate, and modernize the Common Vulnerabilities and Exposures (CVE) Program and related programs, such as the Common Weakness Enumeration (CWE) Program, will expire.
The government continues to make considerable efforts to support MITRE’s role in the program and MITRE remains committed to CVE as a global resource.”
As the cybersecurity community awaits clarity, the potential lapse of MITRE’s support puts the future of vulnerability management—and global cyber resilience—at a critical juncture.