The National Institute of Standards and Technology (NIST) recently made a significant update to the National Vulnerability Database (NVD): the introduction of a new CVE status called “Deferred.” This status has been applied to over 80,000 CVEs and we expect this to apply to over 95,000 CVEs over the next few days, and according to NIST:
We are assigning this status to older CVEs to indicate that we do not plan to prioritize updating NVD enrichment or initial NVD enrichment data due to the CVE’s age.
While this update may help NIST better allocate its limited resources, it introduces new risk to organizations that rely on the NVD as their primary source of vulnerability intelligence.
On paper, “Deferred” implies lower urgency—but in reality, the risks tied to these CVEs haven’t disappeared. In fact, older vulnerabilities are often recycled and reused in active campaigns by both opportunistic and sophisticated threat actors.
The “Deferred” label doesn’t mean these vulnerabilities are safe to ignore. It simply means they’re no longer being enriched with updated metadata by the NVD. That includes vital details like metrics, affected products, exploit information, and other intelligence.
VulnCheck treats every CVE as a forever-day, because we know exploitation doesn’t adhere to timelines or maintenance cycles. Our platform continues to monitor, enrich, and prioritize all CVEs—regardless of their status in the NVD.
Here’s how we do it:
- Autonomous Enrichment: We continuously collect and apply new evidence of in-the-wild exploitation, new exploit discoveries, and related IOCs.
- Threat Actor Attribution: Our intelligence maps CVEs to real-world adversaries and campaigns, helping prioritize what matters most to your organization and deprioritize the things that don’t.
- Exploit Discovery: VulnCheck identifies new exploit code and activity faster than traditional feeds, often before it spreads widely.
- Complete CVE Coverage: No CVE is left behind. Whether it’s newly published or deemed “Deferred,” VulnCheck delivers enrichment and context to every vulnerability.
- Retro CWE Mapping: NIST NVD only goes as far back as 2007 for mapping CWEs, VulnCheck maps CWEs as far back as 1998.
The introduction of the “Deferred” status represents a fundamental shift in how vulnerability data is curated at NIST and it further highlights the limitations of relying solely on the NVD for vulnerability intelligence.
We’re committed to providing a comprehensive, real-time view of the exploitability landscape—so you’re never blindsided by a supposedly “low-priority” vulnerability that turns out to be actively exploited.
If you’re ready to take a more proactive, evidence-based approach to vulnerability intelligence, let’s talk. VulnCheck is purpose-built to help teams detect, prioritize, and respond to real-world threats—no matter how long ago the CVE was published.
VulnCheck is helping organizations not just to solve the vulnerability prioritization challenge – we’re working to help equip any product manager, security team and threat hunting team to get faster and more accurate intelligence with infinite efficiency using VulnCheck solutions.
We knew that defenders needed better data, faster across the board, in our industry. So that’s what we deliver to the market. We’re deliver key insights on vulnerability management, exploitation and major trends we can extrapolate from our dataset to continuously support practitioners.
Are you interested in learning more? If so, VulnCheck’s Exploit & Vulnerability Intelligence has the broadest coverage.
