Aggregator
CVE-2024-23280 | Apple tvOS Webpage information disclosure (FEDORA-2024-7ee03010c5)
CISA Extend Funding to MITRE to Keep CVE Program Running
The Cybersecurity and Infrastructure Security Agency (CISA) has extended funding to the MITRE Corporation, ensuring the continued operation of the Common Vulnerabilities and Exposures (CVE) program, a linchpin of global cybersecurity. Announced late on April 15, 2025, just hours before the program’s funding was set to expire, the 11-month extension averts a crisis that could […]
The post CISA Extend Funding to MITRE to Keep CVE Program Running appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.
Frequently Asked Questions About the MITRE CVE Program Expiration and Renewal
Concerns about the future of the MITRE CVE Program continue to circulate. The Tenable Security Response Team has created this FAQ to help provide clarity and context around this developing situation.
Background
The Tenable Security Response Team has compiled this blog to answer Frequently Asked Questions (FAQ) regarding changes around the MITRE CVE Program. As the situation continues to evolve, we will continue to provide updates as new information is released.
FAQ
What is the current status of the MITRE CVE Program?
As of April 16, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has extended funding for the MITRE CVE Program for one year. In a post and update to their website, CISA confirmed the extension, and a spokesperson added that they “executed the option period on the contract to ensure there will be no lapse in critical CVE services.”
— Cybersecurity and Infrastructure Security Agency (@CISAgov) April 16, 2025
When did CVE Board Members find out about the expiration of the MITRE CVE Program and other related programs?
CVE Board members received a notification from MITRE on April 15, 2025. This notification was circulated on social media and picked up in news articles. Tenable published a blog post about the forthcoming expiration and updated it on April 16 upon news of the subsequent renewal.
What is the importance of the CVE Program?
The CVE Program provides the industry with a common identifier for vulnerabilities, which in turn allows the industry to fully track all affected products, remediations, tactics, techniques and procedures (TTPs) and risk measurements for a vulnerability. Without it, we run the risk of being unable to accurately map active exploitation and associated risk to that vulnerability.
One important function that the CVE program serves is to operate as a CVE Naming Authority (CNA) of last resort, particularly when there are disputes over CVE issuance. This helps to minimize conflicting reports and duplicate records.
What is the value of having a CVE Naming Authority (CNA)?
The CVE Program enables various entities to become a CNA. The CNA program allows vendors, researchers, open source developers and others to reserve and assign CVEs while providing information about a vulnerability. Currently there are over 450 CNAs that participate in the CVE Program.
What is Tenable’s relationship with the CVE Program?
Tenable is a CNA within the CVE Program and, as such, issues CVEs for its own products and vulnerabilities in other products discovered by its research team for which there is no CNA.
What about the announcements of efforts from the CVE Foundation and GCVE?
On the morning of April 16, 2025, the CVE Foundation published a press release regarding an effort for transitioning the CVE program to a non-profit foundation established by active CVE Board members. The CVE Foundation aims to move the CVE Program away from a government-funded project to eliminate the risk of “a single point of failure in the vulnerability management ecosystem.”
Additionally, we are aware of other efforts being launched, including the Global CVE (GCVE) allocation system by the Computer Incident Response Center Luxembourg (CIRCL). According to their FAQ, GCVE is a “decentralized system for identifying and numbering security vulnerabilities.” The GCVE site notes that existing CNAs can become GCVE Numbering Authorities (GNAs) and would have autonomy to define their own policies for the identification of vulnerabilities.
Tenable will continue to monitor these evolving efforts surrounding CVE and other programs and update the community as we learn more.
How is Tenable impacted by the interruptions to CVE issuance at both MITRE and the National Vulnerability Database (NVD)?
With uncertainty around interruptions to the CVE Program, Tenable has reserved a sufficient number of CVEs for disclosing vulnerabilities in our products and those discovered in other products.
Tenable is not dependent on either MITRE or NVD for sourcing the logic needed to determine if a product is vulnerable or not. We source our coverage from vendor advisories, which will enable us to continue providing coverage as long as vendors publish security advisories.
Get more information
- Tenable Blog: MITRE CVE Program Funding Extended For One Year
- Tenable Blog: Recent NVD Delays Won’t Affect Tenable Vulnerability Management Customers Thanks To Our Diverse Scoring Sources
- CVE Foundation
- Global CVE Allocation System (GCVE)
Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.
The post Frequently Asked Questions About the MITRE CVE Program Expiration and Renewal appeared first on Security Boulevard.
CVE-2024-23280 | Apple iOS/iPadOS Webpage information disclosure (FEDORA-2024-7ee03010c5)
CVE-2024-23280 | Apple Safari Webpage information disclosure (FEDORA-2024-7ee03010c5)
CVE-2024-23280 | Apple macOS Webpage information disclosure (FEDORA-2024-7ee03010c5)
CVE-2024-23280 | Apple watchOS Webpage information disclosure (FEDORA-2024-7ee03010c5)
CVE-2024-2238 | Premium Addons Pro Plugin up to 2.9.12 on WordPress Custom Mouse Cursor Module cross site scripting
CVE-2024-2239 | Premium Addons Pro Plugin up to 2.9.12 on WordPress Premium Magic Scroll Module cross site scripting
Windows Task Scheduler Vulnerabilities Allow Attackers to Gain Admin Account Control
New vulnerabilities in Windows Task Scheduler’s schtasks.exe let attackers bypass UAC, alter metadata, modify event logs, and evade detection. These actions map to MITRE ATT&CK tactics: Persistence, Privilege Escalation, Execution, Lateral Movement, and Defense Evasion. Abuse of schtasks.exe enables stealthy task creation and manipulation without alerting defenders, making it a reliable tool for maintaining access […]
The post Windows Task Scheduler Vulnerabilities Allow Attackers to Gain Admin Account Control appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.
People’s Republic of China activity targeting network edge routers: Observations and mitigation strategies
Beware of Online PDF Converters That Trick Users into Installing Password-Stealing Malware
Cybercriminals have launched a sophisticated malware campaign leveraging fake PDF-to-DOCX converter websites that mimic the popular legitimate service PDFCandy. The malicious websites, including domains such as candyxpdf[.]com and candyconverterpdf[.]com, deploy an elaborate social engineering tactic designed to harvest sensitive information from unsuspecting users seeking to convert document formats. When users attempt to convert documents on […]
The post Beware of Online PDF Converters That Trick Users into Installing Password-Stealing Malware appeared first on Cyber Security News.