CVE Aggregation in Times of Uncertainty

Editor’s Note: This is the first of a two-part series addressing the purpose of CVE databases, the future of MITRE, and ultimately, how Asimily approaches CVEs in the realm of risk mitigation in IoT. Stay tuned for part two, coming later this week.
For more than 25 years, MITRE has operated the Common Vulnerabilities and Exposures (CVE) program on behalf of the U.S. federal government. The CVE list has served a valuable role as the common identifier and description for publicly known vulnerabilities, providing context for security teams at organizations of all sizes. (Severity scores are layered on top of it by the NIST National Vulnerability Database and, increasingly, by the organizations that file the records.)
On April 15, 2025, MITRE warned that its contract to maintain the CVE program was due to expire the next day, Wednesday, April 16. On April 16, the Cybersecurity and Infrastructure Security Agency (CISA) announced that it had extended the contract, allowing MITRE to continue operating the program.
Now that funding is secured and the CVE program can continue, it is worth considering how this source of information fits within a broader vulnerability management program. The value of a centralized, cross-industry source of vulnerability identifiers is clear. That value does not mean, however, that organizations should treat it as their only source, or rely on it too heavily.
The Role of the CVE Database and CNAs (CVE Numbering Authorities)
The CVE list was designed as a centralized, publicly available source for vulnerability reporting. Managed by the MITRE Corporation, it contains more than 276,000 CVE records accumulated over the past 25 years. It was first conceived in a 1999 white paper with the intent of making vulnerability information freely available under a shared naming scheme. Thousands of CVEs are added every month.
Each CVE record carries an identifier, a description, references, and the affected product. The NIST National Vulnerability Database (NVD), and increasingly the CNA that filed the record, attaches a Common Vulnerability Scoring System (CVSS) base score from 0.0 to 10.0 indicating how serious the reported vulnerability is. Security teams can look up the record for software running in their environment and understand:
- What product and component are affected
- How severe the vulnerability is (the CVSS score and its None/Low/Medium/High/Critical band)
- The individual CVSS metrics (attack vector, attack complexity, privileges required, user interaction, scope, and confidentiality/integrity/availability impact), expressed as a vector string such as CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
This common identifier streamlines vulnerability reporting for software vendors. When a vendor discloses an issue in its software, it publishes a CVE record, and security teams and their tooling can reference that record whenever they need to. Vulnerability scanners match the software versions they detect against the CVE list (and the product identifiers NVD attaches to it) to flag systems that may be affected.
Many software vendors are themselves CNAs (CVE Numbering Authorities): organizations authorized by the CVE Program to assign CVE IDs and publish CVE records for vulnerabilities within their scope, typically their own products. CNAs include vendors, researchers, open-source projects, CERTs, hosted-service providers, bug-bounty platforms, and consortia. There are now hundreds of CNAs. Most publish only a small number of records, but a handful, including Microsoft, the Linux kernel project, Google, and Adobe, account for a large share of the volume. These CNAs assign their own CVE IDs and generally publish the records for their own products themselves, rather than routing them through MITRE.
Aggregation of the CVE Databases to Close Gaps
NVD enriches CVE records with CVSS scores and product identifiers, but it does not carry the advisories and remediation guidance that manufacturers publish. ICS-CERT advisories (now published by CISA) cover industrial and medical devices, but they do not say whether a vulnerability is being exploited in the wild, as CISA's Known Exploited Vulnerabilities (KEV) catalog does. None of these sources reliably states whether a patch is available. Each adds valuable insight into the current CVE landscape, but no single public database comprehensively accounts for all of the CVEs affecting an organization, and combing through each of them is time-intensive given the volume of CVEs published.
Asimily aggregates all of this information into a common database within its platform. Beyond the CVE records from these sources, Asimily adds exploitability in the wild, AI-driven research from Asimily Labs, and patch availability from the original manufacturer of the software. Each source is broken out separately within Asimily and is available to every Asimily customer, so users can see where each piece of CVE information came from.
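The aggregation described above is, at its core, a join on the CVE ID across feeds with different schemas, followed by a ranking that uses what each feed uniquely contributes. The following is an added example of that join, not Asimily's code or any feed's official client. All three inputs are constructed sample data: the first mimics the field layout of an NVD 2.0 API response, the second mimics the CISA KEV catalog JSON, and the third is a hypothetical vendor advisory list (real vendor feeds vary). The CVE IDs and product names are placeholders, not real records. One record is deliberately left unenriched (no CVSS block) to show that a CVE can be known-exploited before anyone has scored it.

```python
"""Merge CVE data from several feeds into one record per CVE and rank them.

Added example (not Asimily's code or any feed's official client).  The three
inputs below are CONSTRUCTED sample data: NVD_SAMPLE mimics the NVD 2.0 API
shape, KEV_SAMPLE mimics the CISA KEV catalog JSON shape, and VENDOR_SAMPLE is
a hypothetical vendor advisory layout.  IDs and products are placeholders.
"""
from dataclasses import dataclass
from typing import Optional

NVD_SAMPLE = {  # constructed, NVD 2.0 API shape
    "vulnerabilities": [
        {"cve": {"id": "CVE-2024-0001", "published": "2024-02-01T10:00:00.000",
                 "metrics": {"cvssMetricV31": [{"cvssData": {
                     "baseScore": 9.8,
                     "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}}]}}},
        # Published but never enriched: no metrics block at all.
        {"cve": {"id": "CVE-2024-0002", "published": "2024-03-05T09:00:00.000",
                 "metrics": {}}},
        {"cve": {"id": "CVE-2024-0003", "published": "2024-04-20T12:00:00.000",
                 "metrics": {"cvssMetricV31": [{"cvssData": {
                     "baseScore": 5.3,
                     "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}}]}}},
    ]
}
KEV_SAMPLE = {  # constructed, KEV catalog shape
    "vulnerabilities": [
        {"cveID": "CVE-2024-0002", "vendorProject": "ExampleVendor",
         "product": "ExampleGateway", "dateAdded": "2024-03-10",
         "dueDate": "2024-03-31", "knownRansomwareCampaignUse": "Known"},
    ]
}
VENDOR_SAMPLE = [  # constructed, hypothetical vendor advisory layout
    {"cve": "CVE-2024-0001", "fixed_version": "2.4.1"},
    {"cve": "CVE-2024-0002", "fixed_version": None},    # advisory, no fix yet
    {"cve": "CVE-2024-0004", "fixed_version": "7.0.2"},  # vendor-only record
]


@dataclass
class MergedCve:
    cve_id: str
    score: Optional[float]       # None = not enriched by any feed yet
    vector: Optional[str]
    exploited: bool              # present in the KEV catalog
    kev_due_date: Optional[str]
    ransomware_use: bool
    patch_available: bool
    fixed_version: Optional[str]
    sources: list

    def priority_key(self):
        # Known-exploited first, then by score; unscored records sort last
        # but are kept so they are never silently dropped.
        score = self.score if self.score is not None else -1.0
        return (not self.exploited, -score, self.cve_id)


def merge_feeds(nvd: dict, kev: dict, vendor: list) -> list:
    """Join the three feeds on CVE ID and return records in priority order."""
    merged: dict = {}

    def rec(cve_id: str) -> MergedCve:
        if cve_id not in merged:
            merged[cve_id] = MergedCve(cve_id, None, None, False, None,
                                       False, False, None, [])
        return merged[cve_id]

    for item in nvd["vulnerabilities"]:
        cve = item["cve"]
        r = rec(cve["id"])
        r.sources.append("nvd")
        v31 = cve.get("metrics", {}).get("cvssMetricV31", [])
        if v31:  # take the first v3.1 entry when the record is enriched
            r.score = v31[0]["cvssData"]["baseScore"]
            r.vector = v31[0]["cvssData"]["vectorString"]

    for item in kev["vulnerabilities"]:
        r = rec(item["cveID"])
        r.sources.append("kev")
        r.exploited = True
        r.kev_due_date = item.get("dueDate")
        r.ransomware_use = item.get("knownRansomwareCampaignUse") == "Known"

    for item in vendor:
        r = rec(item["cve"])
        r.sources.append("vendor")
        r.fixed_version = item.get("fixed_version")
        r.patch_available = r.fixed_version is not None

    return sorted(merged.values(), key=MergedCve.priority_key)


def needs_enrichment(records: list) -> list:
    """CVE IDs seen in some feed that still carry no CVSS score."""
    return [r.cve_id for r in records if r.score is None]


if __name__ == "__main__":
    ranked = merge_feeds(NVD_SAMPLE, KEV_SAMPLE, VENDOR_SAMPLE)
    for r in ranked:
        print(f"{r.cve_id}  score={r.score}  kev={r.exploited}  "
              f"patch={r.patch_available}  sources={','.join(r.sources)}")
    print("needs enrichment:", needs_enrichment(ranked))
```

Two design points worth noting. The KEV-listed CVE ranks first even though it has no score, because exploitation in the wild is a stronger signal than a predicted severity; and the vendor-only CVE survives the merge even though NVD has never seen it, which is exactly the gap an aggregator exists to close.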
What if MITRE Loses Funding?
The concerns that arose in April 2025, when MITRE looked as though it would lose its funding, were valid. But this is not the first time the CVE ecosystem has run into similar obstacles. In 2024 there was a similar but less-publicized problem: the NVD's enrichment of new records stalled for months, so many newly published CVEs went without CVSS vectors and the other enrichment data that teams depend on.
While this remains a concern, the major CNAs provide a key source of data that can be leveraged, and this is exactly what Asimily has been leveraging to provide customers with accurate and actionable CVE data as part of its core product.
For many years, Asimily Labs has analyzed the records published by the key CNAs and augmented them with supplemental research to support the customer base. Broadly, Asimily Labs extracts information from CNA records using purpose-built NLP (Natural Language Processing) algorithms, then fills in the missing fields to build a clear picture for users. Asimily demonstrated this in 2024, when the enrichment backlog left records incomplete: Asimily Labs filled the gap for many of the affected CVEs so that customers could continue operating without difficulty.
Today, Asimily continues to augment this data with additional information such as exploitability in the wild, AI-driven research, and patch availability from the original manufacturer of the software. This ensures Asimily customers have comprehensive information and are backed by an organization that is evaluating their key risks at all times.
But even with all of the above, is an aggregated CVE database with exploits in the wild enough to maintain security? In 2024, there were 40,077 vulnerabilities published to the CVE list. With such a high volume of CVEs, how can organizations ensure they are acting on the CVEs relevant to their technology? Further, how do you ensure that the CVEs you are addressing are the highest priority for reducing risk?
Read Part 2 to understand how Asimily goes further on CVE prioritization and mitigation than any other security solution for IoT, OT, and IoMT devices.
Reduce Vulnerabilities 10x Faster with Half the Resources
Find out how our innovative risk remediation platform can help keep your organization’s resources safe, users protected, and IoT and IoMT assets secure.