The National Institute of Standards and Technology (NIST) has announced that all CVEs published before 1 January 2018 will be marked as ‘Deferred’ in the National Vulnerability Database (NVD).
“All CVEs with a published date prior to 01/01/2018 will be marked as Deferred within the NVD dataset. We are assigning this status to older CVEs to indicate that we do not plan to prioritize updating NVD enrichment or initial NVD enrichment data due to the CVE’s age,” NIST explained.
It added that: “CVEs marked as Deferred will display a banner on their CVE Detail Pages indicating this status.”
This change will take place over the course of several nights, the Institute said. “We are doing this to provide additional clarity regarding which CVE records are prioritized.”
NIST added that it will continue to accept and review requests to update the metadata provided for these CVE records. “Should any new information clearly indicate that an update to the enrichment data for the CVE is appropriate, we will continue to prioritize those requests as time and resources allow.”
NIST also said it will prioritize any CVEs that are added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, regardless of their Deferred status.
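The announced rule is simple enough to apply locally: a CVE with a published date before 01/01/2018 is Deferred, and a KEV entry stays prioritized whatever its NVD status. The script below is an added example (not NIST’s code, nor from the article) that sorts a list of findings into “in KEV”, “Deferred, so no further NVD enrichment expected” and “still actively enriched”. Field names follow the NVD API 2.0 record layout (`id`, `published`, `vulnStatus`) and the KEV JSON feed (`vulnerabilities[].cveID`) as an assumption; the records and the KEV subset are constructed for the example and are not a lookup against the live databases.

```python
"""Sort scanner findings by NVD's Deferred rule and the KEV override (added example)."""
from datetime import datetime, timezone

# Cut-off announced by NIST: CVEs published before this date are marked Deferred.
DEFERRED_CUTOFF = datetime(2018, 1, 1, tzinfo=timezone.utc)

# Constructed records shaped like NVD API 2.0 "vulnerabilities[].cve" objects.
# Only id/published/vulnStatus are used; timestamps are illustrative, not looked up.
SAMPLE_NVD_RECORDS = [
    {"id": "CVE-2014-0160", "published": "2014-04-07T22:55:03.893", "vulnStatus": "Deferred"},
    {"id": "CVE-2017-5638", "published": "2017-03-11T02:59:00.150", "vulnStatus": "Deferred"},
    {"id": "CVE-2019-0708", "published": "2019-05-16T19:29:00.817", "vulnStatus": "Analyzed"},
    {"id": "CVE-2021-44228", "published": "2021-12-10T10:15:09.143", "vulnStatus": "Modified"},
]

# Constructed excerpt in the shape of CISA's KEV JSON feed. This is a sample
# subset for the example, not the real catalog; fetch the live feed in practice.
SAMPLE_KEV_FEED = {
    "vulnerabilities": [
        {"cveID": "CVE-2014-0160", "vendorProject": "OpenSSL"},
        {"cveID": "CVE-2021-44228", "vendorProject": "Apache"},
    ]
}


def load_kev_ids(kev_feed):
    """Collect the CVE IDs listed in a KEV-shaped feed."""
    return {entry["cveID"] for entry in kev_feed.get("vulnerabilities", [])}


def parse_nvd_timestamp(value):
    """NVD API 2.0 timestamps carry no zone (e.g. 2017-03-11T02:59:00.150); treat as UTC."""
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)


def is_in_deferred_window(record):
    """True when the published date falls before the announced cut-off."""
    published = record.get("published")
    if not published:
        return False  # no date on the record: fall back to vulnStatus alone
    return parse_nvd_timestamp(published) < DEFERRED_CUTOFF


def classify(record, kev_ids):
    """Return 'kev', 'deferred' or 'active' for one NVD-shaped record.

    KEV membership wins: NIST said it will prioritize those regardless of status.
    Otherwise trust the API's own vulnStatus first and the date rule second, since
    NIST reserved the right to update a Deferred CVE on request.
    """
    if record["id"] in kev_ids:
        return "kev"
    if record.get("vulnStatus") == "Deferred" or is_in_deferred_window(record):
        return "deferred"
    return "active"


def triage(records, kev_ids):
    """Bucket CVE IDs; the 'deferred' bucket is the risk the organization must own."""
    buckets = {"kev": [], "deferred": [], "active": []}
    for record in records:
        buckets[classify(record, kev_ids)].append(record["id"])
    return buckets


if __name__ == "__main__":
    result = triage(SAMPLE_NVD_RECORDS, load_kev_ids(SAMPLE_KEV_FEED))
    for bucket, ids in result.items():
        print(f"{bucket:9s} {', '.join(ids) or '-'}")
```

In real use, replace the constructed inputs with a response from the NVD API and the current KEV feed, and prefer the `vulnStatus` the API returns over the date heuristic: the date is the announced criterion, but the status field is what NVD actually records, and it can change if NIST accepts an update request.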
Reallocating Scarce Resources
This move reallocates scarce resources toward emerging threats, said Jason Soroko, Senior Fellow at Sectigo. “It relies on the premise that legacy issues are already well documented and mitigated by routine patch management. For organizations with modern security practices, the strategy sharpens defense against new exploits. Ultimately, the decision is a calculated trade-off. It minimizes noise and boosts focus, but leaves risk mitigation for legacy systems squarely in the hands of individual organizations.”
Defensive security teams should not rely solely on external databases but actively identify legacy systems and deferred vulnerabilities, Soroko added. “Prioritize patching where feasible, enforce system hardening, and isolate or segment older systems to minimize exposure. Integrating real-time threat intelligence helps pinpoint when attackers target known weaknesses, allowing teams to act swiftly.”
An Expected Solution
Management of vulnerabilities is complex when you consider the diversity and depth of scale that we have in 2025, with most larger organizations having hundreds to thousands of apps and associated patches across legacy, cloud, and mobile infrastructure with various dependencies, explained Ken Dunham, Cyber Threat Director at Qualys. “A movement by NIST to mark older vulnerabilities as deferred is an expected evolution of the scale of management of vulnerabilities as they continue to grow in number with the explosion of apps and associated vulnerabilities in 2025.”
Entities should take this action by NIST as an indicator of the challenge to manage and prioritize their own risk, particularly for high-value assets and any assets with increased exposure to attack surface, Dunham added. “Exploitation often occurs amongst more moderate and older vulnerabilities still in production, requiring more complex patching priorities for organizations to manage vulnerability risk ranging from zero-days and emergent risk to long-term likely exploitation from persistent actors.”
Dunham says a strong threat and vulnerability patch management program, with a strong configuration management database (CMDB), validation of successful patching, KPIs and metrics, risk-based prioritization, and holistic SecOps, is required to address the continual threat and vulnerability management needs of an organization.
Underperforming Patch Management
Tim Mackey, Head of Software Supply Chain Risk Strategy at Black Duck, said while it may be concerning to see older CVEs, particularly those associated with prominent vulnerabilities, be triaged to a lower priority, the reality is that the CVE remains in the NVD with a recognition that updates to older CVEs are infrequent. “For practical purposes, I would view any organization who hasn’t patched or mitigated something that is now labeled as ‘Deferred’ as having an underperforming patch management or DevOps cybersecurity program.”
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.