The MITRE CVE program, the backbone of global vulnerability tracking, is now facing an unexpected and critical disruption. As of mid-April 2025, U.S. government funding for the program has officially expired, and there appears to be no immediate backup plan in place. With no renewed contract and no alternate source of support, the future of the program remains uncertain, and that’s bad news for cybersecurity professionals worldwide.
No Contract, No Coverage: MITRE Warns of CVE Lapse
The MITRE CVE program contract expires on April 16, and MITRE has confirmed they’ve received no new funding to continue operations. In a statement released across several platforms, MITRE warns CVE lapse may already be impacting the timely assignment and tracking of software vulnerabilities.
MITRE, the non-profit organization that manages the Common Vulnerabilities and Exposures (CVE) system, stressed the seriousness of the situation. Without federal funding, they cannot maintain CVE assignments, support CVE Numbering Authorities (CNAs), or perform the essential administrative work that keeps the cybersecurity ecosystem functioning. In simpler terms, no funding, no CVE updates.
This CVE program funding lapse comes at a time when global cybersecurity threats are escalating, and the timing couldn’t be worse.
Why does the CVE Program Matter?
For anyone unfamiliar, the CVE program is how we identify, label, and track software vulnerabilities. It’s like a universal barcode system for bugs—used by government agencies, corporations, security researchers, and even everyday tech companies to understand and manage cyber threats. When a software flaw is discovered, it’s given a CVE ID so it can be tracked and patched.
Without MITRE’s active management, this entire system is at risk of breaking down. The MITRE CVE contract expiration means that vulnerabilities could go untracked or be delayed in recognition, leaving systems exposed for longer periods. It also impacts how quickly patches can be developed and how promptly security advisories are issued.
No Backup in Sight
What’s perhaps most alarming is that MITRE confirmed there is no backup plan or alternate organization ready to step in. As of now, there is no clear timeline for contract renewal, nor has any agency stepped up to fill the gap. According to MITRE, this lapse impacts not just new CVE assignments but also ongoing coordination with over 300 global partners.
That means even if a vulnerability is discovered today, it may not receive a proper CVE ID until the issue is resolved, potentially weeks or months from now.
What’s Next For MITRE?
As of now, the cybersecurity community is in limbo. The hope is that funding will be restored quickly, but there’s no official word from the federal government. With thousands of security issues surfacing globally every month, a prolonged CVE program funding lapse could ripple across industries, impacting everything from enterprise software to national defense systems.
Until then, researchers and security teams are left without one of their most vital tools—and the digital world just got a little more vulnerable.
