Key Takeaways
- News of a possible CVE program defunding recently shook the cybersecurity community, but the program secured funding until 2026.
- Without CVE IDs, critical systems like CISA’s KEV list and the Exploit Prediction Scoring System would falter, introducing chaos into SOC operations, critical infrastructure, and manufacturing.
- As a member of the U.S. Joint Cyber Defense Collaborative, Forescout is working with CISA and the industry to ensure the CVE database is maintained.
- In addition, the cybersecurity community is exploring alternatives to reduce reliance on CVEs.
- Security teams can use the details here to learn about the full range of sources for vulnerability information.
- For Forescout customers, there’s no change. Our platform delivers timely, accurate vulnerability data, whether vulnerabilities have CVE IDs or not.
Manufacturing is one of the most exposed industries to cyber threats because it depends on connected systems and outdated technology. The recent near-disruption of the Common Vulnerabilities and Exposures (CVE) program shows how fragile key cybersecurity processes can be. For manufacturers, any disruption in vulnerability resources and tools like CVE can delay threat detection and put production and safety at risk.
On April 15, 2025, MITRE announced that its contract with the U.S. Department of Homeland Security (DHS) to operate the Common Vulnerabilities and Exposures (CVE®) program was set to expire. For over 25 years, this program has provided standardized IDs for software vulnerabilities, serving as a cornerstone of global cybersecurity.
The news raised concerns across the industry, but on April 16, CISA secured an 11-month extension, ensuring the CVE program continues through March 2026. While this buys time, it underscores the need to prepare for potential shifts in how vulnerabilities are tracked.
Here, we explain the situation, clarify what’s changing and what isn’t, and share how Forescout ensures uninterrupted protection for our customers. CISA KEV is helpful and Forescout supports its continued use and leadership in vulnerability tracking. It is the most well-known catalog for exploited vulnerabilities, but it comes with some limitations that reinforce a need for a wider cybersecurity lens.
1. What the CVE Security Program Does and Its Challenges
The CVE program, managed by MITRE and funded by CISA, assigns unique IDs to software vulnerabilities. These IDs act like labels, helping security teams, researchers, and vendors track and fix threats consistently. For example, a flaw in a popular web browser might get a CVE ID, making it easier to share fixes and alerts.
However, the CVE system has limitations:
- Narrow Scope: It focuses on open-source and major software, often missing vulnerabilities in enterprise tools, cloud services, or hardware.
- ID Gaps: Lesser-known or proprietary systems may not get CVE IDs, leaving gaps in tracking. Imagine a critical flaw in a niche medical device that goes unlisted.
- Delays: Assigning CVE IDs can take weeks, slowing down defenses.
- Oversimplification: Complex issues get one ID, which can miss important details.
- Overreliance: Many security tools rely solely on CVEs, making them vulnerable to disruptions.
Go deeper: In 2024, Forescout Research – Vedere Labs discovered nearly 90,000 vulnerabilities without a CVE ID.
These challenges highlight why the recent contract uncertainty caused alarm.
2. What Happened Recently
On April 15, 2025, MITRE announced its DHS contract to manage the CVE and Common Weakness Enumeration (CWE™) programs would end without renewal. Industry experts and the CVE Board voiced concerns about potential gaps in vulnerability tracking.
The next day, April 16, CISA extended MITRE’s contract through March 2026, using incremental funding to maintain operations. This ensures short-term stability but leaves questions about long-term funding and governance, especially as the industry relies heavily on CVE IDs.
3. What This Means for Vulnerability Management
If the CVE security program were to stop, the impact would be significant, with no easy escape from our current dependency. Without CVE IDs, critical systems like CISA’s Known Exploited Vulnerabilities (KEV) list and the Exploit Prediction Scoring System (EPSS) would falter, as both rely on CVEs to identify and prioritize high-risk vulnerabilities. Losing this guidance would force asset owners to manually sift through threats, increasing workload and risk.
Additionally, without a centralized ID system, vulnerabilities would lack consistent names across vendors and researchers, making it hard to know if everyone is addressing the same issue. The National Vulnerability Database (NVD), despite its flaws, serves as the best central hub for searching vulnerabilities. Without CVEs, no comparable alternative exists, leaving the industry fragmented and less efficient.
4. How the Industry Is Responding
The cybersecurity community is exploring alternatives to reduce reliance on CVEs:
- Advisory Links: Using URLs from vendor advisories or GitHub issues as unique, permanent IDs.
- GitHub Security Advisories: Open-source projects can use GitHub’s system to assign and track vulnerability IDs.
- Vendor IDs: Companies like Microsoft and Apple use internal IDs, often mapped to CVEs later.
- Third-Party Platforms: Tools like Vulncheck aggregate vulnerability data, including issues without CVE IDs.
- CISA’s KEV List: This curated list prioritizes vulnerabilities actively exploited in the wild, regardless of CVE status.
Emerging but immature alternatives also show promise:
- Global CVE Allocation System (GCVE): A proposed decentralized system compatible with CVEs, allowing numbering authorities to operate independently. Still conceptual, it lacks widespread adoption.
- European Vulnerability Database (EUVD): In beta, this ENISA-led database aggregates multi-source vulnerability data, driven by EU regulations. It’s not a full NVD replacement but could grow with funding.
- CISA Advisories: CISA publishes industrial vulnerabilities, but its focus is narrow, and it struggles with updates from vendors like Siemens. Reorganization may limit its scope further.
- CVE Foundation: Launched April 16, 2025, this nonprofit aims to take over the CVE program, promising details soon. Its plans remain unclear.
- National Databases: Russia and China have their own databases, but global trust is low. Germany’s VDE-CERT focuses on OT vulnerabilities for German firms, with limited scale and funding.
These options, both established and emerging, show the industry’s ability to adapt if the CVE system evolves.
5. How Forescout Is Prepared
At Forescout, we’ve built our platform to stay resilient, not just against cyber threats but also against shifts in the security ecosystem. Unlike tools that depend solely on CVEs, our approach ensures continuous protection.
Direct Vendor Data: Our team pulls critical vulnerability data straight from trusted vendors, bypassing delays in CVE or National Vulnerability Database (NVD) updates. This means faster alerts for our customers.
Non-CVE Tracking: Our platform handles vulnerabilities with or without CVE IDs, covering emerging threats in proprietary or niche systems. For example, we can detect a flaw in a cloud service even if it lacks a CVE.
VL-KEV: A database maintained by Forescout Research – Vedere Labs that includes vulnerabilities observed being exploited in our Adversary Engagement Environment honeypots or reported as used by threat actors in our knowledge base.
Multi-Source Intelligence: We blend data from:
- CVE and KEV: We enhance CVE records with severity scores and exploitation data, prioritizing what’s actively targeted (per CISA’s KEV list).
- NVD Overrides: We fix delays or errors in NVD data to keep alerts accurate.
- Public and Proprietary Feeds: Our research, partnerships, and automated tools provide exclusive insights, ensuring broad coverage.
Real-Time Adaptation: We’re monitoring the CVE program’s evolution, including the new CVE Foundation’s plans. Our teams are ready to adjust to changes in formats or protocols, ensuring seamless vulnerability tracking.
Drill Down: Tracking CVEs in the Forescout 4D Platform™: Our platform has a database of CVEs specifically for OT, IoT, IoMT, and networking vendors. In most cases (> 95%) we find information about vulnerabilities directly from the vendors. This has the following advantages:
- When a vendor doesn’t assign CVE identifiers, the vulnerability can still be added to the platform. Competing products often do not know about vulnerabilities without a CVE, so this is a distinct advantage for Forescout.
- Analysts at CISA or NVD sometimes interpret the CVSS score differently, so the same vulnerability can end up with three different CVSS scores: one party rates the CVE as high risk, another as medium to low. This is confusing for end users. Our platform uses the CVSS score as calculated by the vendor, on the assumption that the vendor knows its own products best.
- Using the original source for vulnerabilities means detection for a vulnerability can be added more quickly, sometimes saving weeks or several months of delay.
- When a vendor updates an advisory, the NVD or CISA is not always informed, so their entries can contain outdated information. For example, a published solution could be missed, or certain software versions could be incorrectly listed as not vulnerable, leaving an affected device unpatched. Always check the vendor’s advisory for the most up-to-date and accurate information.
- Many OT issues are not reported in the NVD, especially supply-chain vulnerabilities. When vendors publish supply-chain vulnerabilities, they are added to the platform.
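As an added example (not Forescout’s code), here is one way to apply the vendor-first approach described in the Drill Down above together with the advisory-URL fallback from section 4: records from several feeds are linked by any identifier they share (CVE ID, GHSA ID or advisory URL), the vendor’s CVSS score and affected-version list take precedence, and a feed that omits versions the vendor lists as affected is flagged as stale. The feed labels, IDs, URLs and version numbers are constructed placeholders.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass(frozen=True)
class VulnRecord:
    source: str                # which feed produced the record: "vendor", "nvd" or "ghsa" (assumed labels)
    cve: str | None            # CVE ID, if one was assigned
    ghsa: str | None           # GitHub Security Advisory ID, if any
    advisory_url: str | None   # vendor advisory or issue URL, usable as a permanent ID
    cvss: float | None         # CVSS base score as published by that source
    affected: frozenset[str]   # affected versions as published by that source

def identifiers(r: VulnRecord) -> set[str]:
    """Every ID a record carries; two records sharing any ID describe one vulnerability."""
    ids = set()
    if r.cve: ids.add("cve:" + r.cve.upper())
    if r.ghsa: ids.add("ghsa:" + r.ghsa.upper())
    if r.advisory_url: ids.add("url:" + r.advisory_url.rstrip("/").lower())
    if not ids: raise ValueError(f"record from {r.source} has no usable identifier")
    return ids

def reconcile(records: list[VulnRecord]) -> list[dict]:
    """Cluster records by shared IDs, then merge each cluster with the vendor's data taking precedence."""
    clusters: list[tuple[set[str], list[VulnRecord]]] = []
    for r in records:
        ids, recs = identifiers(r), [r]
        for c in [c for c in clusters if c[0] & ids]:   # union every cluster that shares an ID
            ids |= c[0]
            recs += c[1]
            clusters.remove(c)
        clusters.append((ids, recs))
    out = []
    for ids, recs in clusters:
        vendor = next((x for x in recs if x.source == "vendor"), None)
        primary = vendor or recs[0]
        cvss = next((x.cvss for x in [primary] + recs if x.cvss is not None), None)  # vendor score wins
        affected = primary.affected if vendor else frozenset().union(*(x.affected for x in recs))
        # A non-vendor source that omits versions the vendor lists as affected is stale.
        stale = sorted(x.source for x in recs if vendor and x is not vendor and not vendor.affected <= x.affected)
        out.append({"ids": sorted(ids), "sources": sorted(x.source for x in recs), "cvss": cvss,
                    "affected": sorted(affected), "stale_sources": stale})
    return sorted(out, key=lambda d: d["ids"][0])

SAMPLE = [  # constructed records: IDs, URLs and versions are placeholders, not real advisories
    VulnRecord("vendor", "CVE-0000-0001", None, "https://vendor.example/advisories/2025-001", 9.8, frozenset({"1.0", "1.1", "1.2"})),
    VulnRecord("nvd", "CVE-0000-0001", None, None, 7.5, frozenset({"1.0", "1.1"})),      # lower score, omits 1.2
    VulnRecord("vendor", None, None, "https://vendor.example/advisories/2025-002/", 6.5, frozenset({"2.0"})),  # no CVE yet
    VulnRecord("ghsa", None, "GHSA-xxxx-xxxx-xxxx", "https://vendor.example/advisories/2025-002", None, frozenset({"2.0"})),
]
```

Calling `reconcile(SAMPLE)` yields two merged entries: the first keeps the vendor’s 9.8 score and three affected versions while flagging the NVD feed as stale, and the second is tracked by its GHSA ID and advisory URL alone because no CVE has been assigned.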
6. What’s Next
The CVE program’s extension through March 2026 gives the industry time to plan for sustainable funding and governance. Post-extension, the CVE Foundation or other models, like the EUVD, may play larger roles, but the system’s core role is likely to persist.
For Forescout customers, there’s no change. Our platform delivers timely, accurate vulnerability data, whether vulnerabilities have CVE IDs or not. We’ll keep you informed as the situation evolves, staying transparent and proactive.
In the meantime, Forescout is a member of the U.S. Joint Cyber Defense Collaborative and will leverage this forum to work with CISA and the industry more broadly to ensure the CVE database is maintained.
Stay protected with Forescout: Don’t let uncertainty in vulnerability tracking put your organization at risk. Contact our team to learn how Forescout’s platform delivers unmatched visibility and protection, no matter the vulnerability source. Subscribe to our blog for the latest updates on the CVE program and cybersecurity trends.