MITRE Ends CVE Program Support – Leaked Internal Memo Confirms Departure
A leaked internal memo dated April 15, 2025, has sent shockwaves through the cybersecurity community, revealing that MITRE’s contract to operate the Common Vulnerabilities and Exposures (CVE) program is set to expire today, April 16, 2025.
The letter, reportedly obtained from a reliable source and addressed to CVE Board Members, is signed by Yosry Barsoum, Vice President and Director of MITRE’s Center for Securing the Homeland (CSH).
The memo casts doubt on MITRE’s continued role in maintaining the CVE program, a foundational pillar in global cybersecurity.
MITRE, a not-for-profit organization headquartered in McLean, Virginia, operates several federally funded research and development centers (FFRDCs), including the National Cybersecurity FFRDC, which has long supported the CVE initiative.
The CVE program, funded by the U.S. Department of Homeland Security, standardizes the identification and cataloging of cybersecurity vulnerabilities and is relied upon by organizations worldwide.
The leaked memo warns that the expiration of MITRE’s contract to “develop, operate, and modernize CVE and several other related programs, such as CWE,” could result in significant disruptions.
Potential impacts cited include the deterioration of national vulnerability databases and advisories, negative effects on tool vendors and incident response operations, and broader risks to critical infrastructure.
Notably, cybersecurity reporter David DiMolfetta has confirmed the authenticity of the memo, further heightening industry concerns.
The CVE database, with more than 274,000 entries, underpins a $37 billion cybersecurity vendor market.
Its standardized records enable efficient vulnerability management, cyber threat intelligence, and response across industry, government, and national security sectors. Any interruption in MITRE’s stewardship threatens to destabilize this global system.
The program has gone through several transitions in recent years, including a migration to a new website (CVE.ORG), a change of record format to JSON, and an expansion of assignments to service-based vulnerabilities beyond traditional software flaws.
These adaptations reflect the evolving threat landscape but underscore the necessity for consistent funding and operational continuity.
In an official response to Cyber Security News, a MITRE spokesperson confirmed, “April 16, 2025, funding for MITRE to develop, operate, and modernize the Common Vulnerabilities and Exposures (CVE) Program and related programs, such as the Common Weakness Enumeration (CWE) Program, will expire.
The government continues to make considerable efforts to support MITRE’s role in the program and MITRE remains committed to CVE as a global resource.”
As the cybersecurity community awaits clarity, the potential lapse of MITRE’s support puts the future of vulnerability management—and global cyber resilience—at a critical juncture.