NIST is limiting CVE enrichment in the NVD, changing how vulnerability data is delivered.
SAP security teams will need to rely more on vendor advisories and internal context to assess risk.
Reduced enrichment may create gaps in vulnerability data across security tools and workflows.
The National Institute of Standards and Technology (NIST) is changing how it handles Common Vulnerabilities and Exposures (CVEs) in the National Vulnerability Database (NVD).
The agency will continue to list all CVEs, but it will no longer immediately enrich every record with severity scores, affected-product mappings, and other structured analysis, shifting to a prioritized model focused on vulnerabilities with the greatest potential impact.
This change preserves the NVD as a public registry, but it reduces the consistency of the enrichment layer many security teams rely on to interpret and prioritize vulnerabilities.
Robert Holland, Vice President and Research Director at SAPinsider, said, “This may mean that very few CVEs reported against SAP systems will ever be enriched.”
What NIST Changed
NIST is shifting the National Vulnerability Database to a more selective approach.
The agency will focus detailed analysis on CVEs in the Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities catalog, as well as vulnerabilities tied to software used by the federal government and other critical systems.
All CVEs will still be listed in the NVD, but not all will receive the same level of detail. Lower-priority entries may appear without full analysis, including severity scores or clear mappings to affected products. That gap will change how teams manage risk.
As Holland explains, “SAP security professionals, like security professionals everywhere, rely on information in CVE descriptions to understand and prioritize vulnerabilities.” Without that context, prioritization becomes less consistent.
NIST is also stepping back from routinely assigning its own severity scores when a score already exists from the CVE issuer (CVE Numbering Authority, or CNA). That reduces duplicate work but places more weight on vendor- or submitter-provided data.
Why NIST Made the Change
NIST said CVE submissions increased 263% between 2020 and 2025, with submissions in early 2026 running nearly one-third higher than the same period the prior year.
The increase reflects several factors. Vulnerability discovery has expanded, including automated and AI-assisted tools that surface more issues. Participation in the CVE ecosystem has also grown, with more CNAs issuing identifiers, alongside a rising volume of software and components that can generate flaws.
The agency increased output to match. It enriched nearly 42,000 CVEs in 2025, more than any previous year. But that pace was still not enough to keep up with incoming volume. The NVD team has remained relatively small even as vulnerability reporting accelerated, leaving tens of thousands of CVEs without full analysis.
Backlogs persisted as submissions continued to rise. Capacity has not kept pace with demand. Now that pressure is shifting to enterprise security teams.
“While NIST has struggled to manage the CVE enrichment backlog, the shift to focusing on vulnerabilities with the widest impact will force many organizations to find other sources of information,” Holland said.
The Impact on SAP Security Teams
The change has direct implications for SAP security programs. Enterprise SAP environments are typically business-critical, highly integrated, and dependent on accurate vulnerability context to guide patching and risk decisions.
SAP security teams that depend on NVD enrichment will face gaps in vulnerability detail. After NIST’s decision, that detail will not always be available. As a result, teams may not have enough information to assess risk or decide what to fix first.
That increases reliance on vendor-provided context. SAP Security Notes, vendor advisories, and other supplier data become more important sources of information, alongside exploitability signals and internal system knowledge.
It also changes how teams monitor risk. Checking the NVD alone is no longer sufficient. Security teams will need to combine multiple sources to build a complete view of vulnerability impact across their SAP landscape.
What This Means for SAPinsiders
- Centralized vulnerability context is fragmenting. As NIST narrows enrichment, vulnerability context becomes distributed across vendors, tools, and internal teams. This fragmentation increases variation in how risk is interpreted, reducing consistency across organizations and making benchmarking and shared prioritization more difficult.
- Visibility becomes less consistent across tools. Security tools will continue to ingest CVE data, but the completeness of that data will vary more than before. In the near term, as vendors and providers adjust, some vulnerabilities may appear without enough detail to trigger alerts or map cleanly to affected systems.
- Monitoring requires stronger coordination across sources. Most security teams already use multiple sources to monitor vulnerabilities, but the balance is shifting. As NVD enrichment becomes less consistent, teams will need tighter coordination across vendor advisories, exploitability signals, and internal system context.
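As an added example (not part of the original article or any NIST tooling), the Python script below reads records in the shape of NVD API 2.0 JSON, flags the enrichment gaps described above (an unanalyzed status, no NVD-assigned CVSS score, no affected-product mapping), falls back to the CNA-supplied score where NIST has not assigned one, and routes entries that carry a CISA KEV date ahead of everything else. The sample records and their CVE ids are constructed; the field names follow the NVD 2.0 schema, where a metric of type "Primary" is the NVD's own score and "Secondary" is the CNA's.

```python
import json

# Constructed sample in the shape of the NVD API 2.0 response; the CVE ids are placeholders.
SAMPLE_NVD_JSON = json.dumps({"vulnerabilities": [
    {"cve": {"id": "CVE-0000-0001", "vulnStatus": "Analyzed",
             "metrics": {"cvssMetricV31": [
                 {"source": "nvd@nist.gov", "type": "Primary",
                  "cvssData": {"baseScore": 9.8, "baseSeverity": "CRITICAL"}}]},
             "configurations": [{"nodes": [{"cpeMatch": [
                 {"criteria": "cpe:2.3:a:example:app:1.0:*:*:*:*:*:*:*"}]}]}]}},
    {"cve": {"id": "CVE-0000-0002", "vulnStatus": "Awaiting Analysis",
             "metrics": {"cvssMetricV31": [
                 {"source": "cna@example.test", "type": "Secondary",
                  "cvssData": {"baseScore": 7.5, "baseSeverity": "HIGH"}}]}}},
    {"cve": {"id": "CVE-0000-0003", "vulnStatus": "Awaiting Analysis",
             "cisaExploitAdd": "2026-01-15"}},
]})

# vulnStatus values that mean NIST has not (yet) enriched the record.
UNANALYZED = {"Received", "Awaiting Analysis", "Undergoing Analysis", "Deferred"}

def pick_score(cve):
    """Prefer the NVD-assigned ("Primary") CVSS score; fall back to the CNA's ("Secondary")."""
    metrics = cve.get("metrics", {})
    entries = metrics.get("cvssMetricV31", []) + metrics.get("cvssMetricV30", [])
    for wanted in ("Primary", "Secondary"):
        for m in entries:
            if m.get("type") == wanted:
                return m["cvssData"]["baseScore"], wanted
    return None, None

def assess(cve):
    """Record the enrichment gaps and decide which source must fill them."""
    score, origin = pick_score(cve)
    gaps = []
    if cve.get("vulnStatus") in UNANALYZED:
        gaps.append("not_enriched")
    if score is None:
        gaps.append("no_cvss")
    if not cve.get("configurations"):      # no CPE mapping -> cannot match to inventory
        gaps.append("no_cpe_mapping")
    in_kev = "cisaExploitAdd" in cve        # present only for KEV-listed CVEs
    if in_kev:
        action = "patch_now"                # exploited in the wild outranks any missing score
    elif score is None or "no_cpe_mapping" in gaps:
        action = "check_vendor_advisory"    # e.g. SAP Security Notes supply what the NVD lacks
    else:
        action = "prioritize" if score >= 7.0 else "schedule"
    return {"id": cve["id"], "score": score, "score_origin": origin,
            "in_kev": in_kev, "gaps": gaps, "action": action}

def triage(nvd_json):
    return [assess(v["cve"]) for v in json.loads(nvd_json)["vulnerabilities"]]

if __name__ == "__main__":
    for row in triage(SAMPLE_NVD_JSON):
        print(row)
```

Records with "check_vendor_advisory" are exactly the ones the article warns about: a CNA score may exist, but without an NVD product mapping the entry will not match an asset inventory on its own.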