Digiever: GAO study on federal vulnerability tracking efforts urged

Federal Vulnerability Programs Face Funding Crises as Critical Flaws Exploited in the Wild

Recent disclosures highlight growing strain on U.S. cybersecurity infrastructure, as key vulnerability tracking programs grapple with funding shortages and operational delays. In early 2024, the National Institute of Standards and Technology’s (NIST) National Vulnerability Database (NVD) accumulated a backlog of thousands of unprocessed vulnerabilities—a bottleneck that persists today. Meanwhile, the Common Vulnerabilities and Exposures (CVE) program, supported by the Cybersecurity and Infrastructure Security Agency (CISA), narrowly avoided a contract lapse, exposing the security community’s dependence on its continuity.

Lawmakers, including Rep. Bennie Thompson (D-Miss.) and Rep. Zoe Lofgren (D-Calif.), have urged the Government Accountability Office (GAO) to assess federal support for these programs, following an audit of the NVD by the Commerce Department’s Office of the Inspector General. The scrutiny comes as real-world attacks exploit unpatched flaws, underscoring the urgency of resolving these systemic issues.

Active Exploits and Urgent Patches

CISA recently added CVE-2025-52163, a high-severity missing authorization vulnerability in Digiever DS-2105 Pro network video recorders, to its Known Exploited Vulnerabilities (KEV) catalog. Federal agencies were directed to mitigate or retire affected systems by January 12, as attackers actively target the flaw.

Separately, MongoDB issued an urgent warning for CVE-2025-14847, a critical remote code execution (RCE) vulnerability that could enable server takeovers. The company urged immediate patching to prevent exploitation.

Disclosure Disputes and Ethical Concerns

In an unrelated incident, Eurostar, the high-speed rail operator, accused security researchers at Pen Test Partners of blackmail after they disclosed four vulnerabilities in the company’s AI chatbot via its vulnerability disclosure program. The dispute raises questions about the boundaries of responsible disclosure and corporate responses to security findings.

As federal programs struggle to keep pace with emerging threats, the delays in vulnerability tracking and patching leave organizations—and critical infrastructure—exposed to increasingly sophisticated attacks.

Source: https://www.scworld.com/brief/gao-study-on-federal-vulnerability-tracking-efforts-urged

Digiever TPRM report: https://www.rankiteo.com/company/digiever-corp-

{
  "id": "dig1766996016",
  "linkid": "digiever-corp-",
  "type": "Vulnerability",
  "date": "1/2025",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}
{
  "affected_entities": [
    {"industry": "Transportation", "location": "Western Europe", "name": "Eurostar", "type": "High-speed rail service operator"},
    {"customers_affected": "Federal civilian executive branch agencies", "industry": "Surveillance/Network Video Recorders", "name": "Digiever", "type": "Technology Manufacturer"},
    {"industry": "Technology", "name": "MongoDB", "type": "Database Software Provider"},
    {"industry": "Cybersecurity/Standards", "location": "United States", "name": "NIST (National Vulnerability Database)", "type": "Government Agency"},
    {"industry": "Cybersecurity", "location": "United States", "name": "CISA (Cybersecurity and Infrastructure Security Agency)", "type": "Government Agency"}
  ],
  "attack_vector": ["Exploited Vulnerability", "Remote Code Execution"],
  "date_publicly_disclosed": "2024-2025",
  "description": "Recent challenges in the CVE and NVD programs, including funding issues and backlogs, have highlighted vulnerabilities in federal cybersecurity infrastructure. Additionally, specific vulnerabilities like CVE-2025-52163 (Digiever DS-2105 Pro) and CVE-2025-14847 (MongoDB) have been actively exploited or require urgent patching. Eurostar also faced allegations of blackmail following vulnerability disclosures.",
  "impact": {
    "brand_reputation_impact": ["Eurostar (allegations of blackmail)"],
    "operational_impact": ["Potential server takeovers", "Federal agency mitigation requirements"],
    "systems_affected": ["Digiever DS-2105 Pro network video recorders", "MongoDB servers"]
  },
  "investigation_status": "Ongoing (GAO study urged, NVD audit announced)",
  "lessons_learned": "The cybersecurity community's reliance on programs like CVE and NVD highlights the need for sustained funding and operational continuity. Vulnerability management requires unified approaches and real-time risk reduction strategies.",
  "motivation": ["Financial Gain", "Exploitation of Weaknesses", "Research Disclosure"],
  "post_incident_analysis": {
    "corrective_actions": ["GAO evaluation of CVE/NVD support", "Commerce Department audit of NVD", "CISA KEV catalog updates"],
    "root_causes": ["Funding challenges", "Program backlogs", "Delayed vulnerability patching"]
  },
  "recommendations": [
    "Ensure continuous funding for CVE and NVD programs",
    "Implement unified vulnerability management frameworks",
    "Prioritize patching of high-severity vulnerabilities (e.g., CVE-2025-52163, CVE-2025-14847)",
    "Strengthen vulnerability disclosure programs to prevent blackmail allegations"
  ],
  "references": [
    {"source": "The Hacker News"},
    {"source": "The Register"},
    {"source": "BleepingComputer"},
    {"source": "SC Media"}
  ],
  "regulatory_compliance": {
    "legal_actions": ["GAO study urged on federal vulnerability tracking"],
    "regulatory_notifications": ["CISA KEV catalog inclusion (CVE-2025-52163)"]
  },
  "response": {
    "containment_measures": ["Urgent patching advised (MongoDB)", "Mitigation or retirement of affected systems (Digiever)"],
    "remediation_measures": ["Patching CVE-2025-14847", "Addressing CVE-2025-52163"]
  },
  "stakeholder_advisories": "Federal civilian executive branch agencies urged to mitigate CVE-2025-52163 by Jan. 12.",
  "title": "Multiple Cybersecurity Vulnerabilities and Program Challenges",
  "type": ["Vulnerability Disclosure", "Ransomware Allegation", "Regulatory Review"],
  "vulnerability_exploited": ["CVE-2025-52163", "CVE-2025-14847"]
}