I boosted several posts about this already, but since people keep asking if I've seen it....

MITRE has announced that its funding for the Common Vulnerabilities and Exposures (CVE) program and related programs, including the Common Weakness Enumeration Program, will expire on April 16. The CVE database is critical for anyone doing vulnerability management or security research, and for a whole lot of other uses. There isn't really anyone else left who does this, and it's typically been work that is paid for and supported by the US government, which is a major consumer of this information, btw.

I reached out to MITRE, and they confirmed it is for real. Here is the contract, which is through the Department of Homeland Security, and has been renewed annually on the 16th or 17th of April.

https://www.usaspending.gov/award/CONT_AWD_70RCSJ23FR0000015_7001_70RSAT20D00000001_7001

MITRE's CVE database is likely going offline tomorrow. They have told me that for now, historical CVE records will be available at GitHub, https://github.com/CVEProject

Yosry Barsoum, vice president and director at MITRE's Center for Securing the Homeland, said:

“On Wednesday, April 16, 2025, funding for MITRE to develop, operate, and modernize the Common Vulnerabilities and Exposures (CVE®) Program and related programs, such as the Common Weakness Enumeration (CWE™) Program, will expire. The government continues to make considerable efforts to support MITRE’s role in the program and MITRE remains committed to CVE as a global resource.”

It's worth asking again who would benefit from taking CVE offline? Surely not the United States government, nor its private companies. Not its allies (such as they are now) in Europe. But it almost certainly would help our adversaries, like China and Russia, because confusion and uncertainty work to their advantage always.

Probably the last CVE indexed before it goes dark should be CVE-2025-DOGE (critical, local privilege escalation vulnerability that leads to malicious code execution and data exfiltration).

@briankrebs Shouldn't officers from FBI, CIA, DIA, NSA, Department of Homeland Security & other agencies consequently all have their stopping hands on the shoulders of everyone serving "DOGE" & enemies of the United States?

#RuleOfLaw #DefendTheConstitution #DefendTheUnion #DOGE #Espionage #DataTheft #DataBreach #NationalSecurityThreat #ObstructionOfNationalDefense #USPol #USPolitics

@ArenaCops @briankrebs Show them this, and they might actually sit up and take note:

"This declaration details DOGE activity within NLRB, the exfiltration of data from NLRB systems, and – concerningly – near real-time access by users in Russia. Notably, within minutes of DOGE personnel creating user accounts in NLRB systems, on multiple occasions someone or something within Russia attempted to login using all of the valid credentials (eg. Usernames/Passwords)."

https://whistlebloweraid.org/wp-content/uploads/2025/04/2025_0414_Berulis-Disclosure-with-Exhibits.s.pdf

@slowenough @ArenaCops @briankrebs

Sadly, this all fits within the notion that bumbling wannabe-dictators are removing all the mechanisms that would stop them from doing any arbitrary thing they want to, with utter disregard for the real-world consequences of removing those mechanisms.

It's fascist dictatorship, but run by clowns.

@n1xnx @slowenough @briankrebs The least & worst entertaining clowns, that are causing real harm to real people.