
NIST Stops Scoring Most CVEs: What Saudi Financial Institutions Must Do Before Their Next SAMA Audit

NIST's National Vulnerability Database will no longer enrich most CVEs with CVSS scores effective April 15, 2026. For SAMA-regulated institutions that built patch SLAs around CVSS thresholds, this creates an immediate compliance and operational risk.

FyntraLink Team

On April 15, 2026, NIST quietly changed the rules of vulnerability management. The National Vulnerability Database — the backbone of patch prioritization programs for two decades — announced it will no longer enrich all CVEs with CVSS scores, CPE mappings, or CWE classifications. Driven by a 263% surge in CVE submissions since 2020, this shift leaves thousands of newly disclosed vulnerabilities arriving without the severity data that most vulnerability scanners and GRC platforms depend on. For Saudi financial institutions running SAMA CSCC-aligned security programs, the impact is immediate.

What NIST Changed on April 15, 2026

The NVD has historically processed every CVE submission and enriched it with CVSS base scores, Common Platform Enumeration (CPE) product mappings, and Common Weakness Enumeration (CWE) classifications. These three data points are what tools like Tenable Nessus, Qualys VMDR, and Rapid7 InsightVM use to generate severity ratings and patch recommendations inside your environment. Starting April 15, NIST limits enrichment to a narrow set of CVEs: those appearing in CISA's Known Exploited Vulnerabilities (KEV) catalog, CVEs in software used by the U.S. federal government, and CVEs for software designated "critical" under Executive Order 14028. All other CVEs — including many affecting open-source libraries, middleware, and third-party components embedded in banking applications — will receive no NVD enrichment. The backlog of CVEs published before March 1, 2026 has already been moved to "Not Scheduled," meaning they will never be enriched.

The scale of the problem is significant. In Q1 2026 alone, CVE submissions ran 33% ahead of Q1 2025. NIST enriched nearly 42,000 CVEs in all of 2025. The gap between submission volume and analyst capacity has simply become unbridgeable under the existing model.

Why CVSS-First Patch Programs Are Now Exposed

Most vulnerability management programs in the Saudi financial sector — and globally — are built around a CVSS severity threshold model: Critical (9.0+) patched within 72 hours, High (7.0–8.9) within 7 days, Medium within 30 days. When a vulnerability scanner identifies a finding, it looks up the CVE in NVD to pull the CVSS score and generate an SLA. If NVD has no score for that CVE, one of two things happens: the scanner flags it as "informational" and it drops to the bottom of the queue, or it sits in a "pending" state while analysts wait for enrichment that will never arrive. In both cases, a real vulnerability affecting a real system in your environment goes unpatched longer than it should. Sophisticated threat actors — who conduct their own vulnerability research entirely independent of NVD — will have already weaponized it.

The Direct Impact on SAMA CSCC Domain 3 Compliance

The Saudi Central Bank Cyber Security Framework (SAMA CSCC) Domain 3 — Cyber Security Operations — requires covered entities to maintain a formal vulnerability management lifecycle, including identification, classification, prioritization, and remediation within defined SLAs based on risk severity. Regulators expect this lifecycle to be documented, measurable, and demonstrably followed. If your vulnerability management procedure references CVSS scores from NVD as the basis for patch prioritization, and NVD no longer scores the majority of CVEs, your procedure now has a structural gap that an examiner can challenge. The question during your next SAMA audit will not be whether NIST changed its policy — it will be what your institution did in response. This creates two distinct compliance exposures: unenriched CVEs being silently deprioritized in your patching queue, and GRC platform evidence showing incomplete severity classification for a material portion of disclosed vulnerabilities.

What Threat Actors Already Know

Ransomware groups and state-affiliated actors targeting SWIFT-connected financial systems do not wait for NVD enrichment before weaponizing vulnerabilities. The groups behind attacks on financial sector organizations in Q1 2026 — including exploitation of Apache ActiveMQ, Microsoft Exchange, and Fortinet devices — routinely develop working exploits within hours of CVE disclosure, well before NIST's analysts complete enrichment. The Grinex exchange breach on April 15, 2026 — the same day NIST's policy took effect — is a reminder that attackers move at machine speed while defenders rely on databases. The NVD narrowing does not reduce the threat surface. It reduces the intelligence available to defenders while leaving attackers unaffected.

Six Steps to Adapt Your Vulnerability Management Program

  1. Subscribe directly to vendor security advisories. Microsoft MSRC, Cisco PSIRT, Oracle CPU, SAP Security Notes, Fortinet PSIRT, and Palo Alto Unit 42 all publish CVSS scores independently of NVD. Configure automated ingestion of these feeds into your SIEM or vulnerability management platform so that severity data does not depend solely on NVD enrichment.
  2. Replace CVSS-only prioritization with exploitation-aware scoring. Tenable's Vulnerability Priority Rating (VPR), Qualys TruRisk, and Rapid7's RISQ score incorporate real-world exploitation signals, threat actor activity, and asset context — not just NVD metadata. Transition your SLA thresholds to these scores or a risk-weighted composite.
  3. Treat CISA KEV as a mandatory remediation floor. CISA's Known Exploited Vulnerabilities catalog will continue to receive NVD enrichment under the new criteria, and it represents the highest-confidence signal of active exploitation. Establish a policy that all KEV entries are remediated within 48 hours across all environments — this is both operationally defensible and clearly aligned with SAMA CSCC expectations.
  4. Deploy or subscribe to a threat intelligence platform (TIP). Products such as Recorded Future, ThreatConnect, or the open-source OpenCTI aggregate exploitation signals from dark web forums, ransomware leak sites, proof-of-concept repositories, and OSINT. A CVE being actively sold on dark web markets or referenced in threat actor communications is higher priority than its CVSS score, regardless of NVD status.
  5. Update your GRC platform and vulnerability management procedure. If your GRC tool ingests severity from NVD APIs, work with your vendor to integrate additional enrichment sources. Revise your written vulnerability management procedure to document the multi-source approach and retain the revision as evidence for SAMA examination — showing that your institution identified the NVD change and responded proactively.
  6. Run an asset-aware emergency triage exercise. Map your Tier-1 assets — core banking systems, payment gateways, SWIFT interfaces, treasury management platforms — to vendor advisory feeds directly. For each, confirm that a CVE affecting that asset class will surface in your vulnerability management workflow even if NVD does not enrich it.
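The following Python example is added here to make the two models described on this page concrete; it is not code from FyntraLink or from any of the products named above. It places the CVSS-first model from "Why CVSS-First Patch Programs Are Now Exposed" (an NVD-unscored CVE becomes Informational with no SLA) beside a multi-source model that follows the six steps: vendor advisory scores, CISA KEV as a 48-hour floor, threat-intelligence exploitation signals, and asset-tier awareness. The SLA bands (72 hours, 7 days, 30 days, 48 hours for KEV) are the ones stated in the article; the Medium lower bound of 4.0 is the usual CVSS convention, while the "Unscored-Triage" default band and the one-band tightening for Tier-1 assets are assumptions chosen for illustration. The CVE identifiers are constructed placeholders, not real CVEs.

```python
"""Priority and SLA assignment with and without NVD enrichment (constructed example)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# SLA bands from the article's CVSS threshold model, in hours.
SLA_CRITICAL = 72
SLA_HIGH = 7 * 24
SLA_MEDIUM = 30 * 24
SLA_KEV = 48  # the article's proposed remediation floor for CISA KEV entries
# Next tighter band for each SLA, used to escalate Tier-1 assets (assumption).
TIGHTER = {SLA_MEDIUM: SLA_HIGH, SLA_HIGH: SLA_CRITICAL}


@dataclass
class Finding:
    cve_id: str
    nvd_cvss: Optional[float] = None     # missing for most CVEs after the NVD change
    vendor_cvss: Optional[float] = None  # from MSRC / PSIRT / Oracle CPU style feeds
    in_kev: bool = False                 # listed in CISA KEV
    tip_exploited: bool = False          # exploitation signal from a TIP
    asset_tier: int = 3                  # 1 = core banking, payment gateway, SWIFT


def band_for_score(score: float) -> Tuple[str, Optional[int]]:
    """Map a CVSS base score to the article's bands; 4.0 Medium floor is CVSS convention."""
    if score >= 9.0:
        return "Critical", SLA_CRITICAL
    if score >= 7.0:
        return "High", SLA_HIGH
    if score >= 4.0:
        return "Medium", SLA_MEDIUM
    return "Low", None


def legacy_priority(f: Finding) -> Tuple[str, Optional[int]]:
    """CVSS-first model: only the NVD score counts, so an unscored CVE gets no SLA."""
    if f.nvd_cvss is None:
        return "Informational", None
    return band_for_score(f.nvd_cvss)


def multisource_priority(f: Finding) -> Tuple[str, Optional[int]]:
    """Exploitation-aware model assembled from the article's six steps."""
    if f.in_kev:                       # step 3: KEV is a mandatory floor
        return "KEV", SLA_KEV
    if f.tip_exploited:                # step 4: active exploitation outranks any score
        return "Critical", SLA_CRITICAL
    scores = [s for s in (f.nvd_cvss, f.vendor_cvss) if s is not None]
    if scores:                         # steps 1-2: highest score from any source
        label, sla = band_for_score(max(scores))
    else:                              # step 6: an unscored finding must not vanish
        label, sla = "Unscored-Triage", SLA_MEDIUM   # assumed default band
    if f.asset_tier == 1 and sla in TIGHTER:   # step 6: Tier-1 escalates one band (assumption)
        sla = TIGHTER[sla]
    return label, sla


def coverage_gap(findings: List[Finding]) -> Tuple[int, int]:
    """Count findings with no SLA under the legacy model and under the new model."""
    legacy_missing = sum(1 for f in findings if legacy_priority(f)[1] is None)
    new_missing = sum(1 for f in findings if multisource_priority(f)[1] is None)
    return legacy_missing, new_missing


# Constructed sample findings; the CVE ids are placeholders, not real identifiers.
SAMPLE = [
    Finding("CVE-0000-00001", in_kev=True, asset_tier=2),       # KEV entry, no NVD score
    Finding("CVE-0000-00002", vendor_cvss=8.1),                 # vendor PSIRT scored it only
    Finding("CVE-0000-00003", nvd_cvss=9.3),                    # NVD still enriched it
    Finding("CVE-0000-00004", tip_exploited=True),              # TIP sees active exploitation
    Finding("CVE-0000-00005", vendor_cvss=5.5, asset_tier=1),   # Medium, but on a Tier-1 asset
    Finding("CVE-0000-00006"),                                  # nothing from any source
]

if __name__ == "__main__":
    for f in SAMPLE:
        print(f.cve_id, "legacy:", legacy_priority(f), "multi-source:", multisource_priority(f))
    print("findings without SLA (legacy, multi-source):", coverage_gap(SAMPLE))
```

Run as-is, the legacy model leaves five of the six sample findings with no SLA at all, including the KEV entry and the actively exploited one; the multi-source model assigns every one of them a deadline. The `coverage_gap` count is the kind of figure worth retaining alongside the revised procedure as audit evidence that the NVD change was identified and measured, per step 5.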

Conclusion

NIST's April 2026 NVD narrowing exposes a dependency that most vulnerability management programs never stress-tested: the assumption that every CVE would arrive with a CVSS score. For Saudi financial institutions subject to SAMA CSCC Domain 3 requirements, the gap between what NVD now provides and what your compliance program expects must be closed before your next regulatory examination. The institutions that respond by diversifying their vulnerability intelligence sources — and decoupling patch prioritization from NVD enrichment alone — will maintain operational effectiveness and a defensible compliance posture. Those that do not will face both regulatory scrutiny and real operational blind spots in a threat landscape where attackers require no NVD data at all.

Is your organization prepared? Contact Fyntralink for a complimentary SAMA Cyber Maturity Assessment — including a review of your vulnerability management program against SAMA CSCC Domain 3 requirements.