Federal Vulnerability Programs Face Funding Crises as Critical Flaws Exploited in the Wild Recent disclosures highlight growing strain on U.S. cybersecurity infrastructure, as key vulnerability tracking programs grapple with funding shortages and operational delays. In early 2024, the National Institute of Standards and Technology’s (NIST) National Vulnerability Database (NVD) accumulated a backlog of thousands of unprocessed vulnerabilities—a bottleneck that persists today. Meanwhile, the Common Vulnerabilities and Exposures (CVE) program, supported by the Cybersecurity and Infrastructure Security Agency (CISA), narrowly avoided a contract lapse, exposing the security community’s dependence on its continuity. Lawmakers, including Rep. Bennie Thompson (D-Miss.) and Rep. Zoe Lofgren (D-Calif.), have urged the Government Accountability Office (GAO) to assess federal support for these programs, following an audit of the NVD by the Commerce Department’s Office of the Inspector General. The scrutiny comes as real-world attacks exploit unpatched flaws, underscoring the urgency of resolving these systemic issues. ### Active Exploits and Urgent Patches CISA recently added CVE-2025-52163, a high-severity missing authorization vulnerability in Digiever DS-2105 Pro network video recorders, to its Known Exploited Vulnerabilities (KEV) catalog. Federal agencies were directed to mitigate or retire affected systems by January 12, as attackers actively target the flaw. Separately, MongoDB issued an urgent warning for CVE-2025-14847, a critical remote code execution (RCE) vulnerability that could enable server takeovers. The company urged immediate patching to prevent exploitation. ### Disclosure Disputes and Ethical Concerns In an unrelated incident, Eurostar, the high-speed rail operator, accused security researchers at Pen Test Partners of blackmail after they disclosed four vulnerabilities in the company’s AI chatbot via its vulnerability disclosure program. The dispute raises questions about the boundaries of responsible disclosure and corporate responses to security findings. As federal programs struggle to keep pace with emerging threats, the delays in vulnerability tracking and patching leave organizations—and critical infrastructure—exposed to increasingly sophisticated attacks.

DigiEver, a manufacturer of DVRs, became the target of a new Mirai botnet variant which exploits a remote code execution vulnerability in their DS-2105 Pro DVRs. Akamai researchers found that this vulnerability allowed botnet operators to inject malicious code and maintain persistence on infected IoT devices. As a result, the compromised DVRs are used for further spreading the malware and brute-forcing operations. The targeted devices are about a decade old, often without the support of their manufacturers, leaving them without security updates. The incident underscores the risks associated with outdated firmware and hardware in IoT devices, which can be co-opted into botnets for large-scale cyber attacks.

A new variant of the Mirai botnet has been identified as targeting DigiEver DS-2105 Pro DVRs, exploiting a vulnerability that allows attackers to commandeer the devices. The botnet, known as 'Hail Cock Botnet', has been active since September 2024, compromised devices in the wild, particularly IoT devices, and incorporated improved encryption with ChaCha20 and XOR decryption algorithms. This campaign involved exploiting unpatched RCE vulnerabilities, with the outdated DigiEver DS-2105 Pro DVR being ten years old and therefore likely lacking updates from the manufacturer. It signifies a lack of security measures for retired or aging hardware, resulting in the botnet's ability to proliferate and potentially bring about further malicious activity.