The CVE Close Call

4–21–2025 (Monday)

Hello, and welcome to The Intentional Brief - your weekly video update on the one big thing in cybersecurity for middle market companies, their investors, and executive teams.

I’m your host, Shay Colson, Managing Partner at Intentional Cybersecurity, and you can find us online at intentionalcyber.com.

Today is Monday, April 21, 2025, and we’re continuing to monitor a bunch of cyber news to try to distil out what’s important.

I’ll flag the follow-up items up front here, and you can pull the articles below to read the full brief. Those items include:

But despite all of that - we’ve got more pressing news to cover this week: the demise (or not) of the CVE.

The CVE Close Call

If you’ve missed this kerfuffle over the past week, I’ll help recap.

News broke mid-week that funding for the Common Vulnerabilities and Exposures database run by MITRE - more commonly known as CVEs - would end on Wednesday, the day this news was reported.

As we know, funding cuts continue from the current administration - impacting everyone from higher education to CISA - and the CVE program was caught up in this process as MITRE held the contract from the US Department of Homeland Security.

The problem, however, is that the majority of vulnerability and remediation efforts, particularly for large enterprises and government agencies at all levels, rely on these CVE ratings to help determine severity of a newly identified vulnerability and triage the level of urgency needed in response.

This function is particularly helpful because of both the volume of vulnerabilities being discovered and the technical research required to accurately determine - or even estimate - their severity.

In 2024, there were more than 40,000 CVEs recorded, or one new vulnerability about every 13 minutes, 24 hours per day, 7 days per week, 365 days per year.

And, the rate of discovery is increasing, rising 39% from 2023 to 2024.

Now, before you stop this video to run out and overhaul your vulnerability management approach, the CVE work at MITRE received an eleven-month extension on its funding before the end of Wednesday. Small comfort - especially when other information sharing mechanisms like ISACs have also had their funding cut.

Where does this leave us on the middle market side? We’ll have to look for other ways to triage severity, whether that’s from vendors or from our own research.

While we wait out the next 11 months, it’s a good opportunity to revisit your policies and procedures around vulnerability management to see if and how CVE data supports it. Look into your tools. Imagine a world without it. And then begin to defend accordingly.

Like many things lately, if we can’t trust that something will be there in a way that we can rely on, we’re going to make other plans that don’t take that dependency. What a theme for 2025.

Fundraising

From a fundraising perspective, we saw a counterintuitively banner week, totaling more than $32B in newly committed capital, including:

  • $4.6B from Founders Fund for their third growth equity fund, busting through its $3B target

  • $5.4B from Linden Capital Partners for its sixth, healthcare-focused buyout fund

  • $2.3B from Morgan Stanley Investment Management for its third PE co-investment fund; and

  • Last but not least, EQT secured over $10B in commitments for its ninth pan-Asia buyout fund.

At the same time, the Financial Times is reporting that China is pulling back from US Private Equity investments, which is not small news considering how the FT frames it:

“These Chinese funds are among the world’s biggest investors in alternative assets. In 2023, CIC and Safe each had about a quarter of their respective $1.35tn and $1tn of assets invested in alternatives, according to data provider and consultancy firm Global SWF.”

That’s more than $580B if those numbers are accurate.

At the same time, the FT’s other headline reads “Private equity goes ‘risk off’ as it pauses dealmaking” due to “economic uncertainty unleashed by US tariffs.” The Wall Street Journal wrote a very similar article with the headline “Private Equity World Engulfed by Perfect Storm” - closing with a quote that reads:

“We already thought 2025 was going to be a challenging year for distributions. It’s going to be even harder than we thought.”

With that, let’s get back to work.

A reminder that you can find links to all the articles we covered below, find back issues of these videos and the written transcripts at intentionalcyber.com, and we’ll see you next week for another edition of the Intentional Brief.

Links

https://www.secondariesinvestor.com/yale-sells-up-to-6bn-of-its-pe-portfolio-amid-federal-funding-challenge/

https://krebsonsecurity.com/2025/04/trump-revenge-tour-targets-cyber-leaders-elections/

https://www.msn.com/en-us/news/technology/top-venture-capital-firm-insight-partners-confirms-it-was-hit-by-cyberattack/ar-AA1znh5I

https://www.npr.org/2025/04/15/nx-s1-5355895/doge-musk-nlrb-takeaways-security

https://www.nextgov.com/cybersecurity/2025/04/user-russian-ip-address-tried-log-nlrb-systems-following-doge-access-whistleblower-says/404574/

https://www.theregister.com/2025/04/16/homeland_security_funding_for_cve/

https://www.bleepingcomputer.com/news/security/cisa-extends-funding-to-ensure-no-lapse-in-critical-cve-services/

https://www.ft.com/content/478c1c64-8923-4ec2-858d-670b30ae44f9

https://www.ft.com/content/881caf17-b629-4eaa-817d-016c50409e24

https://www.wsj.com/finance/investing/private-equity-world-engulfed-by-perfect-storm-2a2da2ad
