Beyond CVEs: Why Automotive Cyber Threat Intelligence Must Cast a Wider Net

The recent volatility of CVE funding is a wake-up call for the automotive industry to rethink its risk and threat intelligence strategy.

In the world of cybersecurity, especially for automotive and smart mobility stakeholders, the ability to anticipate and mitigate threats is everything. While CVEs have long served as a foundational element of vulnerability management, they were never meant to be the sole source of truth for cyber threat intelligence in the mobility ecosystem. Recent developments around the CVE program’s funding crisis highlight just how risky it is to rely exclusively on this single thread of intelligence. True cyber resilience demands a more expansive and adaptive approach—one that reflects the complexity and velocity of today’s threat landscape.

The recent disruption in CVE funding by the US Department of Homeland Security has sparked concern across the industry. The program, long considered a linchpin in vulnerability tracking, now faces an uncertain future. This upheaval is more than just administrative—it underscores a deeper reality: CVEs are necessary, but they are far from sufficient.

TLDR: In April 2025, the cybersecurity community faced a significant jolt when the US Department of Homeland Security (DHS) declined to renew its longstanding contract with MITRE Corporation to manage the CVE program. 

This decision threatened to abruptly halt a 25-year-old cornerstone of global cybersecurity, potentially leaving organizations worldwide without a centralized system for tracking software vulnerabilities. In response to mounting concerns, the Cybersecurity and Infrastructure Security Agency (CISA) intervened at the eleventh hour, executing an 11-month contract extension to maintain the program’s operations. 

Despite this temporary reprieve, the incident underscored the fragility of relying on a single government-funded entity for such a critical resource. It also ignited discussions about transitioning the CVE program to an independent nonprofit foundation to ensure its long-term sustainability and neutrality.

Indeed, CVE data is inherently reactive. It tracks known vulnerabilities, often long after they’ve been discovered and exploited in the wild. For the automotive industry—where vehicles are rolling software-defined IoT platforms, and attackers are increasingly sophisticated—this delay can prove costly.

Expanding the Automotive Cyber Intelligence Net into the Deep & Dark Web

Cyber resilience demands a proactive, layered approach. Here’s what that looks like:

• Deep and Dark Web Monitoring: Threat actors rarely advertise their exploits on surface web channels. Forums, marketplaces, and encrypted chat platforms in the deep and dark web are where plans are traded, credentials are sold, and zero-days are discussed. Monitoring these spaces provides early warning of targeted threats, leaked telematics data, or compromised dealership credentials.
• On-Board and Off-Board Threat Intelligence: Resilience isn’t just about knowing what vulnerabilities exist—it’s about understanding how attackers exploit them across the vehicle’s entire attack surface. Cybersecurity teams must monitor malicious activity across the entire connected vehicle ecosystem—both on-board and off-board. On-board components include critical in-vehicle systems such as ECUs, IVIs, telematics units, CAN traffic, and sensor networks. Off-board assets encompass the external touchpoints that interact with the vehicle, including mobile apps, diagnostic tools, key fobs, IoT devices, charging infrastructure, and third-party APIs. Achieving true protection requires comprehensive visibility across both sides of the digital handshake—where data flows in and out of the vehicle.
• Automotive-Specific TTPs: Generic threat intelligence doesn’t cut it for this sector. Executives need visibility into tactics, techniques, and procedures (TTPs) that are specific to vehicles, ECUs, APIs, charging infrastructure, and IoT fleet management systems.
• Telemetry and Data Correlation: Combining threat intel with internal telemetry from connected vehicle systems—such as telematics, ADAS, and OTA platforms—helps detect unusual behaviors or correlations tied to known malicious indicators.
• Collaborative Intelligence Sharing: Participating in sector-specific threat sharing communities like the Auto-ISAC or collaborating with specialized CTI providers ensures timely updates on industry-relevant threats and mitigations.

Adopting a Future-Proof Resilience Approach

As connected vehicles evolve into software-defined platforms and the EV ecosystem expands, the attack surface grows exponentially. Waiting for threats to be catalogued in CVEs is akin to locking the doors after a break-in. Automotive security leaders must empower their organizations with intelligence that is dynamic, contextual, and forward-looking.

The future of automotive cybersecurity lies not in a single source of truth, but in a mosaic of insights—where CVEs are one tile in a much broader picture. To stay ahead, OEMs, Tier-1s, and mobility service providers must embrace cyber threat intelligence strategies that are as interconnected and adaptive as the systems they protect.