diff --git a/server/vulnerabilities/nvd/cpe.go b/server/vulnerabilities/nvd/cpe.go
index 415bf5703a..9ae7d6ec28 100644
--- a/server/vulnerabilities/nvd/cpe.go
+++ b/server/vulnerabilities/nvd/cpe.go
@@ -372,6 +372,11 @@ var (
 func mutateSoftware(software *fleet.Software, logger log.Logger) {
 	for _, transformer := range softwareTransformers {
 		if transformer.matches(software) {
+			defer func() {
+				if r := recover(); r != nil {
+					level.Warn(logger).Log("msg", "panic during software mutation", "softwareName", software.Name, "softwareVersion", software.Version, "error", r)
+				}
+			}()
 			transformer.mutate(software, logger)
 			break
 		}
diff --git a/server/vulnerabilities/nvd/cpe_test.go b/server/vulnerabilities/nvd/cpe_test.go
index 8219ef101e..a439676a71 100644
--- a/server/vulnerabilities/nvd/cpe_test.go
+++ b/server/vulnerabilities/nvd/cpe_test.go
@@ -2134,7 +2134,7 @@ func TestMutateSoftware(t *testing.T) {
 		},
 	} {
 		t.Run(tc.name, func(t *testing.T) {
-			mutateSoftware(tc.s, log.NewNopLogger())
+			require.NotPanics(t, func() { mutateSoftware(tc.s, log.NewNopLogger()) })
 			require.Equal(t, tc.sanitized, tc.s)
 		})
 	}