What is a CVE? A comprehensive guide to CVEs

CVE information helps formalize threat intelligence for cyber security practitioners as they work to stay up to date on the vulnerabilities and threats faced by their organizations. Aside from providing valuable prioritization and remediation insights, indexing CVEs ensures that the cyber security community can work from the same data as a starting point - vital when it comes to vulnerabilities affecting common software and systems.

Orani Amroussi | March 28, 2023

The war against malicious cyber attacks is a constant challenge in cyber security. Day in and day out, bad actors attempt to exploit system weaknesses in order to compromise data. To make sense of the many threats organizations face, CVEs are uncovered and announced by security experts on a regular basis. But what is a CVE, and how does identifying and labeling them help fight cyber attacks? In this guide, we’ll address everything you need to know about CVEs and the threat intelligence community that rallies to protect computer systems around the world.

What Is a CVE?

CVE stands for “Common Vulnerability and Exposure”. CVEs are publicly shared, documented security flaws: weaknesses in widely used applications or products that can be used to breach user privacy or to take control of a computer or a network of computers. There are notable exceptions, such as the Spectre vulnerability, where the weakness lay in hardware rather than software.

When a CVE is discovered, security teams go through a rigorous process to prioritize and address related threats to protect computer systems against cyber attacks.

What is the difference between a vulnerability and an exposure?

When dealing with cyber security risks and management, two main elements are involved: vulnerability and exposure.

Vulnerability

A CVE vulnerability is about measuring the likelihood that a specific attack will cause harm to an asset.  

Exposure 

Exposure deals specifically with what can be impacted by a specific attack. It might be the location of a data center or the value that people place on one particular product, its functions, or its features.

Where vulnerability is about assessing how likely it is that exposure to a threat will cause harm, exposure is about understanding what could be affected and what specifically could happen if it were attacked.

What are some common vulnerabilities and exposures?

Most CVEs involve one of three common scenarios:

CVEs based on configuration

Numerous CVEs affect an application or system only when using an uncommon configuration. If the majority of users use a common configuration, those who use a lesser-known setting could be targeted when that option hasn’t undergone more robust testing.

CVEs from compromised access

Servers and networks offer different forms of access to systems, and cyber attackers are constantly seeking ways to gain entry to systems that aren’t fully protected. Using multi-factor authentication helps protect computers from these kinds of CVEs; even if one vulnerability is exploited, more credentials are required to compromise the system.

CVEs that compromise perimeter controls

The rise in remote work and the use of cloud computing has led to more CVEs that compromise a network’s perimeter. Perimeter controls govern the communication between outside sources and a physical network location.

This means bad actors will continuously seek ways to penetrate firewalls, gateways, and the like, to compromise where data passes from servers to people across the world or when going to and from the cloud.

How does the CVE discovery process work?

Alerting the cyber security community of potential threats requires a system for recognizing and validating a threat, adding it to shared global databases, and discovering solutions. 

When a threat is discovered, it must be identified and isolated from other existing vulnerabilities. Once there is a known issue, it is reported, listed with other threats, and managed in global databases.

Bug bounties

Developers often offer bug bounties when rolling out new features or preparing to release a new app. Bug bounty programs are designed to encourage people to attempt to hack an app to expose its vulnerabilities and make it a secure application for the masses to use. Developers offer rewards or money to encourage people to discover vulnerabilities that can be fixed before a major release.

Bug bounties are a double-edged sword, however. While white hat hackers (or ethical hackers) are interested in earning a reward to make products safer, a bad actor may look for an exploit and choose not to report a CVE, meaning they can later use that threat to steal data or hold the developer ransom.

What are the main criteria for a CVE? 

There are three main elements to establishing a CVE and assigning it a number to be included in databases:

  • There has to be an established fix for the vulnerability that is unique and separate from any other issue.
  • The vendor has to recognize and acknowledge that there is a security issue.
  • The threat that is discovered can only impact a single codebase. Flaws affecting more than one product are assigned as separate CVEs.

This third criterion is important in the discovery and reporting process because vulnerabilities can impact multiple sets of code or shared libraries. When there is potential for a threat to affect multiple codebases, each one has to be separately identified and assigned a unique identifier.

What is CVSS?

CVSS stands for the Common Vulnerability Scoring System. This scoring system is designed to help security experts evaluate the severity level for every individual CVE that is discovered and documented. CVSS provides an open set of standards to measure a CVE’s impact from the lowest degree of 0.0 to the highest degree of 10.0.

What is EPSS?

EPSS stands for the Exploit Prediction Scoring System. Like CVSS, EPSS is used to help determine how likely a CVE is to be exploited and how high a priority it should be given.

EPSS uses a scoring scale from 0–100%, and it focuses solely on the threat itself, not on environmental factors or compensating controls. EPSS is most effective when used in conjunction with CVSS.
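As an added example (not code from the article or from Vulcan Cyber), the script below ranks a constructed set of findings first by CVSS alone and then by CVSS combined with EPSS, showing why the two scores are used together. EPSS is expressed here as a probability from 0.0 to 1.0 (the article's 0–100% divided by 100), and the tier thresholds are hypothetical policy values.

```python
"""Rank constructed findings by CVSS alone versus CVSS combined with EPSS."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Finding:
    cve_id: str
    cvss: float  # CVSS base score, 0.0 (lowest) to 10.0 (highest)
    epss: float  # EPSS probability of exploitation, 0.0 to 1.0


# Constructed sample data: IDs and scores are illustrative, not published values.
SAMPLE = [
    Finding("CVE-2023-0001", cvss=9.8, epss=0.02),  # critical, but rarely exploited
    Finding("CVE-2023-0002", cvss=7.5, epss=0.91),  # high, and very likely exploited
    Finding("CVE-2023-0003", cvss=4.3, epss=0.01),
    Finding("CVE-2023-0004", cvss=9.1, epss=0.65),
]


def rank_by_cvss_only(findings: List[Finding]) -> List[str]:
    """Severity-only ordering: what a CVSS-driven patch queue looks like."""
    return [f.cve_id for f in sorted(findings, key=lambda f: -f.cvss)]


def tier(f: Finding) -> str:
    """Assign a remediation tier; thresholds are hypothetical policy choices."""
    if f.epss >= 0.5 and f.cvss >= 7.0:
        return "P1"  # severe and likely to be exploited: patch first
    if f.epss >= 0.5 or f.cvss >= 9.0:
        return "P2"  # either likely exploited or critical severity
    if f.cvss >= 7.0:
        return "P3"
    return "P4"


def prioritize(findings: List[Finding]) -> List[Tuple[str, str]]:
    """Order by tier, then by EPSS, then by CVSS; returns (tier, cve_id) pairs."""
    ranked = sorted(findings, key=lambda f: (tier(f), -f.epss, -f.cvss))
    return [(tier(f), f.cve_id) for f in ranked]


if __name__ == "__main__":
    print("CVSS only:   ", rank_by_cvss_only(SAMPLE))
    print("CVSS + EPSS: ", prioritize(SAMPLE))
```

Note how CVE-2023-0002 moves from third place under CVSS alone to the top once exploit likelihood is taken into account.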

While CVSS and EPSS can be valuable frameworks when it comes to prioritizing threats, the Vulcan Cyber risk management platform uses a more sophisticated process and methodology that focuses on identifying the most pressing vulnerabilities based on unique business context.

Where can I find a list of CVEs? 

CVE entries don’t include full technical data about risks and impacts, so several different databases are designed to provide a ranking system for levels of risk, along with resources for protecting systems against every listed CVE. 

The most prominent CVE listing databases are provided by MITRE and the CVE Program.

Other databases include:

  • The US National Vulnerability Database (NVD)
  • The Carnegie Mellon CERT/CC Vulnerability Notes Database
  • VulnRX

MITRE and the MITRE ATT&CK framework

As a national security-focused non-profit organization, MITRE acts as a database and an independent advisor. They use a systems-based approach through public-private partnerships in multiple industries and academia to source solutions for CVEs.

MITRE has been involved in cutting-edge technology dealing with national security since 1958 but refocused all of its attention on cyber security from 2020 onwards.

The MITRE ATT&CK framework is the global knowledge base of every known attack technique to provide threat models for the private sector, governments, and professionals in the cyber security industry.

The MITRE ATT&CK framework is used for:

  • Mapping defensive controls
  • Threat hunting
  • Detections and investigations
  • Referencing actors

Who reports on new CVEs? 

Anyone who discovers a vulnerability can report it as a CVE. Most CVEs are found within the software development and cyber security community, but CVEs are also discovered by individuals studying open-source software.

Any vendor, researcher, or general user can find a flaw and bring it to the cyber security community’s attention. 

CVE-reporting government agencies

In addition to technology companies, independent organizations, and individuals, government entities are involved in reporting and security management.

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) publish findings on vulnerability exploits.

The NVD is the National Vulnerability Database, a US government repository that uses the Security Content Automation Protocol (SCAP) to assist in security processes.

What is a CNA?

A CNA is a CVE Numbering Authority. CNAs are IT vendors, security companies, and research organizations that are trusted with assigning identifiers to discovered CVEs. In addition to CNAs like IBM, Oracle, and Microsoft, CVEs are also issued directly by MITRE. There are currently over 100 CNAs.

What are the benefits of sharing CVEs?

In addition to the bug bounties mentioned before, it’s beneficial to share CVEs in the following ways:

  • Protecting systems from CVEs that already exist
  • Alerting the cyber security community of the kinds of vulnerabilities that are likely to occur in the future
  • Guiding developers to create software that is less likely to contain vulnerabilities

When an entity doesn’t disclose a known CVE, it can place millions of users at risk, as was the case when Blackberry didn’t report a known CVE that impacted many other products that did disclose the risk.

Everyone benefits when the entire tech community shares the responsibility of reporting vulnerabilities and encouraging users to use patches and safeguards.

What is a CVE number/identifier?

Every year, thousands of security flaws are discovered and reported. They are subsequently included in databases, advisory boards, and bug trackers.

Every time a new CVE is found, the CNA who discovered it assigns that CVE a unique numeric ID—its CVE number. These are used to give the cyber security community a way to reliably recognize every new vulnerability. As a result, the community can work together to develop security tools and solutions to protect people’s systems from each new threat.

In order for a vulnerability to be recognized, validated, and assigned a CVE ID, there is a strict process outlined here by CVE.org.
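As an added example (not code from the article or from CVE.org), the script below validates CVE identifiers and pulls them out of free text such as an advisory. The ID syntax it checks, the `CVE-` prefix, a four-digit year and a sequence number of at least four digits, is the CVE Program's published format rather than something stated on this page; the advisory text is constructed.

```python
"""Validate CVE identifiers and extract them from free text."""
import re
from typing import List, Optional, Tuple

# CVE ID syntax: prefix, four-digit year, then a sequence number of four or more digits.
CVE_ID_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")
CVE_IN_TEXT_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE)

# Constructed advisory text for the demonstration; the IDs are ones the article discusses.
SAMPLE_ADVISORY = (
    "Constructed advisory: patch CVE-2021-44228 (Log4j) and cve-2022-30190 (Follina) first. "
    "Internal ticket CVE-2022-123 is a typo, not a CVE ID, and should be ignored."
)


def parse_cve_id(text: str) -> Optional[Tuple[int, int]]:
    """Return (year, sequence) for a well-formed CVE ID, or None when it is malformed."""
    m = CVE_ID_RE.match(text.strip().upper())
    if not m:
        return None
    year, seq = int(m.group(1)), int(m.group(2))
    if year < 1999:  # the CVE list began in 1999, so earlier years cannot be valid
        return None
    return year, seq


def extract_cve_ids(text: str) -> List[str]:
    """Collect every well-formed CVE ID in the text, normalized to upper case, deduplicated and sorted."""
    found = {m.group(0).upper() for m in CVE_IN_TEXT_RE.finditer(text)}
    return sorted(i for i in found if parse_cve_id(i) is not None)


if __name__ == "__main__":
    print(extract_cve_ids(SAMPLE_ADVISORY))
```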

How many CVEs are there?  

As of February 2023, CVE Details reports 196,654 known CVEs listed and ranked with the CVSS. Different databases offer slightly different numbers, but all of them are around 197,000 and rising.

What is a CWE?

CWE stands for Common Weakness Enumeration. The CWE community has developed a set of standards and descriptors to act as a shared language for describing and defining the many types of weaknesses that a CVE can attack. 

The CWE helps cyber security experts understand the technical reasons behind a vulnerability to facilitate diagnosis and resolution.

What are some of the most notable CVEs?

CVEs have been used in ransomware, state-sponsored ransomware, and even as Trojan horse attacks for mining cryptocurrency. The following are several real-world examples of the threat CVEs represent.

CVE-2024-6387 – RegreSSHion

CVE-2024-6387, dubbed regreSSHion, was identified in the OpenSSH server in July 2024. This vulnerability enables remote unauthenticated attackers to execute arbitrary code on the target server, presenting a severe risk to systems that utilize OpenSSH for secure communications.

CVE-2021-44228 – Log4j

The log4j vulnerability was discovered in a Java logging package in 2021. The initial threat was so severe it led to legal actions from the Federal Trade Commission (FTC) when Equifax failed to make the required patch update, exposing personally identifiable data for millions of consumers. Equifax ended up paying $700 million in settlements as a result.

Log4j kept its notorious reputation when the fixes revealed new vulnerabilities, each requiring federal agencies’ involvement to further protect consumers.

CVE-2022-30190

CVE-2022-30190, known as Follina, affects the Microsoft Support Diagnostic Tool (MSDT). With MSDT being part of every single Windows installation, security researchers discovered that this ubiquitous vulnerability was being exploited in the wild within days of its being publicized. Attackers make use of this vulnerability to install payloads including information stealers like Qbot (also known as Pinkslipbot or Qakbot) and AsyncRAT, a variety of remote access trojan (RAT) that lets attackers take control. Alarmingly, while Follina was first discovered back in May 2022, and possibly exploited as long as a month earlier, Microsoft did not release a patch until late June.

CVE-2022-0847

Linux users used to believe they were safe from the vulnerabilities and malware affecting other operating systems. However, due to the prevalence of Linux-based application servers for critical business and government functions, the number of Linux-targeted attacks is expected to increase. Recently, a vulnerability was discovered in Linux, following closely after PwnKit. CISA has confirmed that the vulnerability is actively being exploited.

CVE-2023-23397 

CVE-2023-23397 is a critical privilege elevation vulnerability in Microsoft Outlook for Windows. It was assigned a CVSSv3 score of 9.8 and was exploited in the wild. The vulnerability can be exploited by sending a malicious email to an Outlook version that is vulnerable. It is strongly advised that the vulnerability be patched as soon as possible. 

CVE-2023-22501

CVE-2023-22501 impacts Jira Service Management Server and Data Center versions. It can allow an attacker to impersonate a user and access a Jira Service Management instance. Atlassian recommends that users patch their systems immediately. However, it’s impossible to determine if the instance has been compromised. After updating with the version-specific JAR file, users can view a list of potentially affected accounts.

CVE-2021-21974

CVE-2021-21974 is a heap overflow flaw in OpenSLP, which is used in ESXi. Malicious actors in the same network segment can take advantage of it. VMware issued patches in 2019, but many ESXi servers remain unpatched and vulnerable, with ransomware campaigns taking advantage of it.

CVE-2023-25610

CVE-2023-25610 is a critical vulnerability discovered in the FortiOS and FortiProxy administrative interfaces. It can be used to execute code or cause a denial-of-service condition without requiring authentication. Fortinet’s security teams discovered the flaw internally. Fortinet has issued patches to address the problem.

About the Voyager18 team

Voyager18 is the in-house Vulcan Cyber team of cyber security research experts. Backed by artificial intelligence (AI) and machine learning, we map relevant techniques to specific CVEs, including their descriptions, CWE, and CVSS data, discovering patterns that indicate the tactics and techniques of different CVEs.

CVE data gets security practitioners on the same page and helps organizations stay secure.

Find out for yourself: What makes Vulcan Cyber vulnerability management different?

Our automation accelerates risk remediation across infrastructure, cloud, and applications. Organizations that are ready to benefit from our comprehensive enterprise management and remediation system can try it free today. If you’re ready to protect your organization with the best cyber risk remediation, schedule a time for us to demonstrate the Vulcan Cyber enterprise solution with specific, customized functions for your security team.