
What is CVE (Common Vulnerabilities and Exposures)?

Andrew Pla|Updated September 24, 2024

CVE, AKA Common Vulnerabilities and Exposures, is a published list of reported security vulnerabilities, each assigned a unique, standardized ID. Used globally, the CVE list allows organizations to identify known vulnerabilities and their severity levels so that they can prioritize their remediation efforts. Here’s a CVE cheat sheet that might come in handy when you want to flex in front of the new CTO.

What’s the difference between a vulnerability and an exposure? 

A vulnerability is a flaw or weakness in IT systems, hardware, or software that can be directly exploited by bad actors for security breaches. Examples include software bugs and weak data encryption.  

An exposure is a situation that indirectly increases the risk of security exploits — but it’s not necessarily a flaw. If you leave software unpatched, which allows known vulnerabilities to persist, that’s an exposure (and a dicey move in IT).

What is the CVE Program?

Started in 1999, the CVE Program is a universal system for identifying and recording common hardware and software security vulnerabilities. The CVE Program was started by the MITRE Corporation, a nonprofit organization in the U.S. that runs government-funded research and development centers.

How are CVEs identified and recorded?

The process of identifying and publishing a CVE record includes the following steps:

  1. Discovery: A vulnerability is discovered.

  2. Reporting: Individuals/organizations report the vulnerability to a CVE numbering authority (CNA).

  3. Verification: The vulnerability is assessed to verify that it meets the qualifying criteria for vulnerabilities.

  4. CVE ID request: Once verified, a CVE identifier (CVE ID) is requested and reserved.

  5. Submission: Details of the vulnerability are submitted to the CVE Program.

  6. Publishing: When published, the CVE record or entry includes a description of the vulnerability and relevant references, like vulnerability reports or advisories.

What is a CVE Numbering Authority? 

A CVE Numbering Authority is an entity or organization with the authority to assign CVE IDs and publish CVE records related to their respective businesses or technologies. For instance, Adobe Systems Incorporated is authorized to identify and record vulnerabilities within Adobe products only.

CVE IDs

Each vulnerability is assigned a unique identifier by a CVE Numbering Authority with the following format: CVE-YYYY-NNNNNNN. For those who don’t already know, the year indicates when the CVE was published rather than when it was discovered. (That’s at least worth a point or two at the next company trivia night. You’re welcome.)

What is the Common Vulnerability Scoring System (CVSS)?

The Common Vulnerability Scoring System (CVSS) is a standardized system for scoring vulnerabilities and categorizing them by severity level based on their characteristics.

CVSS metrics are split into four groups: Base, Threat, Environmental, and Supplemental. Most published CVSS ratings use just the Base Score. A CVSS score ranges from 0 to 10 and is measured using the CVSS calculator. CVSS scores allow organizations to determine the exploitability and potential impact of known vulnerabilities discovered in their environment so they can prioritize appropriate next steps.
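The two ideas above (the CVE-YYYY-NNNN identifier format and the 0-10 CVSS base score used for prioritization) are easy to get wrong in a script that ingests scanner output, so here is a small added Python example, not code from the article or from PDQ. It assumes the CVE ID syntax of a four-digit year followed by a sequence number of at least four digits (the article's "NNNNNNN" stands for a sequence of variable length), uses the CVSS v3.x qualitative bands (None, Low, Medium, High, Critical) to label base scores, and works on constructed sample findings rather than real CVE records.

```python
import re
from typing import NamedTuple

# Syntax of a CVE identifier: the literal prefix "CVE-", a four-digit year,
# and a sequence number of at least four digits (longer sequences are valid).
_CVE_ID_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")


class CveId(NamedTuple):
    year: int
    sequence: int

    def __str__(self) -> str:
        # Pad the sequence to at least four digits so the canonical form round-trips.
        return f"CVE-{self.year}-{self.sequence:04d}"


def parse_cve_id(text: str) -> CveId:
    """Validate and split a CVE ID; raises ValueError on anything malformed."""
    match = _CVE_ID_RE.fullmatch(text.strip().upper())
    if match is None:
        raise ValueError(f"not a valid CVE ID: {text!r}")
    return CveId(int(match.group(1)), int(match.group(2)))


def severity_band(base_score: float) -> str:
    """Map a CVSS v3.x base score (0.0-10.0) to its qualitative severity rating."""
    if not 0.0 <= base_score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {base_score}")
    if base_score == 0.0:
        return "None"
    if base_score < 4.0:
        return "Low"
    if base_score < 7.0:
        return "Medium"
    if base_score < 9.0:
        return "High"
    return "Critical"


def prioritize(findings: list[tuple[str, float]]) -> list[tuple[str, float, str]]:
    """Normalize IDs, drop malformed ones, and order by base score (highest first).

    Each returned row is (canonical CVE ID, base score, severity band).
    """
    triaged = []
    for raw_id, score in findings:
        try:
            cve = parse_cve_id(raw_id)
        except ValueError:
            # A scanner export line that is not a well-formed CVE ID is skipped
            # rather than silently treated as a vulnerability.
            continue
        triaged.append((str(cve), score, severity_band(score)))
    # Highest score first; ties fall back to the ID string for a stable order.
    triaged.sort(key=lambda row: (-row[1], row[0]))
    return triaged


# Constructed sample findings (hypothetical IDs and scores, not real CVE records).
SAMPLE_FINDINGS = [
    ("cve-2023-12345", 7.5),   # lowercase prefix, still valid after normalization
    ("CVE-2022-0004", 9.8),    # minimum four-digit sequence
    ("CVE-2021-123", 5.0),     # malformed: sequence shorter than four digits
    ("CVE-2024-99999", 3.1),   # five-digit sequence
]

if __name__ == "__main__":
    for cve_id, score, band in prioritize(SAMPLE_FINDINGS):
        print(f"{cve_id:<16} {score:>4}  {band}")
```

Run stand-alone, the script lists the three well-formed findings in priority order (Critical, High, Low) and drops the malformed one; in a real pipeline the dropped line would be logged, since a mangled ID usually means a scanner export or parsing problem upstream.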

Top CVE databases

Different CVE databases provide different types of vulnerability information and analyses that can enhance your vulnerability management program — from severity ratings to details of known exploits. The top CVE databases include:

Notable CVEs

There are vulnerabilities, and then there are vulnerabilities. Here are some that (despite their somewhat charming names) still plague our dreams, a cautionary reminder to never let down our guard.

How to choose a vulnerability scanner

In 2023 alone, approximately 29,000 new vulnerabilities were discovered. With this number growing each year, IT teams increasingly need to rely on security tools like vulnerability scanners to keep their environments secure (and the cold, hard fear of data breaches to a minimum).

When choosing a vulnerability scanner for your organization, here are some important features to consider.

  • Ease of use

  • Scan functionality

  • Scan coverage

  • Attack surface visibility

  • Contextualized prioritization

  • Reporting details

  • Scalability

  • Vendor reputation and support


Automate the tedious steps of vulnerability management with PDQ Connect: our end-to-end patch management solution. Let PDQ Connect inventory your software and flag vulnerabilities that you can patch in just one click. And should something go wrong with a patch (which would totally not be Microsoft’s fault, of course), use PDQ Connect’s built-in remote desktop control and access feature to get things back up and running again. Try PDQ Connect free for 14 days.

Andrew Pla

Andrew loves automation, PowerShell, and building tools that last. He has spent nearly a decade in IT with a focus on automation, infrastructure, and toolmaking. He has a passion for sharing knowledge and prefers humans to computers, and is a host of the PowerShell Podcast and a Microsoft MVP.
