Glossary

CVE (Common Vulnerabilities and Exposures)

A standardized identifier for publicly disclosed software vulnerabilities, assigned and tracked by the NVD (National Vulnerability Database).

Definition

A CVE (Common Vulnerabilities and Exposures) is a unique identifier for a publicly disclosed security flaw in software or hardware. CVE IDs follow the format CVE-YYYY-NNNN, where YYYY is the year of disclosure and NNNN is a sequence number.

Example: CVE-2023-12345 is a specific flaw assigned in 2023.

Why CVEs Matter

CVEs enable standardized communication about vulnerabilities:

  • Tracking – Organizations can track whether their systems are affected
  • Prioritization – Patching can be ordered by severity
  • Coordination – Vendors, researchers, and defenders use the same reference
  • Intelligence – Threat intelligence can link attacks to specific CVEs

CVE Details

Each CVE includes:

  • CVE ID – Unique identifier
  • Description – What the vulnerability is and its impact
  • CVSS Score – Severity rating (0-10)
  • Affected Software – Which versions of which products are vulnerable
  • References – Links to vendor patches and technical details
  • Status – Unpatched, partially patched, or patched

CVE Lifecycle

  1. Discovery – Researcher finds a vulnerability
  2. Responsible Disclosure – Researcher contacts vendor
  3. Vendor Patch Development – Vendor develops and tests a fix
  4. CVE Assignment – CVE ID is assigned
  5. Public Disclosure – Details are released; patch becomes available
  6. Public Exploitation – Attackers develop tools to exploit the vulnerability

The time between disclosure and exploitation can range from days to months.

CVE Severity & Prioritization

Not all CVEs are equally critical:

  • CVSS 9-10 (Critical) – Immediate patching needed
  • CVSS 7-8.9 (High) – Patch within days or weeks
  • CVSS 4-6.9 (Medium) – Patch within weeks or months
  • CVSS 0-3.9 (Low) – Lower priority

However, threat context matters more than CVSS scores. A medium-severity CVE exploited by active threat actors may be more urgent than a critical CVE not yet publicly exploited.

Real-World Example

CVE-2023-34960 (Critical):

  • Vulnerability in widely used web server software
  • CVSS score: 9.8 (Critical)
  • Patch released immediately
  • Threat actors actively exploit within 48 hours
  • Organizations must patch urgently

Organizations that prioritize by CVSS alone will patch this CVE immediately—correctly.

CVE-2023-10001 (Critical):

  • Vulnerability in niche enterprise software
  • CVSS score: 9.6 (Critical)
  • Patch released
  • No threat actors developing exploits
  • Threat landscape favors other vulnerabilities

Organizations that prioritize by CVSS alone will patch this equally urgently—which wastes resources when CVE-2023-34960 is being actively exploited.

Better Prioritization: CVSS + Threat Context

Modern vulnerability management combines:

  1. CVSS score – Technical severity
  2. Threat context – Is this CVE being exploited?
  3. Asset criticality – How important is the affected system?
  4. Exploitability – How easy is it to exploit?
  5. Business impact – What would compromise of this asset cost?

This is why threats.report prioritizes CVEs not just by CVSS, but by real-world exploit activity.
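The five-factor prioritization above, as an added example that is not the glossary's or threats.report's own scoring: it validates the CVE-YYYY-NNNN format from the definition, maps CVSS scores to the glossary's severity bands, and ranks a constructed inventory built from the page's CVE IDs. The weights, the 1..5 asset-criticality and business-impact scales, and CVE-2023-12345's attributes (a medium CVE under active exploitation) are assumptions for illustration.

```python
import re
from dataclasses import dataclass

# CVE-YYYY-NNNN: four-digit year, then a sequence number of at least four digits
CVE_ID_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")

def is_valid_cve_id(cve_id: str) -> bool:
    return CVE_ID_RE.match(cve_id) is not None

def cvss_band(score: float) -> str:
    """Map a CVSS base score to the glossary's four severity bands."""
    if not 0.0 <= score <= 10.0:
        raise ValueError("CVSS base score must lie in 0..10")
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    return "Medium" if score >= 4.0 else "Low"

@dataclass
class Finding:
    cve_id: str
    cvss: float               # 1. technical severity
    exploited_in_wild: bool   # 2. threat context: is it being exploited?
    asset_criticality: int    # 3. assumed scale 1 (low) .. 5 (crown jewel)
    exploit_public: bool      # 4. exploitability: a working exploit is public
    business_impact: int      # 5. assumed scale 1 (minor) .. 5 (severe)

def priority(f: Finding) -> float:
    """Weighted combination of the five factors; the weights are an assumption."""
    if not is_valid_cve_id(f.cve_id):                 # reject malformed IDs early
        raise ValueError(f"malformed CVE ID: {f.cve_id!r}")
    score = f.cvss                                    # 0..10
    score += 10.0 if f.exploited_in_wild else 0.0     # active exploitation dominates
    score += 3.0 if f.exploit_public else 0.0
    return score + f.asset_criticality + f.business_impact   # adds 2..10

def rank(findings: list[Finding]) -> list[str]:
    """CVE IDs ordered from most to least urgent."""
    return [f.cve_id for f in sorted(findings, key=priority, reverse=True)]

# Constructed inventory: the glossary's two critical CVEs plus CVE-2023-12345, the
# page's format example, cast here as a medium CVE that is under active exploitation.
SAMPLE = [
    Finding("CVE-2023-34960", 9.8, True, 3, True, 3),
    Finding("CVE-2023-10001", 9.6, False, 3, False, 3),
    Finding("CVE-2023-12345", 5.3, True, 4, True, 4),
]
```

`rank(SAMPLE)` places the exploited medium CVE ahead of the unexploited critical one, which a CVSS-only sort would not.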
