A CVE (Common Vulnerabilities and Exposures) is a publicly disclosed security flaw that has been assigned a unique, standardised identifier, such as CVE-2021-44228 (the Log4Shell vulnerability). The system exists so that everyone involved in security, from software vendors to penetration testers to patch management teams, can refer to the same vulnerability using the same reference.
The CVE programme is managed by MITRE Corporation and sponsored by the US Cybersecurity and Infrastructure Security Agency (CISA). When a vulnerability is discovered, it is reported to MITRE or to one of the authorised CVE Numbering Authorities (CNAs), which include major vendors like Microsoft, Google, and Apple, as well as security research organisations. The CNA assigns a CVE ID, writes a brief description of the flaw, and publishes the entry once the vendor has had an opportunity to release a fix. This process is known as coordinated disclosure.
A CVE entry itself contains relatively limited information: the unique identifier, a short description of the vulnerability, the affected software and versions, and references to advisories or patches. For deeper context, such as a severity score or known exploitation, organisations typically cross-reference CVEs with the National Vulnerability Database (NVD), which enriches CVE data with CVSS scores, weakness classifications (CWE identifiers), and affected-configuration details (CPE names and version ranges).
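To make the identifier format and the NVD enrichment concrete, here is an added example (not code from the original page or from MITRE/NVD). It validates a CVE ID, pulls the CVSS score, severity and CWEs out of a record, and checks whether a deployed product version falls inside the record's vulnerable CPE ranges. The record is constructed inline and shaped like one entry of the NVD CVE API 2.0 JSON response (an assumption about the schema); the ID is the Log4Shell ID quoted above, but the field values are illustrative and were not copied from NVD.

```python
from __future__ import annotations

import re
from typing import Any

# CVE IDs are "CVE-<year>-<sequence>"; the sequence is at least four digits and
# has had no upper bound since 2014 (CVE-2021-44228 is a five-digit example).
CVE_ID_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")


def parse_cve_id(cve_id: str) -> tuple[int, int]:
    """Validate a CVE ID and return (year, sequence); raise ValueError otherwise."""
    m = CVE_ID_RE.match(cve_id.strip().upper())
    if not m:
        raise ValueError(f"not a well-formed CVE ID: {cve_id!r}")
    return int(m.group(1)), int(m.group(2))


# Constructed record (assumed NVD 2.0 shape). Only the ID is real; the
# description, scores, CWEs and version bounds are illustrative, not NVD data.
SAMPLE_RECORD: dict[str, Any] = {
    "id": "CVE-2021-44228",
    "descriptions": [{"lang": "en", "value": "Illustrative description only."}],
    "metrics": {
        "cvssMetricV31": [{"cvssData": {"baseScore": 10.0, "baseSeverity": "CRITICAL"}}]
    },
    "weaknesses": [
        {"description": [{"lang": "en", "value": "CWE-502"}]},
        {"description": [{"lang": "en", "value": "CWE-917"}]},
    ],
    "configurations": [
        {"nodes": [{"cpeMatch": [{
            "vulnerable": True,
            "criteria": "cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:*",
            "versionStartIncluding": "2.0",
            "versionEndExcluding": "2.15.0",
        }]}]}
    ],
}


def summarise(record: dict[str, Any]) -> dict[str, Any]:
    """Extract the enrichment fields an analyst looks at first: score, severity, CWEs."""
    metrics = record.get("metrics", {}).get("cvssMetricV31", [])
    cvss = metrics[0]["cvssData"] if metrics else {}
    cwes = sorted(
        d["value"]
        for w in record.get("weaknesses", [])
        for d in w.get("description", [])
        if d.get("lang") == "en"
    )
    return {
        "id": record["id"],
        "base_score": cvss.get("baseScore"),
        "severity": cvss.get("baseSeverity"),
        "cwes": cwes,
    }


def version_key(version: str) -> tuple[int, ...]:
    """Numeric dotted versions only ('2.14.1' -> (2, 14, 1)); trailing zeros are
    dropped so that '2.15' and '2.15.0' compare equal. Non-numeric suffixes are ignored."""
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def is_affected(record: dict[str, Any], vendor: str, product: str, version: str) -> bool:
    """True if (vendor, product, version) matches a vulnerable CPE entry in the record."""
    v = version_key(version)
    for config in record.get("configurations", []):
        for node in config.get("nodes", []):
            for match in node.get("cpeMatch", []):
                if not match.get("vulnerable"):
                    continue
                # cpe:2.3:<part>:<vendor>:<product>:<version>:<update>:...
                fields = match["criteria"].split(":")
                if fields[3] != vendor or fields[4] != product:
                    continue
                if fields[5] != "*":  # exact version pinned in the CPE name itself
                    if version_key(fields[5]) == v:
                        return True
                    continue
                lo_inc = match.get("versionStartIncluding")
                lo_exc = match.get("versionStartExcluding")
                hi_inc = match.get("versionEndIncluding")
                hi_exc = match.get("versionEndExcluding")
                if lo_inc and v < version_key(lo_inc):
                    continue
                if lo_exc and v <= version_key(lo_exc):
                    continue
                if hi_inc and v > version_key(hi_inc):
                    continue
                if hi_exc and v >= version_key(hi_exc):
                    continue
                return True
    return False


if __name__ == "__main__":
    print(parse_cve_id("CVE-2021-44228"), summarise(SAMPLE_RECORD))
    print("log4j 2.14.1 affected:", is_affected(SAMPLE_RECORD, "apache", "log4j", "2.14.1"))
    print("log4j 2.15.0 affected:", is_affected(SAMPLE_RECORD, "apache", "log4j", "2.15.0"))
```

Two caveats worth noting when doing this for real: NVD enrichment can lag CVE publication by days, so a freshly published CVE may have no CVSS metrics or CPE ranges yet, and the dotted-numeric comparison above is not a general version-ordering scheme (pre-release tags such as "-beta9" are ignored), so matching against a software inventory needs a parser that understands each ecosystem's versioning rules.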
Not every vulnerability receives a CVE. Issues that are specific to a single deployment, are judged to have no security impact, or are reported and fixed through channels outside the CVE process may never be registered. A CVE catalogue is therefore not a complete picture of the vulnerabilities present in a given environment; misconfigurations and flaws in custom-written code, which make up much of what a penetration test finds, typically have no CVE at all.
When a CVE is published for a product you use, you have a known, documented vulnerability in your environment that is visible to attackers as well as defenders. Proof-of-concept exploit code often appears publicly within days of a CVE being published, and in many cases attackers begin scanning for unpatched systems within hours. The window between disclosure and exploitation has shortened considerably in recent years; increasing automation of vulnerability analysis, including LLM-assisted source code review, is often cited as one contributing factor.
Staying on top of CVEs relevant to your technology stack is a core part of vulnerability management. Vulnerability assessments and penetration tests will commonly reference CVE identifiers in their findings, giving your technical teams a precise and unambiguous starting point for investigating and remediating each issue.