CVE
Definition
CVE (Common Vulnerabilities and Exposures) is the global standard for numbering known security flaws. Each CVE number refers to a specific, documented vulnerability in software or hardware.
CVE (Common Vulnerabilities and Exposures) is the global standard system for identifying and numbering known security vulnerabilities in software and hardware. In 2023 over 29,000 new CVEs were published, a record underscoring the explosive growth in discovered vulnerabilities.
How does CVE work?
Each discovered security flaw receives a unique CVE number in the format CVE-YEAR-SEQUENCE, for example CVE-2024-3094 (the XZ Utils backdoor). MITRE Corporation manages the CVE programme on behalf of the U.S. Department of Homeland Security. CVE Numbering Authorities (CNAs) such as Microsoft, Google and Red Hat can independently assign CVE numbers for vulnerabilities in their products. Each CVE entry contains a description of the vulnerability, affected products and references to patches or mitigations.
CVSS severity score
Each CVE receives a Common Vulnerability Scoring System (CVSS) score from 0.0 to 10.0 indicating severity. Scores of 9.0-10.0 are critical, 7.0-8.9 high, 4.0-6.9 medium and 0.1-3.9 low. The CVSS score is based on factors including exploitation complexity, required privileges, impact on confidentiality, integrity and availability, and whether user interaction is needed. Organisations use CVSS scores to prioritise which vulnerabilities to patch first.
Impact on organisations
CVE databases are the backbone of vulnerability management. Without CVE monitoring, organisations do not know which known vulnerabilities exist in their systems. Attackers often exploit known CVEs within days of publication. The Log4Shell vulnerability (CVE-2021-44228) affected millions of systems worldwide. NIS2 requires systematic vulnerability management. ISO 27001 requires a process for identifying and treating technical vulnerabilities. PCI DSS mandates patching critical vulnerabilities within 30 days.
Protection
Implement a structured vulnerability management programme integrating CVE feeds. Use vulnerability scanners that automatically check against CVE databases. Prioritise based on CVSS score, exploitability and relevance to the specific environment. Automate patching processes where possible. Monitor exploit databases such as CISA Known Exploited Vulnerabilities for actively exploited CVEs.
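As an added example (not DEFION's code or tooling), the script below turns the CVE-YEAR-SEQUENCE format, the CVSS severity bands and the prioritisation rule from the Protection section into working Python: it validates CVE identifiers, maps a CVSS base score to its band, and orders a constructed list of findings by active exploitation (CISA KEV), exposure in the environment and then score. The Finding fields, the placeholder CVE numbers ending in 0000 and the exact ordering policy are assumptions for illustration.

```python
import re
from dataclasses import dataclass

# CVE-YEAR-SEQUENCE: four-digit year, sequence of at least four digits.
CVE_ID = re.compile(r"^CVE-(\d{4})-(\d{4,})$")


def parse_cve_id(cve_id: str) -> tuple[int, int]:
    """Validate a CVE identifier and return (year, sequence); case-insensitive."""
    m = CVE_ID.match(cve_id.strip().upper())
    if not m:
        raise ValueError(f"not a valid CVE identifier: {cve_id!r}")
    return int(m.group(1)), int(m.group(2))


def cvss_severity(score: float) -> str:
    """Map a CVSS base score (0.0-10.0) to its qualitative severity band."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    if score >= 0.1:
        return "low"
    return "none"  # 0.0 falls below the lowest band


@dataclass(frozen=True)
class Finding:
    cve_id: str
    cvss: float
    in_kev: bool            # listed in CISA Known Exploited Vulnerabilities
    internet_facing: bool   # relevance to the specific environment (assumed field)


def prioritise(findings: list[Finding]) -> list[Finding]:
    """Patch order (assumed policy): actively exploited first, then exposed
    hosts, then highest CVSS score, then newest CVE year as a tie-breaker."""
    for f in findings:
        parse_cve_id(f.cve_id)  # reject malformed identifiers up front
    return sorted(findings, key=lambda f: (not f.in_kev, not f.internet_facing,
                                           -f.cvss, -parse_cve_id(f.cve_id)[0]))


# Constructed sample findings; IDs ending in 0000 are placeholders, not real entries.
SAMPLE = [
    Finding("CVE-2023-0000", 9.8, False, False),
    Finding("CVE-2021-44228", 10.0, True, True),   # Log4Shell
    Finding("CVE-2024-3094", 10.0, True, False),   # XZ Utils backdoor
    Finding("CVE-2022-0000", 6.5, False, True),
]

if __name__ == "__main__":
    for f in prioritise(SAMPLE):
        print(f.cve_id, f.cvss, cvss_severity(f.cvss), "KEV" if f.in_kev else "")
```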
How DEFION helps
DEFION provides Continuous Vulnerability Management where the team continuously monitors CVE feeds and prioritises vulnerabilities based on actual risk to the specific environment. Pentests validate whether critical CVEs are practically exploitable.