What Is a CVE?

A CVE (Common Vulnerabilities and Exposures) identifier is a unique name for a publicly disclosed security vulnerability. The CVE Program is operated by the MITRE Corporation and sponsored by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), part of the Department of Homeland Security. It provides a standardized naming convention so that security tools, databases, vendor advisories and practitioners can refer to the same vulnerability without ambiguity.

A CVE identifier looks like this: CVE-2024-12345. The first number is the year in which the ID was assigned or reserved (not necessarily the year the flaw was discovered or disclosed), and the second is a sequence number of at least four digits that grows longer as more IDs are issued in a year.

How a CVE Gets Assigned

Not every bug gets a CVE: the flaw must be a genuine security vulnerability in a publicly available product, and it must be independently fixable, so one root cause normally gets one ID rather than one per symptom. The process typically works like this:

  1. A researcher discovers a vulnerability in software or hardware.
  2. They report it to a CVE Numbering Authority (CNA): the affected vendor, a research organization or CERT, a bug bounty platform, or MITRE itself as the CNA of last resort for products no other CNA covers.
  3. The CNA validates the report and reserves a CVE ID. The ID can be shared privately with the vendor and reporter while a fix is developed; until publication it appears as RESERVED.
  4. Once the issue is public, the CNA publishes the CVE Record to the CVE List at cve.org with a description, affected products and references. NIST's National Vulnerability Database (NVD, nvd.nist.gov) then imports the record and enriches it with a CVSS score, a CWE weakness type and CPE product identifiers.

The time from report to published record ranges from days to months. Under coordinated vulnerability disclosure the reporter gives the vendor a fixed window to ship a fix before details are published; 90 days is the most common policy, and the CVE Record is usually published at the end of that window together with the vendor's advisory.

What Is CVSS?

The Common Vulnerability Scoring System (CVSS), maintained by FIRST (the Forum of Incident Response and Security Teams), is the industry-standard framework for rating the technical severity of a vulnerability on a scale of 0.0 to 10.0. CVSSv3.1 (2019) is still the version most vendor advisories and the NVD publish; CVSSv4.0 was released in November 2023 and is being adopted alongside it. Keep in mind that CVSS rates severity, not risk: the score describes the vulnerability's characteristics, not how exposed a particular organization is to it.

CVSS Severity Ratings

  Score range    Severity    Typical action
  0.0            None        No action required
  0.1 – 3.9      Low         Patch in the next scheduled cycle
  4.0 – 6.9      Medium      Patch within 30–90 days
  7.0 – 8.9      High        Patch within 7–30 days
  9.0 – 10.0     Critical    Emergency patching required

The score ranges and severity names come from the CVSS v3.x and v4.0 specifications. The action column does not: it is a typical remediation SLA, and each organization sets its own windows in its vulnerability management policy.

How CVSS Is Calculated

A CVSS v3.1 score is built from three metric groups: Base (intrinsic characteristics of the flaw that do not change over time), Temporal (exploit maturity, remediation status and report confidence) and Environmental (adjustments for a specific deployment). The Base Score is what vendors and the NVD publish, and it is encoded in a vector string such as CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, which scores 9.8. CVSSv4.0 renames Temporal to Threat and adds a Supplemental group, but the Base metrics below are largely the same.

Base Score Metrics

  • Attack Vector (AV): Network, Adjacent, Local, or Physical. How far away can the attacker be? Network means exploitable across the internet; Physical requires hands on the device.
  • Attack Complexity (AC): Low or High. Must conditions outside the attacker's control be met, such as winning a race condition or first learning something about the target environment?
  • Privileges Required (PR): None, Low, or High. Does the attacker need an account, and if so, an ordinary or an administrative one?
  • User Interaction (UI): None or Required. Must a victim do something, such as open a file or click a link?
  • Scope (S): Unchanged or Changed. Does exploitation cross a security boundary and affect components beyond the vulnerable one, for example a guest escaping to the hypervisor or a script running in the user's browser rather than on the vulnerable server? Scope exists only in v3.x; v4.0 replaced it with separate impact metrics for the vulnerable system and for subsequent systems.
  • Confidentiality, Integrity, Availability (C, I, A): None, Low, or High impact on each pillar of the CIA triad.

Why CVEs and CVSS Matter for Security Teams

Without a standardized vulnerability tracking system, organizations would struggle to:

  • Prioritize which patches to apply first when hundreds of vulnerabilities exist
  • Communicate risk levels to management and stakeholders
  • Integrate threat intelligence into SIEM and vulnerability management tools
  • Meet compliance requirements that mandate tracking and remediating known CVEs

Limitations of CVSS

CVSS is useful but imperfect. The Base Score deliberately ignores where the software runs and whether anyone is actually attacking it, so it measures severity, not risk: a 9.8 in software you don't run is less urgent than a 6.5 on an internet-facing system that attackers are actively exploiting. Weigh these factors alongside the score:

  • Exploitability: Is the vulnerability being exploited, or is public exploit code available? Check CISA's Known Exploited Vulnerabilities (KEV) catalog, which lists CVEs with confirmed in-the-wild exploitation and sets remediation due dates for U.S. federal agencies under BOD 22-01, and sources such as Exploit-DB for published proof-of-concept code.
  • Asset exposure: Is the affected system internet-facing, reachable only from internal networks, or fully isolated? Is the vulnerable component even enabled in your configuration?
  • Compensating controls: Do firewalls, WAFs, authentication in front of the service, or network segmentation reduce real-world risk, and have you verified that they actually block the exploitation path rather than assumed it?
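The following added example (my code, not the page's or CISA's) turns the three factors above into a repeatable triage rule: it indexes a KEV-shaped document by CVE ID, then re-tiers each scanner finding from its CVSS Base Score using KEV membership, internet exposure and documented compensating controls. The KEV document is constructed inline in the shape of CISA's published JSON feed rather than downloaded, and the CVE IDs, hosts, dates and the tier rules themselves are placeholders and assumptions, not real records or a CISA policy.

```python
"""Risk-based triage: CVSS plus exposure, exploitation and controls.

Added example, not code from the page or from CISA. KEV_SAMPLE is a
constructed document in the shape of CISA's published feed
(https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json);
the CVE IDs, hosts and dates below are placeholders, not real records.
"""
import json
from datetime import date

KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "count": 1,
    "vulnerabilities": [{
        "cveID": "CVE-2024-12345",  # placeholder, the same ID the article uses
        "vendorProject": "ExampleVendor",
        "product": "ExampleApp",
        "vulnerabilityName": "ExampleApp authentication bypass",
        "dateAdded": "2024-06-01",
        "requiredAction": "Apply mitigations per vendor instructions or discontinue use.",
        "dueDate": "2024-06-22",
        "knownRansomwareCampaignUse": "Known",
    }],
})

# Constructed scanner output. cvss_base is the published Base Score; the other
# fields come from your asset inventory, which the CVE record cannot know.
FINDINGS = [
    {"asset": "web-01", "cve": "CVE-2024-12345", "cvss_base": 6.5,
     "internet_facing": True, "compensating_control": None},
    {"asset": "build-07", "cve": "CVE-2024-12346", "cvss_base": 9.8,
     "internet_facing": False, "compensating_control": None},
    {"asset": "db-02", "cve": "CVE-2024-12347", "cvss_base": 8.1,
     "internet_facing": False,
     "compensating_control": "reachable only from the app tier"},
]


def load_kev(doc: str) -> dict[str, dict]:
    """Index the KEV feed by CVE ID for constant-time lookups."""
    return {v["cveID"]: v for v in json.loads(doc)["vulnerabilities"]}


def base_tier(score: float) -> int:
    """Priority from CVSS alone: 1 is most urgent, 4 least. Nothing starts at
    P1; that tier is reserved for confirmed exposure or exploitation."""
    if score >= 9.0:
        return 2
    if score >= 7.0:
        return 3
    return 4


def triage(finding: dict, kev: dict[str, dict], today: str) -> tuple[int, list[str]]:
    """Return (tier, reasons) after adjusting the CVSS-only tier for context."""
    score = finding["cvss_base"]
    tier = base_tier(score)
    reasons = [f"CVSS {score} -> P{tier}"]

    entry = kev.get(finding["cve"])
    if entry:
        # Confirmed exploitation in the wild overrides the base score.
        tier = 1 if finding["internet_facing"] else 2
        due = date.fromisoformat(entry["dueDate"])
        days_left = (due - date.fromisoformat(today)).days
        reasons.append(f"in CISA KEV, federal due date in {days_left} days -> P{tier}")
        if entry.get("knownRansomwareCampaignUse") == "Known":
            reasons.append("used in ransomware campaigns")
        return tier, reasons

    if finding["internet_facing"]:
        if score >= 9.0:
            tier = 1
            reasons.append("critical and internet-facing -> P1")
    else:
        tier = min(tier + 1, 4)
        reasons.append(f"not internet-facing -> P{tier}")

    if finding["compensating_control"]:
        tier = min(tier + 1, 4)
        reasons.append(f"compensating control ({finding['compensating_control']}) -> P{tier}")
    return tier, reasons


def triage_all(findings: list[dict], kev: dict[str, dict], today: str) -> list[tuple[int, str, str]]:
    """Sort findings most urgent first as (tier, asset, cve)."""
    return sorted((triage(f, kev, today)[0], f["asset"], f["cve"]) for f in findings)


if __name__ == "__main__":
    kev = load_kev(KEV_SAMPLE)
    for f in FINDINGS:
        tier, why = triage(f, kev, "2024-06-10")
        print(f"P{tier} {f['asset']:9s} {f['cve']}  " + "; ".join(why))
```

With the constructed data the 6.5 on the internet-facing host in KEV comes out P1 while the 9.8 on an internal build server without known exploitation comes out P3, which is the ordering the paragraph argues for. In a real pipeline the KEV feed is fetched fresh (it changes most weeks), the inventory fields come from your CMDB or cloud tags, and any compensating control you credit should be one you have tested against the actual exploitation path.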

Key Takeaways

  • CVEs are standardized identifiers for publicly disclosed security vulnerabilities; the record lives on the CVE List at cve.org and is enriched with scores and product data by the NVD.
  • CVSS scores rate severity from 0.0 to 10.0 from exploitability metrics (how the flaw is reached) and impact metrics (what the attacker gains); the Base Score says nothing about your environment.
  • Always contextualize CVSS scores with your actual exposure, compensating controls, and evidence of exploitation.
  • Use cve.org, the NVD and the CISA KEV catalog as primary references for vulnerability intelligence.