What Are Common Vulnerabilities and Exposures (CVE)?

Common Vulnerabilities and Exposures (CVE) are a set of security threats that are included in a reference system that outlines publicly known risks. The CVE threat list is maintained by the MITRE Corporation, a nonprofit organization that runs federal government-sponsored research and development centers. CVE is sponsored by the U.S. Department of Homeland Security’s National Cyber Security Division (NCSD).

CVE defines vulnerabilities as a mistake within software code, which enables an attacker to gain direct unauthorized access to computer systems and networks and spread malware. This typically allows attackers to pose as system admins or superusers with full access privileges to corporate resources.

CVE defines exposure as errors in software code or configuration, which enable an attacker to gain indirect access to systems and networks. This could allow the attacker to lurk in computer networks and secretly gather sensitive data, user credentials, and customer information.

CVE’s main goal is to help organizations improve their security defenses. It does this by identifying and providing a catalog of software or firmware vulnerabilities and making it available as a free dictionary.

A vulnerability is a flaw in software code that cyber attackers can use to access a computer system and carry out unauthorized actions while posing as a legitimate user. Attackers may use vulnerabilities to execute code, gain access to system memory, install various forms of malware, and steal, delete, or alter sensitive data.

An exposure is different. It is a mistake in software code or configuration that gives an attacker access to a system or network. Data breaches, data leaks, and the sale of personally identifiable information (PII) on the dark web can all result from exposures.

The CVE list and system is maintained by the MITRE Corporation. It provides a standardized method for identifying known security vulnerabilities and exposures. CVE is designed to allow security tools and services to be compared and vulnerability databases to be linked. It provides standard IDs that enable security admins to quickly access information about specific threats.

Importantly, CVE listings only contain a vulnerability’s standard identifier number and status indicator, as well as a brief description and related references to advisories and reports. That means they do not include detailed technical information about the risk, fixes, or impact of the vulnerability. These details are listed in databases like the National Vulnerability Database (NVD) and CERT Coordination Center (CERT/CC) Vulnerability Notes Database (VND).

CVE IDs get assigned to security flaws that meet specific criteria.

A security flaw has to be fixed of other identified bugs independently.

The vendor has to acknowledge that a flaw exists and has a negative impact on organizations’ security. Alternatively, the bug reporter needs to share a vulnerability while demonstrating its negative impact and that it violates affected systems’ security policies.

Flaws that affect more than one codebase or product are given a separate, unique CVE. Those that affect shared libraries, protocols, and standards only get a single CVE if the code cannot be shared without being vulnerable.

Here are three key takeaways when it comes to CVE:

The existence of a CVE does not necessarily mean it applies to an organization’s deployment. It is key to read each CVE to understand and validate whether it applies to applications, configurations, modules, and operating systems in organizations’ unique environments.

It is crucial for organizations to constantly practice vulnerability management, which means identifying, classifying, prioritizing, mitigating, and patching vulnerabilities. This helps them understand how security risks apply to their organization and prioritize any vulnerabilities they need to address. 

CVEs will have an impact on organizations’ systems because of the effects of vulnerabilities and the downtime required to identify, fix, and mediate them. It is crucial for organizations to communicate with their internal customers and share any vulnerabilities with their risk management teams and functions.

The FortiGate next-generation firewalls (NGFWs) allow organizations to discover known vulnerabilities and emerging flaws in their systems and networks. FortiGate does this by filtering network traffic to protect against internal and external threats, as well as through features like packet filtering, Internet Protocol security (IPsec), network monitoring, and Internet Protocol (IP) mapping. 

Fortinet NGFWs also feature advanced network inspection capabilities, which enable organizations to identify and block threats. Further, they enable organizations to evolve their security defenses in line with the threat landscape, helping them protect their networks even as new threats appear.

Common Vulnerabilities and Exposures (CVE) are a set of security threats that are included in a reference system that outlines publicly known risks. 

CVE defines vulnerabilities as a mistake within software code, which enables an attacker to gain direct unauthorized access to computer systems and networks and spread malware. CVE’s main goal is to help organizations improve their security defenses.

Organizations that adopt and deploy CVE-compatible products and services benefit from secure systems and networks. CVE enables security and IT operations (SecOps) teams to improve their organizations’ security posture.