What Is a CVE? Vulnerability Identifiers and Scoring

Updated by SurfaceLoop Team

How does the CVE system work?

The lifecycle of a CVE follows a consistent process:

1. Discovery. A security researcher, vendor, or automated tool identifies a vulnerability in a software product.

2. Reporting. Under coordinated disclosure, the researcher reports the vulnerability to the vendor privately, giving them time to develop a patch before public disclosure. The typical grace period is 90 days, though this varies by disclosure programme.

3. CVE assignment. A CVE Numbering Authority assigns a CVE ID. Major vendors (Microsoft, Google, Red Hat, Apache) are CNAs for their own products. MITRE acts as the CNA of last resort.

4. Public disclosure. The CVE is published to the CVE List with a description, affected products, and references to vendor advisories and patches.

5. NVD enrichment. The National Vulnerability Database analyses the CVE and adds CVSS scoring, CPE (Common Platform Enumeration) data listing affected product versions, and CWE (Common Weakness Enumeration) classification.

A CVE ID has the form CVE-YYYY-NNNN: the year in which the ID was reserved or published (not necessarily the year of discovery), followed by a sequence number of at least four digits with no upper limit, so CVE-2021-44228 and CVE-2024-3094 are both valid. CVE-2024-3094, for example, identifies the XZ Utils backdoor disclosed in March 2024.
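As an added example (not code from the original page or from SurfaceLoop), the following Python validates a CVE ID against that format and pulls IDs out of free text such as a vendor advisory or changelog. Function names are my own; the sample advisory text is constructed for the example and makes no claim about real releases.

```python
import re

# "CVE-" + four-digit year + "-" + a sequence of at least four digits.
# The sequence has no fixed width (CVE-2021-44228 has five digits, some IDs
# have seven), so the prose form "NNNN" means "four or more digits".
_CVE_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")
_CVE_IN_TEXT_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE)

# Constructed sample text, not a real advisory.
SAMPLE_TEXT = (
    "This release addresses cve-2024-3094 (backdoor in liblzma) and "
    "CVE-2021-44228; CVE-2021-44228 is mentioned twice on purpose, and "
    "CVE-2024-123 is malformed and must not be picked up."
)


def parse_cve_id(raw: str):
    """Normalise whitespace and case, then validate and split a CVE ID.

    Returns {"id", "year", "sequence"} or None if the string is not a
    well-formed CVE ID (wrong prefix, short sequence, year before 1999).
    """
    candidate = raw.strip().upper()
    m = _CVE_RE.match(candidate)
    if not m:
        return None
    year, seq = m.groups()
    if int(year) < 1999:  # the CVE programme started in 1999
        return None
    return {"id": candidate, "year": int(year), "sequence": int(seq)}


def extract_cve_ids(text: str) -> list:
    """Return unique, upper-cased CVE IDs found in free text, in first-seen order."""
    seen = []
    for found in _CVE_IN_TEXT_RE.findall(text):
        norm = found.upper()
        if norm not in seen:
            seen.append(norm)
    return seen


if __name__ == "__main__":
    print(extract_cve_ids(SAMPLE_TEXT))       # ['CVE-2024-3094', 'CVE-2021-44228']
    print(parse_cve_id(" cve-2024-3094 "))    # {'id': 'CVE-2024-3094', 'year': 2024, 'sequence': 3094}
    print(parse_cve_id("CVE-2024-123"))       # None
```

The regex deliberately anchors on the four-digit minimum: a naive pattern such as CVE-\d+-\d+ accepts typos like CVE-2024-123, which then silently matches nothing in the NVD.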

What is CVSS and how does severity scoring work?

CVSS (currently at version 4.0, though CVSS 3.1 remains widely used) evaluates vulnerabilities across several metric groups. The Base group below is what the score published in the NVD reflects; the Temporal and Environmental groups (Threat, Environmental and Supplemental in 4.0) adjust it for exploit maturity and for your own deployment. Note that CVSS 4.0 drops the Scope metric in favour of separate impact metrics for the vulnerable system and any subsequent systems.

Base metrics (intrinsic properties of the vulnerability, CVSS 3.1 names):

Metric | What It Measures
Attack Vector | How the attacker reaches the target (Network, Adjacent, Local, Physical)
Attack Complexity | Conditions beyond the attacker's control that must exist for exploitation (Low, High)
Privileges Required | Level of privileges the attacker must already hold (None, Low, High)
User Interaction | Whether a victim must take action (None, Required)
Scope | Whether exploitation affects resources beyond the vulnerable component's security authority (Unchanged, Changed)
Impact (C/I/A) | Effect on Confidentiality, Integrity and Availability (None, Low, High)

Qualitative severity ratings (the CVSS v3.x rating scale) with a typical remediation window:

Score Range | Severity | Typical Response
9.0 - 10.0 | Critical | Patch within 24-72 hours
7.0 - 8.9 | High | Patch within 1-2 weeks
4.0 - 6.9 | Medium | Patch within 30 days
0.1 - 3.9 | Low | Patch in next maintenance cycle
0.0 | None | Informational, no action required

CVSS scores are a starting point, not a complete risk assessment. A Critical CVE in a development environment behind a firewall may be lower priority than a High CVE on an internet-facing production server with no compensating controls.

How do you look up CVE information?

Key resources for CVE information:

  • NVD (nvd.nist.gov) - the primary enriched database with CVSS scores, CPE data, and CWE classification. Searchable by CVE ID, keyword, product, or vendor.
  • MITRE CVE List (cve.org) - the authoritative source for CVE identifiers and descriptions. Less detailed than the NVD but updated faster.
  • CISA KEV (cisa.gov/known-exploited-vulnerabilities-catalog) - lists CVEs confirmed to be actively exploited in the wild. Essential for prioritisation.
  • Vendor advisories - Microsoft, Cisco, Fortinet, and other vendors publish their own advisories with product-specific remediation guidance.
  • Exploit databases - Exploit-DB and PacketStorm archive proof-of-concept exploit code, indicating how easily a CVE can be weaponised.

How SurfaceLoop handles this

SurfaceLoop maps detected software versions on your external assets against the NVD and CISA KEV catalogue. When a CVE affects software running on your infrastructure, you receive an alert with the CVE ID, CVSS score, and specific remediation steps - without needing to manually cross-reference databases.


Why is the CVE backlog a problem?

In early 2024, NIST acknowledged a significant backlog in NVD analysis. The root cause is volume: CVE publication rates have grown from approximately 18,000 per year in 2020 to over 28,000 in 2023, while NVD analysis capacity has not kept pace.

The practical impact: a CVE may be published and assigned an ID but lack a CVSS score, CPE data, or CWE classification for weeks or months. Vulnerability scanners that depend exclusively on NVD enrichment for detection or prioritisation may miss these unenriched CVEs entirely.

Mitigation strategies:

  • Use multiple vulnerability data sources, not just the NVD
  • Monitor vendor advisories directly for products in your environment
  • Treat unscored CVEs in critical software as potentially high-severity until analysed
  • Add complementary signals such as EPSS (Exploit Prediction Scoring System), which estimates the probability that a CVE will be exploited in the wild within the next 30 days, and CISA KEV membership, which confirms exploitation has already happened; neither replaces CVSS, because they measure likelihood of exploitation rather than impact
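The caveat that a CVSS score is a starting point rather than a risk assessment, and the mitigation list above, both come down to one triage rule set. As an added example (not code from the original page or from SurfaceLoop), the following Python combines CVSS score, CISA KEV membership, EPSS probability, exposure and software criticality into a priority tier, treating an unscored CVE in critical software as high until the NVD analyses it. The tier thresholds are a hypothetical policy of my own, and the inventory is constructed: the CVE-0000-000N identifiers are placeholders, not real CVEs.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Finding:
    cve: str                   # placeholder IDs below, not real CVEs
    asset: str
    internet_facing: bool
    cvss: Optional[float]      # None = the NVD has not enriched the record yet
    epss: Optional[float]      # EPSS probability (0..1) of exploitation in the next 30 days
    in_kev: bool               # listed in CISA KEV, i.e. exploitation confirmed in the wild
    critical_software: bool    # e.g. VPN/edge device, identity provider, CI server


def triage_tier(f: Finding) -> int:
    """Map one finding to a tier: 1 = act now ... 4 = routine maintenance.

    Rules, checked in order (hypothetical policy, adjust to your environment):
      1  in KEV and internet-facing
      2  in KEV anywhere; internet-facing with CVSS >= 9.0 or EPSS >= 0.5;
         or an unscored CVE in critical software (assume high until analysed)
      3  CVSS >= 7.0, EPSS >= 0.1, or unscored anywhere
      4  everything else
    """
    unscored = f.cvss is None
    score = 0.0 if unscored else f.cvss
    epss = 0.0 if f.epss is None else f.epss
    if f.in_kev and f.internet_facing:
        return 1
    if (f.in_kev
            or (f.internet_facing and (score >= 9.0 or epss >= 0.5))
            or (unscored and f.critical_software)):
        return 2
    if unscored or score >= 7.0 or epss >= 0.1:
        return 3
    return 4


def prioritise(findings):
    """Order findings by tier, then by EPSS, then by CVSS (highest first)."""
    return sorted(findings, key=lambda f: (triage_tier(f),
                                           -(f.epss or 0.0),
                                           -(f.cvss or 0.0)))


# Constructed sample inventory (placeholder CVE IDs, invented assets and values).
SAMPLE_FINDINGS = [
    Finding("CVE-0000-0001", "dev-db-01 (internal, firewalled)", False, 9.8, 0.02, False, False),
    Finding("CVE-0000-0002", "web-prod-03 (internet-facing)", True, 8.1, 0.91, True, False),
    Finding("CVE-0000-0003", "vpn-edge-01 (internet-facing)", True, None, None, False, True),
    Finding("CVE-0000-0004", "api-prod-02 (internet-facing)", True, 5.3, 0.60, False, False),
    Finding("CVE-0000-0005", "wiki-int-01 (internal)", False, 3.1, 0.01, False, False),
]

if __name__ == "__main__":
    for f in prioritise(SAMPLE_FINDINGS):
        print(f"P{triage_tier(f)}  {f.cve}  cvss={f.cvss}  epss={f.epss}  "
              f"kev={f.in_kev}  {f.asset}")
```

On the sample inventory the Critical 9.8 on the firewalled dev box ends up in tier 3, behind a High that is in KEV on a production web server, a Medium with a 60% EPSS on an internet-facing API, and an unscored CVE on a VPN edge device. That is the ordering the CVSS-only table cannot produce.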

Frequently asked questions

Who assigns CVE identifiers?
CVE identifiers are assigned by CVE Numbering Authorities (CNAs) - organisations authorised by MITRE to assign CVE IDs within their scope. Major vendors like Microsoft, Google, and Red Hat are CNAs for their own products. MITRE acts as the CNA of last resort for vulnerabilities not covered by other CNAs.
What is the difference between CVE and CWE?
A CVE is a specific vulnerability in a specific product (e.g., CVE-2021-44228 in Apache Log4j). A CWE (Common Weakness Enumeration) is a category of vulnerability type (e.g., CWE-502: Deserialization of Untrusted Data). CVEs are instances; CWEs are classes. A single CWE can have thousands of associated CVEs.
How quickly are CVEs published after discovery?
The timeline varies. Under coordinated disclosure, the researcher reports to the vendor, who has a grace period (typically 90 days) to develop a patch before public disclosure. After disclosure, the CVE is published and the NVD enriches it with CVSS scoring. Emergency CVEs for actively exploited vulnerabilities may be fast-tracked.
What does it mean when a CVE has no CVSS score yet?
A CVE with no CVSS score is awaiting analysis by the NVD. Due to the volume of CVEs published (80-100 per day), the NVD has a backlog. A missing score does not mean the vulnerability is low severity - it means it has not been analysed yet. Check vendor advisories for severity guidance while waiting for the official score.
