What is CVE?

A CVE (Common Vulnerabilities and Exposures) is a standardised identifier for a publicly disclosed security vulnerability, following the format CVE-YYYY-NNNN, where YYYY is the year of assignment and the sequence number has four or more digits (e.g., CVE-2024-3094). The CVE system is maintained by the MITRE Corporation and funded by CISA.

How CVEs are assigned

CVE Numbering Authorities (CNAs) assign CVE IDs when vulnerabilities are reported. Major software vendors like Microsoft, Google, and Red Hat are CNAs for their own products. MITRE serves as the CNA of last resort for vulnerabilities not covered by other authorities.

CVE lifecycle

  1. Discovery - a researcher or vendor identifies a vulnerability
  2. Assignment - a CNA assigns a CVE ID
  3. Publication - the CVE is published to the CVE List (cve.org)
  4. Enrichment - the NVD adds CVSS scores, CPE data, and CWE classification

Why CVEs matter for attack surface management

Internet-facing assets running software with known CVEs are prime targets for attackers. Automated scanners match detected software versions against CVE databases to identify exploitable weaknesses. SurfaceLoop continuously scans external assets for known CVEs and alerts when new vulnerabilities affect your infrastructure.
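The version-matching step described above, as an added example that is not SurfaceLoop's or MITRE's code: it validates CVE ID format, then matches a constructed asset inventory against constructed CVE records (placeholder IDs, not real advisories) using simple dotted-numeric version ranges rather than full CPE matching.

```python
"""Match an asset inventory against CVE records by affected version range.

Added example, not SurfaceLoop code. The CVE records and the asset
inventory are constructed sample data; the CVE IDs are placeholders.
"""
import re
from dataclasses import dataclass

# CVE-YYYY-NNNN: four-digit year, sequence number of four or more digits.
CVE_ID_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")

def is_valid_cve_id(cve_id: str) -> bool:
    """Return True when the identifier follows the CVE-YYYY-NNNN format."""
    return bool(CVE_ID_RE.match(cve_id))

def parse_version(v: str) -> tuple:
    """Turn '1.24.0' into (1, 24, 0) so versions compare numerically.
    Assumes plain dotted-numeric versions (no suffixes like '-rc1')."""
    return tuple(int(p) for p in v.split("."))

@dataclass
class CveRecord:
    cve_id: str
    product: str
    introduced: str   # first affected version (inclusive)
    fixed: str        # first fixed version (exclusive)
    cvss: float       # NVD-style base score, used for prioritisation

# Constructed CVE records with placeholder IDs (not real advisories).
CVE_DB = [
    CveRecord("CVE-0000-00001", "openssh", "8.0", "9.6", 8.1),
    CveRecord("CVE-0000-00002", "nginx", "1.18.0", "1.25.0", 7.5),
]

# Constructed inventory of external assets: host -> [(product, version)].
ASSETS = {
    "web-01": [("nginx", "1.24.0"), ("openssh", "9.6")],
    "bastion": [("openssh", "9.3")],
}

def affected(record: CveRecord, product: str, version: str) -> bool:
    """True when the installed version falls in the record's affected range."""
    if record.product != product:
        return False
    v = parse_version(version)
    return parse_version(record.introduced) <= v < parse_version(record.fixed)

def find_exposures(assets, cve_db, min_cvss: float = 0.0):
    """Return (host, product, version, cve_id) for every matching record
    whose CVSS score is at least min_cvss, in inventory order."""
    hits = []
    for host, software in assets.items():
        for product, version in software:
            for rec in cve_db:
                if rec.cvss >= min_cvss and affected(rec, product, version):
                    hits.append((host, product, version, rec.cve_id))
    return hits
```

Raising min_cvss is how a scanner would surface only high-severity exposures first; note that a host on the first fixed version (openssh 9.6 here) correctly produces no hit.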