CVE Detection: Finding Known Vulnerabilities

Updated By SurfaceLoop Team

How CVE detection works for internet-facing assets. Covers vulnerability identifiers, CVSS scoring, scanning tools, and prioritising remediation.

What is a CVE and why does it matter?

The CVE system is maintained by the MITRE Corporation and sponsored by the US Cybersecurity and Infrastructure Security Agency (CISA). When a vulnerability is reported through coordinated disclosure, a CVE Numbering Authority (CNA) - MITRE itself, the affected vendor, or another authorised organisation - assigns a unique identifier; for example, CVE-2024-3094 identifies the XZ Utils backdoor.

Each CVE entry contains:

  • CVE ID - the unique identifier (CVE-YYYY-NNNN format, where the sequence number has four or more digits)
  • Description - what the vulnerability is and which products and versions are affected
  • References - links to vendor advisories, patches, and technical details
  • CVSS score - a severity rating from 0.0 to 10.0, supplied by the CNA or added later by NVD (see below)

The National Vulnerability Database (NVD), maintained by NIST, enriches CVE entries with additional metadata including CVSS scores, affected product versions (CPE data), and weakness classifications (CWE).

According to NIST’s NVD dashboard, over 28,000 CVEs were published in 2023, and the rate continues to accelerate. No security team can manually track this volume - automated CVE detection is essential.

How does CVE detection work for external assets?

The detection process follows three stages:

1. Service discovery. The scanner identifies what services are running on each IP address and port - web servers, mail servers, VPN gateways, database interfaces, API endpoints.

2. Version fingerprinting. For each service, the scanner determines the software and version. Techniques include:

  • Banner grabbing - reading the service identification string (e.g., Server: Apache/2.4.49)
  • HTTP header analysis - extracting version information from response headers
  • Response fingerprinting - matching unique response patterns to known software versions
  • Error page analysis - default error pages often reveal the server software and version
  • Favicon hashing - matching favicon files to known application frameworks

3. CVE matching. Detected software versions are compared against vulnerability databases (NVD, vendor advisories, exploit databases) to identify known CVEs affecting those versions. Each match produces a finding with the CVE ID, CVSS score, description, and remediation guidance.

The accuracy of external CVE detection depends on how precisely the scanner can identify software versions. Version strings in HTTP headers are reliable when present, but many organisations strip or obfuscate them as a security measure - which reduces both the attacker’s and the scanner’s ability to identify vulnerable software.
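The three stages above, worked through as an added example (not SurfaceLoop's code): four constructed HTTP responses stand in for what an external scanner captures, the fingerprinter tries the Server header first and falls back to an Apache default error-page signature, and matching runs against a constructed excerpt shaped like NVD cpeMatch entries for the real Apache httpd 2.4.49/2.4.50 path-traversal CVEs. The banner-to-CPE mapping is an assumption kept deliberately small. The host behind a stripped "Server: cloudflare" header produces no version and therefore no match, which is the false-negative case the paragraph above describes.

```python
"""Three-stage external CVE detection over captured HTTP responses (illustrative)."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample responses, as a scanner would capture them from four hosts.
SAMPLE_RESPONSES = {
    "203.0.113.10:80": b"HTTP/1.1 200 OK\r\nServer: Apache/2.4.49 (Unix)\r\nContent-Type: text/html\r\n\r\n<html></html>",
    "203.0.113.11:80": b"HTTP/1.1 404 Not Found\r\nServer: nginx/1.18.0\r\nContent-Type: text/html\r\n\r\n<html></html>",
    # Header obfuscated by a CDN: no version can be recovered from the banner.
    "203.0.113.12:443": b"HTTP/1.1 200 OK\r\nServer: cloudflare\r\nContent-Type: text/html\r\n\r\n<html></html>",
    # No Server header, but the default Apache error page still leaks the version.
    "203.0.113.13:80": (b"HTTP/1.1 404 Not Found\r\nContent-Type: text/html\r\n\r\n"
                        b"<html><body><h1>Not Found</h1><address>Apache/2.4.50 (Debian) "
                        b"Server at 203.0.113.13 Port 80</address></body></html>"),
}

# Banner product name -> CPE vendor:product. Assumed mapping; real scanners carry a large table.
PRODUCT_TO_CPE = {"apache": "apache:http_server", "nginx": "nginx:nginx"}

# Constructed excerpt in the shape of NVD cpeMatch data (only the fields used here are kept).
CVE_RECORDS = [
    {"cve": "CVE-2021-41773", "cvss": 7.5, "cpeMatch": [
        {"criteria": "cpe:2.3:a:apache:http_server:2.4.49:*:*:*:*:*:*:*", "vulnerable": True}]},
    {"cve": "CVE-2021-42013", "cvss": 9.8, "cpeMatch": [
        {"criteria": "cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*", "vulnerable": True,
         "versionStartIncluding": "2.4.49", "versionEndIncluding": "2.4.50"}]},
]

SERVER_HEADER = re.compile(rb"^Server:\s*([A-Za-z][A-Za-z-]*)/([0-9]+(?:\.[0-9]+)*)", re.I | re.M)
ERROR_SIGNATURE = re.compile(rb"<address>([A-Za-z][A-Za-z-]*)/([0-9]+(?:\.[0-9]+)*)")


@dataclass
class Service:
    target: str
    cpe_product: Optional[str]   # e.g. "apache:http_server", None if unidentified
    version: Optional[str]


def parse_version(v: str) -> tuple:
    """Turn '2.4.49' into (2, 4, 49) so versions compare numerically, not lexically."""
    return tuple(int(p) for p in v.split("."))


def fingerprint(target: str, raw: bytes) -> Service:
    """Stage 2: banner grabbing first, then error-page analysis as a fallback."""
    for pattern in (SERVER_HEADER, ERROR_SIGNATURE):
        m = pattern.search(raw)
        if m:
            name = m.group(1).decode().lower()
            return Service(target, PRODUCT_TO_CPE.get(name), m.group(2).decode())
    return Service(target, None, None)


def cpe_match_applies(cpe_product: str, version: str, m: dict) -> bool:
    """Evaluate one NVD-style cpeMatch entry against a product and version."""
    parts = m["criteria"].split(":")
    if ":".join(parts[3:5]) != cpe_product or not m.get("vulnerable", True):
        return False
    v = parse_version(version)
    if parts[5] != "*":                       # exact version in the CPE itself
        return v == parse_version(parts[5])
    if "versionStartIncluding" in m and v < parse_version(m["versionStartIncluding"]):
        return False
    if "versionStartExcluding" in m and v <= parse_version(m["versionStartExcluding"]):
        return False
    if "versionEndIncluding" in m and v > parse_version(m["versionEndIncluding"]):
        return False
    if "versionEndExcluding" in m and v >= parse_version(m["versionEndExcluding"]):
        return False
    return True


def match_cves(svc: Service) -> list:
    """Stage 3: compare the fingerprinted version against the vulnerability records."""
    if svc.cpe_product is None or svc.version is None:
        return []                             # unidentified software: nothing to match (false-negative risk)
    return [(rec["cve"], rec["cvss"]) for rec in CVE_RECORDS
            if any(cpe_match_applies(svc.cpe_product, svc.version, m) for m in rec["cpeMatch"])]


def scan(responses: dict) -> dict:
    """Stage 1 is assumed done (we already have one response per target); run stages 2 and 3."""
    findings = {}
    for target, raw in responses.items():
        svc = fingerprint(target, raw)
        findings[target] = {"cpe": svc.cpe_product, "version": svc.version, "cves": match_cves(svc)}
    return findings


if __name__ == "__main__":
    for target, result in scan(SAMPLE_RESPONSES).items():
        print(target, result)
```

Only the two Apache hosts produce findings; the nginx host is identified but has no matching record, and the CDN-fronted host is not identified at all. In practice the product mapping and the CVE records come from NVD's CPE dictionary and API feed rather than inline literals.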

How SurfaceLoop handles this

SurfaceLoop scans all discovered assets for known CVEs using thousands of detection templates. When a vulnerable software version is identified, findings include the CVE ID, CVSS score, affected version, and specific remediation steps. Scanning runs continuously so newly disclosed CVEs are matched against your assets within hours of publication.


How do you prioritise CVE remediation?

CVSS provides a starting point, but effective prioritisation requires additional context:

Factor - Why it matters

  • CVSS score - Base severity: Critical (9.0+) and High (7.0-8.9) get immediate attention
  • Exploit availability - CVEs with public exploits or active exploitation are urgent regardless of CVSS
  • Asset exposure - Internet-facing assets are higher priority than internal-only systems
  • Business criticality - A CVE on a payment processing server outranks the same CVE on a dev environment
  • Compensating controls - A WAF blocking the attack vector may reduce effective priority
  • Patch availability - CVEs with available patches should be remediated faster than those requiring workarounds

CISA’s Known Exploited Vulnerabilities (KEV) catalogue is a practical prioritisation tool. It lists CVEs confirmed to be actively exploited in the wild. Any CVE on the KEV list should be treated as urgent regardless of its CVSS score - if attackers are already using it, theoretical severity is irrelevant.

According to Verizon’s 2024 Data Breach Investigations Report, exploitation of vulnerabilities as the initial access vector increased by 180% compared to 2023, driven largely by mass exploitation of internet-facing applications.
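The prioritisation factors above combined into a ranking, as an added example that is not SurfaceLoop's scoring. It loads a constructed excerpt shaped like CISA's KEV JSON feed (the dates and ransomware flag are illustrative values, not copied from the catalogue), then scores constructed findings: KEV membership adds more than any CVSS difference can, exposure and business criticality separate the same CVE on two assets, a WAF that blocks the vector subtracts, and a missing patch lowers the score in line with the table's patch-availability row. The weights are assumptions chosen to make those orderings visible; CVE-2024-00001 and CVE-2024-00002 are placeholders, not real identifiers.

```python
"""Rank CVE findings by KEV membership and asset context on top of CVSS (illustrative)."""
import json

# Constructed excerpt in the shape of CISA's KEV feed (only fields used here; values illustrative).
KEV_FEED = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2024-21887", "vendorProject": "Ivanti", "dateAdded": "2024-01-10",
     "dueDate": "2024-01-22", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2023-27997", "vendorProject": "Fortinet", "dateAdded": "2023-06-13",
     "dueDate": "2023-07-04", "knownRansomwareCampaignUse": "Unknown"},
]})

# Constructed findings. CVE-2024-00001 and CVE-2024-00002 are placeholder IDs, not real CVEs.
FINDINGS = [
    {"asset": "vpn.example.com", "cve": "CVE-2024-21887", "cvss": 9.1, "exposure": "internet",
     "criticality": "high", "waf_blocks_vector": False, "patch_available": True},
    {"asset": "dev-vpn.internal", "cve": "CVE-2024-21887", "cvss": 9.1, "exposure": "internal",
     "criticality": "low", "waf_blocks_vector": False, "patch_available": True},
    {"asset": "www.example.com", "cve": "CVE-2024-00001", "cvss": 9.8, "exposure": "internet",
     "criticality": "high", "waf_blocks_vector": True, "patch_available": True},
    {"asset": "api.example.com", "cve": "CVE-2024-00002", "cvss": 7.5, "exposure": "internet",
     "criticality": "medium", "waf_blocks_vector": False, "patch_available": False},
]

# Assumed weights: KEV dominates, then exposure, then business criticality.
KEV_BONUS = 10.0
INTERNET_BONUS = 3.0
CRITICALITY_WEIGHT = {"high": 2.0, "medium": 1.0, "low": 0.0}
WAF_DISCOUNT = 2.0
NO_PATCH_DISCOUNT = 1.0


def load_kev(feed_json: str) -> dict:
    """Index the KEV feed by CVE ID so membership checks are O(1)."""
    return {v["cveID"]: v for v in json.loads(feed_json)["vulnerabilities"]}


def priority(finding: dict, kev: dict) -> tuple:
    """Return (score, reasons). Higher score means remediate sooner."""
    score = finding["cvss"]
    reasons = []
    if finding["cve"] in kev:
        score += KEV_BONUS
        reasons.append(f"CISA KEV (due {kev[finding['cve']]['dueDate']})")
    if finding["exposure"] == "internet":
        score += INTERNET_BONUS
        reasons.append("internet-facing")
    score += CRITICALITY_WEIGHT[finding["criticality"]]
    if finding["waf_blocks_vector"]:
        score -= WAF_DISCOUNT
        reasons.append("WAF blocks attack vector")
    if not finding["patch_available"]:
        score -= NO_PATCH_DISCOUNT
        reasons.append("no vendor patch, workaround only")
    return round(score, 1), reasons


def rank(findings: list, kev: dict) -> list:
    """Sort findings by priority, highest first, keeping the reasons for the analyst."""
    scored = [(priority(f, kev), f) for f in findings]
    scored.sort(key=lambda item: item[0][0], reverse=True)
    return [{"asset": f["asset"], "cve": f["cve"], "score": s, "reasons": r}
            for (s, r), f in scored]


if __name__ == "__main__":
    for row in rank(FINDINGS, load_kev(KEV_FEED)):
        print(f"{row['score']:>5}  {row['asset']:<18} {row['cve']}  {'; '.join(row['reasons'])}")
```

The KEV-listed CVE on the internet-facing VPN ranks first, and the same CVE on the internal dev gateway still outranks a CVSS 9.8 finding that is not in KEV, which is the point of the paragraph above. The real feed is fetched from CISA's published URL; the constants would be tuned to the organisation's own risk appetite.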

What are the most commonly exploited CVE categories?

Categories of internet-facing software most frequently targeted:

VPN and remote access gateways. Devices from Fortinet, Palo Alto Networks, Ivanti (Pulse Secure), Citrix, and Cisco are heavily targeted because they sit at the network perimeter and provide direct internal access when compromised. CVEs like CVE-2023-27997 (Fortinet FortiOS) and CVE-2024-21887 (Ivanti Connect Secure) were exploited at scale within days of disclosure.

Web application frameworks. Vulnerabilities in Apache, Nginx, IIS, and application frameworks (Spring, Laravel, WordPress) affect millions of internet-facing servers. CVE-2021-44228 (Log4Shell) demonstrated how a single library vulnerability can cascade across thousands of applications.

Email servers. Microsoft Exchange vulnerabilities (ProxyShell, ProxyLogon, ProxyNotShell) have been among the most exploited CVEs in recent years, providing attackers with both email access and often full server compromise.

Network edge devices. Firewalls, load balancers, and SD-WAN appliances from vendors like Fortinet, SonicWall, and F5 are attractive targets because they are internet-facing by design and often run outdated firmware.

What is the difference between CVE detection and vulnerability scanning?

Dimension - CVE detection vs. full vulnerability scanning

  • Scope - CVE detection: known CVEs only. Full scanning: CVEs plus misconfigurations and compliance checks.
  • Method - CVE detection: version fingerprinting and matching. Full scanning: active probing, credentialed checks, configuration audit.
  • Authentication - CVE detection: typically unauthenticated. Full scanning: best results with credentials.
  • Depth - CVE detection: identifies that the vulnerability exists. Full scanning: may verify exploitability.
  • Speed - CVE detection: fast (pattern matching). Full scanning: slower (deeper analysis).
  • False positives - CVE detection: version-based matches can be inaccurate. Full scanning: credentialed scans are more accurate.

For external attack surface management, unauthenticated CVE detection is the primary method because credentials are not available from outside the network. The trade-off is that version-based detection produces false positives (the version string matches, but the vulnerable code path is disabled, or the fix was backported by a distribution such as Debian or RHEL without changing the upstream version number) and false negatives (version strings are hidden or obfuscated, so the vulnerable software is never identified).

How do you set up continuous CVE monitoring?

A practical CVE monitoring programme for external assets includes:

1. Complete asset inventory. You cannot scan what you do not know exists. Start with EASM discovery to build a complete inventory of internet-facing assets, including forgotten subdomains, shadow IT, and services deployed outside the security team’s visibility.

2. Automated scanning. Configure scanning to run at least weekly. Critical assets (VPN gateways, email servers, customer-facing APIs) should be scanned daily. Each scan fingerprints software versions and matches against the latest CVE databases.

3. Alerting on new CVEs. When a new CVE is published that affects software detected on your assets, you need to know immediately - not at the next scheduled scan. EASM platforms that ingest CVE feeds in near-real-time can alert within hours of disclosure.

4. Integration with remediation workflows. CVE findings should flow into the same ticketing and alerting systems your team already uses (Jira, ServiceNow, Slack, PagerDuty). This reduces the gap between detection and action.

5. Tracking remediation progress. Monitor time-to-remediation metrics. According to the Qualys TruRisk Research Report 2024, the average time to remediate critical vulnerabilities is 30.6 days - but exploitation often begins within hours. Closing this gap is the primary goal of continuous monitoring.

Frequently asked questions

What is a CVE?

A CVE (Common Vulnerabilities and Exposures) is a unique identifier assigned to a publicly disclosed security vulnerability. Each CVE ID (e.g., CVE-2024-3094) references a specific flaw in a specific product, enabling security teams, vendors, and tools to discuss and track the same vulnerability unambiguously.

How does CVE detection work for external assets?

CVE detection for external assets works by fingerprinting the software versions running on internet-facing services - web servers, VPN gateways, mail servers, APIs - and matching them against databases of known vulnerabilities. This is done without authentication, from the outside, using banner grabbing, HTTP headers, and response fingerprinting.

What is CVSS and how is it used to prioritise vulnerabilities?

CVSS (Common Vulnerability Scoring System) assigns a severity score from 0.0 to 10.0 to each CVE based on factors like attack complexity, privileges required, and impact on confidentiality, integrity, and availability. Scores map to severity levels: Low (0.1-3.9), Medium (4.0-6.9), High (7.0-8.9), and Critical (9.0-10.0).

How often should external assets be scanned for CVEs?

External assets should be scanned at least weekly, with critical infrastructure scanned daily. New CVEs are published at a rate of approximately 80-100 per day, and exploitation of high-severity vulnerabilities often begins within hours of public disclosure. Continuous scanning catches newly disclosed vulnerabilities before attackers find them.

What is the difference between CVE detection and penetration testing?

CVE detection identifies known vulnerabilities by matching software versions against vulnerability databases. Penetration testing goes further by attempting to exploit vulnerabilities, chain findings into attack paths, and demonstrate real-world impact. CVE detection is automated and continuous; penetration testing is manual and periodic.

Can CVE detection find zero-day vulnerabilities?

No. CVE detection only finds known, publicly disclosed vulnerabilities that have been assigned a CVE identifier. Zero-day vulnerabilities are by definition unknown to the public and not yet in vulnerability databases. Detecting zero-days requires different approaches such as anomaly detection, threat intelligence, and manual security research.

What tools are used for CVE detection on external assets?

Common tools include Nuclei (open-source scanner with thousands of CVE detection templates), Nessus (commercial vulnerability scanner), OpenVAS (open-source scanner), and EASM platforms like SurfaceLoop that combine CVE detection with asset discovery. Each tool uses different detection methods - template matching, version fingerprinting, or active probing.
