Incident Command Platform

CVE — Common Vulnerabilities and Exposures

Common Vulnerabilities and Exposures (CVE) is a standardized catalog of publicly disclosed cybersecurity vulnerabilities, each identified by a unique identifier in the format CVE-YEAR-NUMBER. Maintained by the MITRE Corporation and funded by CISA, CVE provides a universal reference system that allows security teams, vendors, and researchers to discuss specific vulnerabilities without ambiguity.

How CVE Works

When a security vulnerability is discovered and responsibly disclosed, a CVE Numbering Authority (CNA) assigns it a unique CVE ID. The CVE entry includes a brief description of the vulnerability, the affected product and versions, and references to vendor advisories and patches. The National Vulnerability Database (NVD) enriches CVE entries with CVSS scores, CWE classifications, and additional technical details. This two-layer system -- CVE for identification, NVD for enrichment -- provides both universal naming and detailed technical analysis.

CVE in Incident Response

During an incident investigation, identifying which CVE the attacker exploited is a critical step in the analysis phase. The CVE ID enables the response team to quickly look up the vulnerability details, understand the attack mechanism, find available patches, and determine whether other systems in the environment are also vulnerable. In the after-action review, the exploited CVE becomes a key data point for remediation recommendations and for demonstrating to regulators that the organization understood the technical root cause.

CVE and Vulnerability Management

Beyond incident response, CVE identifiers are the backbone of vulnerability management programs. Scanning tools report findings using CVE IDs. Patch management systems track remediation by CVE. Compliance frameworks reference CVEs in their control requirements. Regulatory bodies like CISA maintain the Known Exploited Vulnerabilities (KEV) catalog, which lists CVEs that are actively being exploited and requires federal agencies to remediate them within specified timeframes.
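As an added illustration of the CVE-YEAR-NUMBER format, the "are other systems also vulnerable?" check from the incident-response section, and KEV-driven prioritization, here is a small Python example (not IR-OS code). Hosts, scores and CVE IDs are constructed placeholders, and the KEV set is a stand-in for the real CISA catalog.

```python
import re
from dataclasses import dataclass

# CVE ID syntax: "CVE-", a four-digit year, then a sequence number of four or more digits.
CVE_ID_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")

def normalize_cve_id(value: str) -> str:
    """Canonical upper-case form so IDs from different tools compare equal; rejects bad input."""
    m = CVE_ID_RE.match(value.strip().upper())
    if m is None:  # fail loudly: a mistyped or truncated ID must not become a silent "no match"
        raise ValueError(f"not a valid CVE ID: {value!r}")
    return f"CVE-{m.group(1)}-{m.group(2)}"

def parse_cve_id(value: str):
    """Return (year, sequence number) from a CVE ID as found in scanner or advisory text."""
    _, year, seq = normalize_cve_id(value).split("-")
    return int(year), int(seq)

@dataclass(frozen=True)
class Finding:
    host: str
    cve_id: str
    cvss: float  # base score taken from the NVD enrichment layer

def other_vulnerable_hosts(findings, cve_id, incident_host):
    """Hosts other than the compromised one that still carry the exploited CVE."""
    target = normalize_cve_id(cve_id)
    return sorted({f.host for f in findings
                   if f.host != incident_host and normalize_cve_id(f.cve_id) == target})

def remediation_order(findings, kev_ids, exploited_ids):
    """Rank findings: exploited in this incident first, then KEV-listed, then by CVSS."""
    kev = {normalize_cve_id(c) for c in kev_ids}
    exploited = {normalize_cve_id(c) for c in exploited_ids}
    def rank(f):
        cid = normalize_cve_id(f.cve_id)
        tier = 0 if cid in exploited else 1 if cid in kev else 2
        return (tier, -f.cvss, f.host)
    return sorted(findings, key=rank)

# Constructed sample input: hosts and CVE IDs are placeholders, not real entries.
SCAN_FINDINGS = [
    Finding("web-01", "cve-2024-10001", 9.8),  # lower-case, as some tools emit it
    Finding("web-02", "CVE-2024-10001", 9.8),
    Finding("db-01", "CVE-2023-10002", 7.5),
    Finding("web-01", "CVE-2022-10003", 5.3),
]
KEV_SAMPLE = {"CVE-2023-10002"}          # constructed stand-in for the CISA KEV catalog
INCIDENT_EXPLOITED = ["CVE-2024-10001"]  # CVE identified during the investigation
```

Running `other_vulnerable_hosts(SCAN_FINDINGS, INCIDENT_EXPLOITED[0], "web-01")` shows that web-02 shares the exploited CVE, and `remediation_order` puts both web hosts ahead of the KEV-listed database finding.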

Zero-Day vs Known CVE

A zero-day vulnerability has no CVE ID because it has not yet been publicly disclosed. Once the vulnerability is identified and disclosed, it receives a CVE ID and enters the standard vulnerability management lifecycle. Incidents caused by zero-day exploitation are particularly challenging because there is no existing patch, no detection signature, and no documented remediation guidance at the time of the attack.

Track exploited CVEs in your incident record

IR-OS links CVE data to incident timelines for complete forensic context and after-action reporting.
