CVE
CVE is a standardized system that assigns unique identifiers to publicly disclosed cybersecurity vulnerabilities.
What is a CVE?
CVE (Common Vulnerabilities and Exposures) is a global identification system used to uniquely reference publicly known security vulnerabilities. Each CVE ID represents one specific vulnerability, allowing vendors, security teams, and tools to talk about the same issue using a shared identifier.
The CVE program is operated by MITRE and supported by the global security community.
Why CVEs matter
CVEs are essential because they:
- Provide a universal language for vulnerabilities
- Enable correlation across vendors and tools
- Support vulnerability scanning and patch management
- Allow consistent tracking over time
- Improve communication during incidents
Without CVEs, vulnerability management would be fragmented and error-prone.
CVE ID format
A CVE identifier follows this structure:
CVE-YYYY-NNNNN
Where:
- YYYY = year the CVE ID was assigned (not necessarily the year the flaw was introduced or discovered)
- NNNNN = sequence number that makes the ID unique; it has four or more digits, so IDs longer than the placeholder are valid
Example: CVE-2025-12345
The ID itself does not imply severity or impact.
What a CVE includes
A CVE entry typically provides:
- A brief vulnerability description
- Affected product(s) and versions
- References to advisories or research
- Links to patches or mitigations (when available)
Severity scoring is handled separately.
CVE vs CVSS
| Term | Purpose |
|---|---|
| CVE | Identifies what the vulnerability is |
| CVSS | Scores how severe it is |
A CVE can exist without a CVSS score, especially early in disclosure.
CVE vs vulnerability
| Concept | Meaning |
|---|---|
| Vulnerability | The actual security weakness |
| CVE | The identifier referencing that weakness |
Not all vulnerabilities receive a CVE (e.g. misconfigurations).
CVE lifecycle (simplified)
- Vulnerability is discovered
- CVE ID is requested and assigned
- Details are published or updated
- Vendor releases a patch or mitigation
- Exploits may appear in the wild
- Security teams remediate and monitor
CVE entries may evolve as new information emerges.
CVEs in enterprise security
In organizations, CVEs are used to:
- Prioritize patching and remediation
- Drive vulnerability scans
- Trigger SOC alerts and workflows
- Support compliance and audits
- Assess exposure and risk
CVEs are a core input to security operations.
CVEs and active exploitation
Some CVEs are flagged as:
- Actively exploited
- Zero-day
- Critical (high CVSS)
These typically require immediate action.
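As an added example (not from the original page), the snippet below ties together the ID format above, the CVE vs CVSS distinction, and the exploitation flags in this section: it pulls CVE IDs out of free-text scanner output, normalizes them, and ranks them using a separately supplied CVSS score and exploited flag, treating an unscored or unknown ID as "triage" rather than "low risk". All record data, priority thresholds and scan lines are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

# CVE ID syntax: "CVE-", a four-digit year, then a sequence number of four or more digits.
CVE_ID_RE = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b", re.IGNORECASE)


def extract_cve_ids(text: str) -> list[str]:
    """Return de-duplicated, upper-cased CVE IDs found in free text such as scanner output."""
    found: list[str] = []
    for match in CVE_ID_RE.finditer(text):
        cve_id = f"CVE-{match.group(1)}-{match.group(2)}"
        if cve_id not in found:
            found.append(cve_id)
    return found


@dataclass
class CveRecord:
    cve_id: str
    cvss: Optional[float] = None   # None: no CVSS score published yet
    exploited: bool = False        # flagged as actively exploited


def remediation_priority(rec: Optional[CveRecord]) -> int:
    """Lower number = act sooner. The ID alone carries no severity; the decision
    comes from the separate CVSS score and the exploitation flag (thresholds are illustrative)."""
    if rec is None:
        return 2   # ID seen but no record at all: triage it, do not assume low risk
    if rec.exploited or (rec.cvss is not None and rec.cvss >= 9.0):
        return 1   # immediate action
    if rec.cvss is None or rec.cvss >= 7.0:
        return 2   # unscored or high: schedule promptly, review unscored ones manually
    return 3       # routine patch cycle


def triage(scan_text: str, records: dict[str, CveRecord]) -> list[tuple[str, int]]:
    """Pull CVE IDs out of scan output and order them by remediation priority, then by ID."""
    ranked = [(cid, remediation_priority(records.get(cid))) for cid in extract_cve_ids(scan_text)]
    return sorted(ranked, key=lambda item: (item[1], item[0]))


# Constructed sample data (hypothetical scan lines, scores and flags, not real CVE entries).
SAMPLE_SCAN = """host web01: cve-2025-12345 detected in pkg-a
host web01: CVE-2025-12345 detected in pkg-a (duplicate line)
host db02: CVE-2024-0001, CVE-2024-1000001 and CVE-2025-99999 detected
host db02: ref CVE-2023-123 is not a valid ID and is ignored"""
SAMPLE_RECORDS = {
    "CVE-2025-12345": CveRecord("CVE-2025-12345", cvss=5.3),
    "CVE-2024-0001": CveRecord("CVE-2024-0001", cvss=None, exploited=True),
    "CVE-2024-1000001": CveRecord("CVE-2024-1000001", cvss=7.5),
}
```

Calling `triage(SAMPLE_SCAN, SAMPLE_RECORDS)` puts the exploited-but-unscored CVE first and the unknown ID ahead of the scored medium-severity one, which is the behaviour the "No CVE means no risk" and "All CVEs are critical" misconceptions below warn against.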
Common misconceptions
- "A CVE is the exploit": a CVE is an identifier for a weakness, not working exploit code; exploits may or may not exist for it
- "All CVEs are critical": the ID carries no severity; that comes from a separate CVSS score and the context the vulnerable component runs in
- "No CVE means no risk": many weaknesses, such as misconfigurations, never receive a CVE yet still need remediation
- "CVEs automatically mean compromise": a CVE affecting a system means it is exposed, not that it has been exploited