What is CVE? Common Vulnerabilities and Exposures Explained

Abi Tyas Tunggal
updated Sep 14, 2021

Common Vulnerabilities and Exposures (CVE) is a list of publicly disclosed information security vulnerabilities and exposures.

CVE was launched in 1999 by the MITRE corporation to identify and categorize vulnerabilities in software and firmware. CVE provides a free dictionary for organizations to improve their cyber security. MITRE is a nonprofit that operates federally funded research and development centers in the United States.

What is a Vulnerability?

A vulnerability is a weakness which can be exploited in a cyber attack to gain unauthorized access to, or perform unauthorized actions on, a computer system. Vulnerabilities can allow attackers to run code, access system memory, install different types of malware, and steal, destroy or modify sensitive data.

What is an Exposure?

An exposure is a mistake that gives an attacker access to a system or network. Exposures can lead to data breaches, data leaks and personally identifiable information (PII) being sold on the dark web. In fact, some of the biggest data breaches were caused by accidental exposure rather than sophisticated cyber attacks.

What is the Goal of CVE?

The goal of CVE is to make it easier to share information about known vulnerabilities across organizations. 

CVE does this by creating a standardized identifier for a given vulnerability or exposure. CVE identifiers or CVE names allow security professionals to access information about specific cyber threats across multiple information sources using the same common name.

For example, UpGuard is a CVE compatible product and its reports reference CVE IDs. This allows you to find fix information on any CVE compatible vulnerability database.

What are the Benefits of CVE?

CVE allows organizations to set a baseline for evaluating the coverage of their security tools. CVE's common identifiers allow organizations to see what each tool covers and how appropriate they are for your organization. 

Security tools that scan for vulnerabilities and check for threats can use CVE information to search for known attack signatures and identify particular vulnerability exploits as part of any digital forensics process.

Look for security tools with CVE compatibility rather than proprietary vulnerability assessments; it's a great way to reduce your organization's cybersecurity risk.

Who Manages CVE?

MITRE maintains the CVE dictionary and CVE website, as well as the CVE Compatibility Program. The CVE Compatibility Program promotes the use of standard CVE identifiers issued by authorized CVE numbering authorities (CNAs).

Who Sponsors CVE?

CVE is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and US-CERT.

Can Anyone Use CVE?

Yes, CVE is free to use and publicly accessible. CVE is designed to allow anyone to correlate data between different vulnerabilities, security tools, repositories and services. 

Anyone can search, download, copy, redistribute, reference and analyze CVE as long as they don't modify any information.

What is a CVE Entry?

A CVE entry describes a known vulnerability or exposure.

Each CVE entry contains a standard identifier number with a status indicator (e.g. "CVE-1999-0067", "CVE-2014-12345", "CVE-2016-7654321"), a brief description and references to related vulnerability reports and advisories.

Each CVE ID is formatted as CVE-YYYY-NNNNN. The YYYY portion is the year the CVE ID was assigned or the year the vulnerability was made public. 

Unlike vulnerability databases, CVE entries do not include risk, impact fix or other technical information.
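As an added example (not code from the article or from UpGuard), the following Python shows the two ideas from this section in practice: validating and parsing the CVE-YYYY-NNNNN identifier format, and then using the normalized ID as the common key to correlate findings from two different information sources. The scanner output and advisory feed are constructed for the example and stand for any two CVE-compatible tools; `CVE-2021-99999` is a made-up placeholder ID, while the other three IDs are the ones quoted above. Sequence numbers of more than four digits are accepted, which generalizes beyond a fixed five-digit width.

```python
import re
from dataclasses import dataclass

# CVE-YYYY-NNNN...: four-digit year, then a sequence number of at least four digits.
# The article's own examples run from four to seven digits, so no upper bound is set.
CVE_ID_RE = re.compile(r"^CVE-(?P<year>\d{4})-(?P<seq>\d{4,})$")


@dataclass(frozen=True)
class CveId:
    year: int
    sequence: int

    def __str__(self) -> str:
        # Zero-pad to the four-digit minimum so "CVE-1999-0067" round-trips unchanged
        return f"CVE-{self.year}-{self.sequence:04d}"


def parse_cve_id(text: str) -> CveId:
    """Validate and parse a CVE identifier; raises ValueError on malformed input."""
    m = CVE_ID_RE.match(text.strip().upper())
    if not m:
        raise ValueError(f"not a well-formed CVE ID: {text!r}")
    year = int(m.group("year"))
    if year < 1999:  # CVE began in 1999, so an earlier year is a data-entry error
        raise ValueError(f"implausible CVE year in {text!r}")
    return CveId(year, int(m.group("seq")))


def is_valid_cve_id(text: str) -> bool:
    try:
        parse_cve_id(text)
        return True
    except ValueError:
        return False


def normalize(text: str) -> str:
    """Canonical upper-case, zero-padded form used as the correlation key."""
    return str(parse_cve_id(text))


# Constructed output of a hypothetical scanner: lower-case IDs, one malformed record
SCANNER_FINDINGS = [
    {"id": "cve-2014-12345", "host": "web-01", "severity": "high"},
    {"id": "CVE-1999-0067", "host": "web-01", "severity": "medium"},
    {"id": "CVE-2016-7654321", "host": "db-02", "severity": "critical"},
    {"id": "CVE-14-1", "host": "db-02", "severity": "low"},  # malformed on purpose
]

# Constructed advisory feed from a second, hypothetical source with fix information
ADVISORY_FEED = [
    {"cve": "CVE-2014-12345", "fix": "upgrade to 2.4.1"},
    {"cve": "CVE-2016-7654321", "fix": "apply vendor patch"},
    {"cve": "CVE-2021-99999", "fix": "n/a"},  # placeholder ID, not a real record
]


def correlate(findings, advisories):
    """Join findings to advisories on the normalized CVE ID.

    Returns (joined, rejected): joined maps each CVE ID to affected hosts and the
    fix text (None when no advisory mentions it); rejected lists IDs that failed
    validation so they can be reported rather than silently dropped.
    """
    fixes = {normalize(a["cve"]): a["fix"] for a in advisories}
    joined, rejected = {}, []
    for f in findings:
        if not is_valid_cve_id(f["id"]):
            rejected.append(f["id"])
            continue
        key = normalize(f["id"])
        entry = joined.setdefault(
            key, {"hosts": [], "severity": f["severity"], "fix": fixes.get(key)}
        )
        entry["hosts"].append(f["host"])
    return joined, rejected


if __name__ == "__main__":
    joined, rejected = correlate(SCANNER_FINDINGS, ADVISORY_FEED)
    for cve, info in sorted(joined.items()):
        print(cve, info)
    print("rejected:", rejected)
```

Because the join key is the normalized CVE ID rather than each tool's own naming, the same code works for any pair of CVE-compatible sources; the rejected list is worth surfacing, since a malformed ID in a scanner export usually means a record nobody will ever act on.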

Is CVE a Vulnerability Database?

CVE isn't a vulnerability database. CVE is designed to allow vulnerability databases and other tools to be linked together. It also facilitates comparisons between security tools and services. 

Check out the US National Vulnerability Database (NVD) that uses the CVE list identifiers and includes fix information, scoring and other information.

Can Hackers Use CVE to Attack My Organization?

The short answer is yes, but many cybersecurity professionals believe the benefits of CVE outweigh the risks:

  • CVE is restricted to publicly known vulnerabilities and exposures.
  • It improves the shareability of vulnerabilities and exposures within the cybersecurity community.
  • Organizations need to protect themselves and their networks by fixing all potential vulnerabilities and exposures while an attacker only needs to find a single vulnerability and exploit it to gain unauthorized access. This is why a list of known vulnerabilities is so valuable and an important part of network security.
  • The growing agreement for the cybersecurity community to share information is reducing the attack vector of many cyber attacks. This is reflected in widespread acceptance that the CVE Board and CVE Numbering Authorities (CNAs) are key organizations in cybersecurity.

As a concrete example, many believe the ransomware WannaCry, which spread through the EternalBlue vulnerability, would have had less impact if the vulnerability was publicly shared.

What is the CVE Board?

The CVE Board is comprised of cybersecurity organizations including security tool vendors, academia, research institutions, government departments and agencies, security experts and end-users of vulnerability information.

The CVE Board provides critical input regarding data sources, product coverage, coverage goals, operating structure and strategic direction of the CVE program. 

All CVE Board discussions can be found via their email discussion archives and meeting archives. The CVE Board Charter is also publicly accessible.

What are CNAs?

CVE Numbering Authorities (CNAs) are organizations that identify and distribute CVE ID numbers to researchers and vendors for inclusion in public announcements of new vulnerabilities. CNAs include software vendors, open source projects, coordination centers, bug bounty service providers and research groups.

CNAs form a federated system that identifies vulnerabilities and assigns them IDs without directly involving MITRE, which is the primary CNA.

Who are CNAs?

There are currently 104 CNAs in 18 countries including many household names like Microsoft, Adobe, Apple, Cisco, Google, Hewlett Packard Enterprise, Huawei, IBM, Intel, Mozilla, Oracle, Red Hat, Siemens, Symantec, VMWare, Atlassian, Autodesk, Cloudflare, Elastic, GitHub, Kubernetes, Netflix and Salesforce. You can see the full list of CVE numbering authorities here.

What is a Root CNA?

MITRE serves as the primary CNA while root CNAs cover a certain area or niche.

In many cases, a root CNA is a major company like Apple who posts vulnerabilities about its own products. In other cases, the root CNA may be focused on open source vulnerabilities. 

Where is the Latest Version of the CVE list?

The latest version of the CVE list can always be found on the CVE website. While the CVE list is free, it can be hard to know which vulnerabilities affect your organization without additional tools. This is why many organizations now use tools that monitor for changes in the CVE list that affect them.

New CVE identifiers are added daily. Look for sophisticated tools that automatically monitor you and your vendors for vulnerabilities. Managing third-party risks and fourth-party risks is a fundamental part of information risk management and your information security policy. Make vulnerability management part of your vendor risk management, third-party risk management framework and cyber security risk assessment processes.
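The monitoring the two paragraphs above describe can be reduced to a simple check: keep the set of CVE IDs already reviewed, pull the current list, and flag only the entries that are both new and mention software you or your vendors run. The Python below is an added example, not UpGuard's or the CVE program's code. Everything in it is constructed: the IDs `CVE-2021-10001` through `CVE-2021-10005` and their descriptions are placeholders, not real CVE records, and `ExampleHTTPd`, `AcmeCMS` and `UnrelatedDaemon` are invented product names standing in for your inventory.

```python
import re

# Constructed: IDs already reviewed on the previous run (persist this between runs)
SEEN_IDS = {"CVE-2021-10001", "CVE-2021-10002"}

# Constructed: a fresh pull of the list, each entry carrying its ID and brief
# description, which is what a CVE entry provides. These are not real CVE records.
CURRENT_ENTRIES = [
    {"id": "CVE-2021-10001", "description": "Buffer overflow in ExampleHTTPd 2.3 allows remote code execution."},
    {"id": "CVE-2021-10002", "description": "Cross-site scripting in AcmeCMS 5.0 admin panel."},
    {"id": "CVE-2021-10003", "description": "Improper input validation in ExampleHTTPd 2.4 proxy module."},
    {"id": "CVE-2021-10004", "description": "Denial of service in UnrelatedDaemon 1.1."},
    {"id": "CVE-2021-10005", "description": "Path traversal in AcmeCMS 5.1 media upload."},
]

# Constructed inventory: product name -> who owns the risk. A vendor-run product is
# a third-party risk; the point of the owner field is to route the finding correctly.
WATCHLIST = {
    "ExampleHTTPd": "internal web tier",
    "AcmeCMS": "vendor: Acme Hosting (third party)",
}


def new_relevant_entries(entries, seen_ids, watchlist):
    """Return entries not seen before whose description names a watched product.

    Matching is whole-word and case-insensitive so "AcmeCMS" does not fire on
    "AcmeCMSPlugin" and so casing differences between sources do not matter.
    """
    patterns = {
        name: re.compile(rf"(?<![A-Za-z0-9]){re.escape(name)}(?![A-Za-z0-9])", re.IGNORECASE)
        for name in watchlist
    }
    hits = []
    for entry in entries:
        if entry["id"] in seen_ids:
            continue
        matched = [name for name, pat in patterns.items() if pat.search(entry["description"])]
        if matched:
            hits.append({
                "id": entry["id"],
                "products": matched,
                "owners": [watchlist[name] for name in matched],
                "description": entry["description"],
            })
    return hits


def update_seen(entries, seen_ids):
    """Record every ID in this pull so the next run only reports genuinely new entries."""
    return seen_ids | {entry["id"] for entry in entries}


if __name__ == "__main__":
    for hit in new_relevant_entries(CURRENT_ENTRIES, SEEN_IDS, WATCHLIST):
        print(hit["id"], "->", ", ".join(hit["owners"]))
    SEEN_IDS = update_seen(CURRENT_ENTRIES, SEEN_IDS)
```

Keyword matching on the description is the crude first filter; a production monitor would match on structured product data from a vulnerability database such as the NVD, which carries the affected-product and scoring information that a bare CVE entry does not.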

How is a Vulnerability or Exposure Added to CVE?

CVEs are added when a researcher finds a flaw or design oversight in software or firmware. The vendor does not have to see it as a vulnerability for it to be listed as a CVE. That said, the researcher may be required to provide evidence of how it could be used as part of an exploit.

The stronger the claim, the more likely it will be added to CVE and the more likely it will have a high Common Vulnerability Scoring System score in vulnerability databases.  

Potential CVEs reported by established vendors or other trusted parties will generally be added to the CVE list quickly.

Does CVE List All Known Vulnerabilities and Exposures?

CVE does not list all known vulnerabilities and exposures. The goal of CVE is to be comprehensive, but given the scale of vulnerabilities and exposures, it's likely an impossible task for one system to contain everything.

What is the Common Vulnerability Scoring System (CVSS)?

The Common Vulnerability Scoring System (CVSS) is a set of open standards for assigning a number to a vulnerability to assess its severity. CVSS scores are used by the NVD, CERT, UpGuard and others to assess the impact of a vulnerability.

CVSS scores range from 0.0 to 10.0. The higher the number, the higher the severity.

Where to Learn More About CVE

For an exhaustive list of answers to your CVE-related questions, we recommend reading the CVE program's Frequently Asked Questions.

How UpGuard Can Help Protect Your Organization from Vulnerabilities

UpGuard helps companies like Intercontinental Exchange, Taylor Fry, The New York Stock Exchange, IAG, First State Super, Akamai, Morningstar and NASA protect their data and prevent data breaches.

Our data breach research has been featured in the New York Times, Bloomberg, Washington Post, Forbes and TechCrunch.

UpGuard can monitor your organization's and its vendors' websites for issues relating to DNSSEC, SSL, email spoofing, typosquatting, man-in-the-middle attacks and vulnerabilities.

UpGuard BreachSight can help combat typosquatting, prevent data breaches and data leaks, avoid regulatory fines and protect your customers' trust through cyber security ratings and continuous exposure detection.

We can also help you continuously monitor, rate and send security questionnaires to your vendors to control third-party risk and fourth-party risk and improve your security posture, as well as automatically create an inventory, enforce policies, and detect unexpected changes to your IT infrastructure, helping you scale your vendor risk management, third-party risk management and cyber security risk assessment processes.

Cybersecurity is becoming more important than ever before.

Book a demo today.
