Ruslan Rakhmetov, Security Vision
Even though the continuous evolution of cyber threats changes attack techniques and tools, year after year the main methods of attackers remain the same: malware, social engineering (phishing), and exploitation of vulnerabilities in popular software. The number of vulnerabilities grows continuously and non-linearly, and keeping track of them is complicated by the need to verify the information and by the involvement of many stakeholders. When managing vulnerabilities in a company, it is important to build a process around a source of reliable information about vulnerabilities and ways to remediate them. Today we will talk about one such source: the CVE vulnerability database.
CVE (Common Vulnerabilities and Exposures) is a system (a registry, or database) for recording and classifying vulnerabilities. The first entry appeared in September 1999, and by the end of 2000 the registry already contained information about almost two thousand vulnerabilities. Over time, the pace of software development increased together with the demand for automation and information technology, so the worldwide code base grew continuously, and the number of vulnerabilities grew with it. For example, in 2005 almost 7 thousand vulnerabilities were added to the CVE registry, in 2017 about 14.5 thousand, and in 2024 as many as 40 thousand. As a result, the CVE database currently contains more than 270 thousand records of known vulnerabilities. Working with such a large amount of information requires significant resources, so the CVE registry, which started as a research project of MITRE Corporation, over time began to receive funding from various U.S. government agencies and is now sponsored by the Cybersecurity and Infrastructure Security Agency (CISA). At the same time, keeping track of vulnerabilities presupposes international cooperation: CNA organizations (CVE Numbering Authorities, organizations authorized to assign unique identifiers to vulnerabilities) from all over the world make entries in the registry. The list of CNA organizations now contains 447 partners from 40 countries, whereas in 2016 there were only 24 and in 2020 there were 144. In the list of CNA organizations, Russia is represented by Kaspersky and Yandex. The organizational structure of the CVE system consists of a steering committee (the CVE Board), which includes experts from various commercial companies, research institutions and associations, working groups, and a secretariat run by MITRE.
At the same time, a key role in the operation of the CVE registry is played by the TL-Root organizations (Top-Level Roots): MITRE and CISA, the latter also being the only ADP (Authorized Data Publisher) in the CVE structure. TL-Root organizations report to the CVE Board and have the authority to manage the hierarchy of subordinate CNA organizations in their area of responsibility. An ADP has the authority to enrich CVE vulnerability records, but cannot change the original data about the vulnerability reported by the CNA partner. The CVE structure also includes CNA-LR organizations (CVE Numbering Authorities of Last Resort), which can be contacted if no suitable CNA organization accepting reports of the discovered vulnerability could be found; the CNA-LR partners are CISA (for vulnerabilities in automated process control (APCS) systems and medical equipment) and MITRE (for all types of vulnerabilities, including vulnerabilities in Open Source products).
For researchers who discover vulnerabilities, work with the CVE registry proceeds as follows:
1. After the vulnerability is discovered, the person or organization contacts a CVE registry partner.
2. A CVE partner is a CNA or CNA-LR organization; these can be software vendors, vulnerability research companies, Open Source developers, CERT teams, cloud service providers, Bug Bounty program operators, or a consortium of organizations.
3. To have a CVE number registered, you should first read the disclosure policy of the CNA organization to which the report will be sent; its contact details can be found in the general list of partners. CNA partners follow established rules, and to become a CVE partner an organization must meet a number of conditions and apply.
4. After receiving the information from the researcher, the CNA organization reserves a specific CVE ID and begins verifying the information reported by the researcher. The CVE ID has the form CVE-YYYY-NNNN, where YYYY is the year the vulnerability was discovered and NNNN (four or more digits) is its sequence number.
5. If the vulnerability information is confirmed, the CNA organization publishes a record of the vulnerability in the general CVE registry.
Consider as an example the vulnerability record with the ID CVE-2025-1316:
1. The vulnerability page contains a textual description of the vulnerability and a link to the record in JSON format, which contains more detailed information.
2. At the top of the page you can see the publication date of the vulnerability information and a brief description (the Edimax IC-7100 IP camera has a remote code execution vulnerability due to a lack of sanitization of incoming requests), as well as the name of the CNA organization that entered this information into the CVE registry.
3. The page shows CVSS (Common Vulnerability Scoring System) metrics for versions 4.0 and 3.1, with the vector broken down into its components (e.g., AV:N indicates that the vulnerability can be exploited over the network, AC:L that the attack complexity is low, and PR:N that no privileges are required for the attack).
4. The bottom block of the vulnerability record contains information from the ADP organization CISA, which included the vulnerability in the KEV (Known Exploited Vulnerabilities) catalog and classified it using the SSVC (Stakeholder-Specific Vulnerability Categorization) methodology.
5. In addition, the vulnerability page includes a link to the entry in the MITRE CWE (Common Weakness Enumeration) catalog that describes the root cause of the vulnerability in question; in this case it is CWE-78 "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')".
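The following is an added example (not code from the article or from the CVE program) showing how a vulnerability-management pipeline might pull the fields discussed above out of the JSON record: the CVE ID and its format, the description, the CWE, the CVSS vectors decoded into the AV/AC/PR components, and the CISA ADP enrichment (KEV and SSVC). It assumes the CVE JSON 5.1 record layout (cveMetadata, containers.cna, containers.adp with "other" metrics of type "kev" and "ssvc"); the sample record is constructed for illustration and its values are not the real CVE-2025-1316 data.

```python
import re

CVE_ID_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")  # CVE-YYYY-NNNN, four or more sequence digits
CVSS_LABELS = {"AV": {"N": "Network", "A": "Adjacent", "L": "Local", "P": "Physical"},
               "AC": {"L": "Low", "H": "High"}, "PR": {"N": "None", "L": "Low", "H": "High"}}

def parse_cvss_vector(vector):
    """Split 'CVSS:4.0/AV:N/AC:L/...' into (version, {metric: value})."""
    head, *parts = vector.split("/")
    return head.split(":", 1)[1], dict(p.split(":", 1) for p in parts)

def summarize_record(record):
    """Pull the triage-relevant fields out of a CVE JSON 5.x record (layout assumed, see lead-in)."""
    meta, cna = record["cveMetadata"], record["containers"]["cna"]
    if not CVE_ID_RE.match(meta["cveId"]):
        raise ValueError("malformed CVE ID: " + meta["cveId"])
    out = {"id": meta["cveId"], "published": meta["datePublished"], "cna": meta["assignerShortName"],
           "description": next(d["value"] for d in cna["descriptions"] if d["lang"] == "en"),
           "cwes": sorted({d["cweId"] for p in cna.get("problemTypes", []) for d in p["descriptions"] if "cweId" in d}),
           "cvss": {}, "kev": False, "ssvc": {}}
    for m in cna.get("metrics", []):
        for key, body in m.items():
            if key.startswith("cvssV"):  # cvssV4_0, cvssV3_1, ...
                version, metrics = parse_cvss_vector(body["vectorString"])
                out["cvss"][version] = {"score": body["baseScore"], **{
                    k: CVSS_LABELS[k][metrics[k]] for k in CVSS_LABELS if k in metrics}}
    # ADP containers (e.g. CISA) enrich the record but cannot alter the CNA-supplied data.
    for adp in record["containers"].get("adp", []):
        for m in adp.get("metrics", []):
            other = m.get("other", {})
            out["kev"] |= other.get("type") == "kev"
            if other.get("type") == "ssvc":
                for opt in other["content"].get("options", []): out["ssvc"].update(opt)
    return out

# Constructed sample in the CVE JSON 5.1 layout; the values are illustrative, not the real record.
SAMPLE_RECORD = {"dataType": "CVE_RECORD", "dataVersion": "5.1",
    "cveMetadata": {"cveId": "CVE-2025-1316", "assignerShortName": "example-cna", "datePublished": "2025-01-01T00:00:00.000Z"},
    "containers": {
        "cna": {"descriptions": [{"lang": "en", "value": "Sample: OS command injection in an IP camera."}],
                "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-78", "description": "OS Command Injection"}]}],
                "metrics": [{"cvssV4_0": {"baseScore": 9.3, "vectorString":
                             "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}},
                            {"cvssV3_1": {"baseScore": 9.8, "vectorString":
                             "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}}]},
        "adp": [{"providerMetadata": {"shortName": "CISA-ADP"},
                 "metrics": [{"other": {"type": "kev", "content": {"dateAdded": "2025-01-01"}}},
                             {"other": {"type": "ssvc", "content": {"options": [{"Exploitation": "active"},
                                 {"Automatable": "yes"}, {"Technical Impact": "total"}]}}}]}]}}
```

Calling `summarize_record(SAMPLE_RECORD)` yields the ID, CNA, CWE list, both decoded CVSS vectors, `kev: True` and the three SSVC decision points, which is the data a triage queue would key on.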
The CWE classifier deserves attention in its own right: it catalogs the mistakes commonly made in software and hardware development that eventually lead to vulnerabilities. Besides describing each weakness with examples, the CWE registry maintains a hierarchy that helps one understand the nature of different types of common weaknesses. For example, CWE-78 ("OS Command Injection") is a child of CWE-77 ("Improper Neutralization of Special Elements used in a Command ('Command Injection')"), which in turn is a child of the more general weakness types CWE-74 ("Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')") and CWE-707 ("Improper Neutralization"). In addition, at the end of each year the MITRE CWE project publishes the "CWE Top 25" list of the most dangerous weaknesses.
Another MITRE project related to CVE and CWE is the CAPEC (Common Attack Pattern Enumeration and Classification) registry. CAPEC is a knowledge base of attack patterns that exploit weaknesses (from the CWE registry) and vulnerabilities (from the CVE registry). For example, the weakness CWE-78 ("OS Command Injection") already described above can be exploited by the attack pattern CAPEC-88 ("OS Command Injection"), for which the sequence of steps an attacker performs (Explore - Experiment - Exploit) is described. Furthermore, some patterns in the CAPEC registry are linked to the MITRE ATT&CK matrix, which describes attackers' tactics, techniques and procedures. For example, CAPEC-21 ("Exploitation of Trusted Identifiers") is related to the techniques T1134 ("Access Token Manipulation"), T1528 ("Steal Application Access Token") and T1539 ("Steal Web Session Cookie").