Common Vulnerabilities and Exposures: What They Are, and Notable CVEs to Be Aware Of

As organizations and individuals rely more and more on technology for many aspects of their lives, the security of digital assets is of increasing concern. From personal data to critical infrastructure, the digital landscape is rife with potential vulnerabilities that can be exploited by malicious actors. Cybersecurity has become a mainstream imperative as breaches and cyber threats continue to escalate.

Common Vulnerabilities and Exposures (CVEs) are the foundation of vulnerability management, playing a pivotal role in the understanding, categorization, and remediation of software vulnerabilities. This guide explores the concept of CVEs, what they are, how they are structured, and how they contribute to the management of security issues. 

What is a CVE?

A CVE is a standardized identifier assigned to a specific software vulnerability. It provides a unique reference point for cybersecurity professionals, vendors, and researchers to discuss, share, and mitigate vulnerabilities across diverse systems and platforms. CVEs provide a common language for exploring and managing vulnerabilities.

Let’s consider some examples to grasp the practical application of CVE. In 2017 the infamous CVE-2017-0144, also known as EternalBlue, exposed vulnerabilities in Microsoft’s SMB protocol, leading to the global WannaCry ransomware attack.

Another example is CVE-2014-0160, the Heartbleed bug of 2014, which affected the OpenSSL cryptographic software library. These examples highlight the critical role CVEs play in understanding and addressing vulnerabilities on a global scale.

What qualifies as a CVE?

The CVE Numbering Authority (CNA) is an entity that oversees reported vulnerabilities. They are typically composed of tech organizations authorized to assign CVE IDs to vulnerabilities within their own products, or for products within a defined scope. To standardize the identification of CVEs, CNA has set operational rules that dictate what qualifies as a CVE. Here are their criteria:

Must be independently fixable

This criterion states that the flaw should be fixable on its own, separate from other vulnerabilities. It also says that the patches for the flaw should not be inherently tied to fixing other bugs.

Must be acknowledged by the vendor and documented

The rule refers to the software developer/vendor’s acknowledgement that the flaw exists and has a negative impact. The software developer/vendor should also have detailed documentation or a vulnerability report that showcases any security violations the flaw demonstrates.

Must be affecting one codebase

A flaw can be identified as a CVE if it only affects a single codebase, product, or protocol. If the flaw affects multiple codebases, products, or protocols, each flaw will be assigned a separate CVE identifier.

Note: In cases where the same vulnerability affects multiple vendors but stems from the same underlying codebase (for example, a shared open-source library), it may still be assigned a single CVE identifier. Conversely, if the flaw manifests differently across products, multiple CVEs may be issued.

What is a CVE identifier?

CVE identifiers (or CVE IDs) are a structured format given to Common Vulnerabilities and Exposures so they can be referenced easily. The identifier begins with the prefix “CVE-” followed by the year of assignment and a unique sequential number. This structured format allows for chronological tracking and referencing of vulnerabilities over time. For example:

“CVE-2022-1234” 

• 2022: signifies a vulnerability assigned in the year 2022
• 1234: indicates the sequential number of the CVE assigned that year.

In addition to CVE numbers, vulnerabilities are often associated with the Common Vulnerability Scoring System, or CVSS. These scores provide a quantitative measure of the severity of a vulnerability, considering factors such as exploitability, impact, and complexity. Ranging from 0 to 10, a higher CVSS score indicates a more severe vulnerability.

CVEs are managed by the CNA, and the central repository for CVEs is the MITRE CVE database. CNAs are organizations or entities authorized to assign CVE identifiers to vulnerabilities within their scope. MITRE, a not-for-profit organization, acts as the primary coordinator for the CVE program, maintaining the database and ensuring the integrity and uniqueness of assigned identifiers. This process ensures that each vulnerability has a distinct identifier for accurate tracking and communication.

When a vulnerability is discovered, the CNA responsible for the affected product or system requests a CVE identifier from MITRE. Once assigned, the CVE is published in the MITRE CVE database, providing a centralized and accessible repository for cybersecurity professionals.

It’s worth noting that while CVSS provides a quantitative severity score, organizations should also consider factors such as exploit availability, active exploitation reports, and business impact when prioritizing patching. Two vulnerabilities with the same CVSS score may pose very different risks in practice.

Who reports CVEs?

While anyone can report a CVE by submitting a report to CNA, most reports come from people involved in cybersecurity. They include cybersecurity researchers, ethical hackers, and vendors themselves. Some reports may also come from bug bounty programs organized by companies that offer rewards to IT professionals who find and report vulnerabilities in their systems.

What is the CVE lifecycle?

The CVE lifecycle refers to the process that a Common Vulnerability and Exposure goes through. This involves the following steps:

1. Flaw discovery: The stage when the vulnerability is identified.
2. Flaw reporting: Pertains to the process of submitting reports detailing the complications of the discovered flaw to either the vendor, CNA, or vulnerability coordination center.
3. ID requesting and reservation: Establishes the initial state of the CVE record, starting from the CVE program partner’s assignment and reservation of the CVE ID.
4. Documentation submission: A critical stage where comprehensive information about the vulnerability is gathered and documented.
5. Publication of CVE: The stage where the CVEs, along with their ID and details, are publicly published on the CVE list, allowing for easy referencing of the vulnerability.

What are the benefits of CVEs?

Establishing a standardized public record of vulnerabilities has several advantages:

Streamlined patching workflows

A structured record for the most common vulnerabilities eases the operations of cybersecurity professionals by having an easily accessible resource when a CVE has been publicized.

Tool compatibility

Most vulnerability scanners are programmed to skim through CVE databases, allowing organizations to effectively assess their security posture and prioritize remediation efforts.

Integration with security platforms

While CVE records themselves typically do not include Indicators of Compromise (IoCs), many vulnerability advisories and threat intelligence platforms map CVEs to IoCs. This mapping enables security tools to integrate CVE data with detection and prevention workflows.

Compliance

Regulatory frameworks such as PCI-DSS, HIPAA, or NIST typically require CVE tracking. An endpoint security platform with this capability can help organizations enforce and maintain compliance.

What are the challenges of CVEs?

While a valuable system for cybersecurity, the CVE framework may also face some challenges that can affect its deployment. Here are some of them:

Delayed CVE assignment

The delayed assignment of CVEs may make early mitigation difficult. This can happen with critical vulnerabilities, such as those found in popular open-source libraries.

Unclear documentation

Another bottleneck for cybersecurity professionals is when the CVE records contain vague or incomplete technical details. This can hinder the fast prevention of potential vulnerability exploitation.

Multiple CVEs for the same root issue

Separate CVEs can cause confusion and be a crucial issue during remediation. This usually happens when flaws in similar components or versions exist across different platforms.

What is the significance of CVEs in cybersecurity

CVEs play a key role in proactively identifying and resolving software vulnerabilities. By providing a standardized reference, cybersecurity professionals can communicate efficiently, share threat intelligence, and collaborate on mitigating vulnerabilities before they are exploited.

CVEs become essential in incident response in the event of a cybersecurity incident. Security teams can refer to CVEs to understand the nature of vulnerabilities, assess their severity, and implement targeted measures to address the specific threats posed by the identified vulnerabilities.

Real-world incidents, such as the Equifax data breach (CVE-2017-5638) and the Apache Struts vulnerability, highlight the critical importance of CVEs. In these cases, the exploitation of known vulnerabilities led to significant data breaches, emphasizing the need for organizations to stay vigilant, patch systems promptly, and monitor CVE databases for emerging threats.

What are 5 notable CVEs that every IT team should know about?

These five notable CVEs significantly impacted digital assets, and continue to be of concern for unpatched and outdated systems. Be mindful that the threat landscape evolves rapidly, and new CVEs , such as CVE-2024-20666 and CVE-2023-5129, are emerging all the time. Always stay informed about the latest threats and vulnerabilities. For example, CVE-2024-20666 is a Windows security bypass vulnerability affecting BitLocker, and CVE-2023-5129 relates to a buffer overflow issue in the WebP image library that impacted multiple applications. Including recent CVEs underscores how quickly the threat landscape evolves.

1) CVE-2017-5638 (Apache Struts/S2-045 – Equifax Breach): This critical vulnerability in Apache Struts allowed remote code execution through a crafted Content-Type header in an HTTP request. The exploitation of this vulnerability led to the infamous Equifax data breach in 2017, exposing sensitive personal information of millions of individuals.

Risk: Remote attackers could execute arbitrary code on the affected server, potentially leading to unauthorized access and data breaches.

Mitigation: Promptly applying patches and updates for Apache Struts, as well as implementing web application firewalls.

2) CVE-2017-0144 (EternalBlue – WannaCry Ransomedware): EternalBlue was an exploit leaked from the NSA that targeted a vulnerability in Microsoft’s SMB protocol. It was famously used in the WannaCry ransomware attack in 2017, affecting hundreds of thousands of computers globally.

Risk: This vulnerability allowed the rapid spread of ransomware across networks, encrypting files and demanding ransom payments.

Mitigation: Applying Microsoft’s security updates and disabling the outdated SMBv1 protocol.

3) CVE-2019-0708 (BlueKeep): BlueKeep was a critical remote code execution vulnerability in Microsoft’s Remote Desktop Protocol (RDP). It could allow an attacker to execute arbitrary code on a target system without user interaction.

Risk: Similar to EternalBlue, exploitation could lead to widespread attacks and potential compromise of unpatched systems.

Mitigation: Applying Microsoft’s security updates and disabling RDP on systems where it is not needed.

4) CVE-2020-1472 (Zerologon): Zerologon targeted a vulnerability in the Netlogon Remote Protocol (MS-NRPC) used by Windows domain controllers. Successful exploitation could allow an attacker to impersonate any computer, including the domain controller.

Risk: Attackers could potentially take control of a domain controller, leading to unauthorized access and network compromise.

Mitigation: Applying Microsoft’s security updates and enforcing secure Netlogon configurations.

5) CVE-2021-34527 (PrintNightmare): PrintNightmare was a vulnerability in the Windows Print Spooler service that allowed remote code execution. It received widespread attention due to its critical nature and the potential for exploitation.

Risk: Successful exploitation could allow an attacker to execute arbitrary code with system-level privileges.

Mitigation: Applying Microsoft’s security updates and implementing workarounds to disable the Print Spooler service where it’s not needed.

Stay one step ahead of hackers by understanding everyday security threats. Watch common vulnerabilities and exposures to protect your systems today.

Use CVEs for proactive cybersecurity

As we have discussed, CVEs provide a foundation for vulnerability management. Adopting a standardized language for identifying, cataloging, and mitigating vulnerabilities promotes collaboration and communication among cybersecurity professionals worldwide.

Staying informed of the latest CVEs is critical to an efficient and proactive cybersecurity strategy. Organizations and individuals alike should regularly monitor CVE databases, apply patches promptly, and collaborate with the broader cybersecurity community to enhance collective resilience against emerging threats.

For NinjaOne users, accessing CVE information is streamlined through the platform and information on zero-day exploits and mitigations being published in advance of vendor patch availability. Users can conveniently view CVE and CVSS scores directly from the platform, allowing for seamless integration of vulnerability management into their overall cybersecurity strategy. This integration enhances visibility, enabling IT teams to prioritize and address vulnerabilities efficiently. 

NinjaOne provides users with the tools to manage endpoint security to achieve zero trust, with role-based access controls, monitoring and management of drive encryption and antivirus, and credential management for scripting, patching, and remote access.