Every piece of software has bugs. Some of those bugs are security vulnerabilities — flaws that attackers can exploit to compromise systems. Understanding how vulnerabilities are tracked, scored, and managed is essential knowledge for anyone in cybersecurity.
What Is a CVE?
CVE stands for Common Vulnerabilities and Exposures. It’s a public database of known security vulnerabilities, maintained by MITRE and sponsored by the US government. Each CVE entry gets a unique identifier like CVE-2021-44228 (Log4Shell).
```text
# CVE identifier format:
CVE-[YEAR]-[NUMBER]   # YEAR is when the ID was assigned; NUMBER has at least four digits

# Examples of famous CVEs:
CVE-2017-0144    # EternalBlue / WannaCry (Windows SMB vulnerability)
CVE-2014-0160    # Heartbleed (OpenSSL vulnerability)
CVE-2021-44228   # Log4Shell (Apache Log4j)
CVE-2021-34527   # PrintNightmare (Windows Print Spooler)
CVE-2023-44487   # HTTP/2 Rapid Reset Attack

# Check any CVE at:
# nvd.nist.gov (National Vulnerability Database)
# cve.mitre.org
```
CVSS: How Vulnerabilities Are Scored
The Common Vulnerability Scoring System (CVSS) assigns each vulnerability a score from 0-10 based on severity. Understanding these scores helps you prioritize which vulnerabilities to patch first.
CVSS v3.1 severity ranges:

| Base score | Severity |
|------------|----------|
| 0.0 | None |
| 0.1 – 3.9 | Low |
| 4.0 – 6.9 | Medium |
| 7.0 – 8.9 | High |
| 9.0 – 10.0 | Critical |

Log4Shell (CVE-2021-44228) scored CVSS 10.0 (Critical). Why 10.0? Because:

- Exploitable remotely (Attack Vector: Network), so no physical or local access is needed
- No authentication required (Privileges Required: None)
- No user interaction required
- Complete system compromise possible (High impact to confidentiality, integrity, and availability, and the scope extends beyond the vulnerable component)
- Log4j was embedded in thousands of products (not a CVSS input, but the reason that score mattered almost everywhere)
How the Vulnerability Lifecycle Works
1. Discovery
   - A security researcher or attacker finds a vulnerability
2. Responsible disclosure (ideally)
   - The researcher reports it to the vendor privately
   - The vendor gets 90 days to patch (Google Project Zero's standard)
3. CVE assignment
   - The researcher or vendor requests a CVE ID from MITRE
   - The CVE is assigned and held in "reserved" state
4. Patch released + CVE published
   - The vendor releases a fix
   - CVE details are published publicly
5. Active exploitation
   - Attackers now have public vulnerability details
   - Race between admins patching and attackers exploiting
6. Zero-day
   - If attackers find and exploit the flaw BEFORE a patch exists
   - Zero-day exploits are the most dangerous: there is no fix to apply until the vendor ships a patch, so defenders can rely only on compensating controls
Scanning for Vulnerabilities
OpenVAS (Free, Open Source)
```bash
# OpenVAS: comprehensive vulnerability scanner
# Part of the Greenbone Vulnerability Management (GVM) framework
# Install on Ubuntu:
sudo apt install gvm
sudo gvm-setup
sudo gvm-start
# Access the web UI at: https://localhost:9392

# Create a scan:
# 1. Scans > Tasks > New Task
# 2. Set the target IP range
# 3. Select a scan config ("Full and fast" recommended)
# 4. Run the scan

# Or drive it from the command line with gvm-cli (from the gvm-tools package),
# which sends GMP XML commands to the manager over its local socket:
gvm-cli --gmp-username admin --gmp-password admin socket --xml "<get_version/>"
gvm-cli --gmp-username admin --gmp-password admin socket --xml \
  "<create_target><name>Home LAN</name><hosts>192.168.1.0/24</hosts></create_target>"
```
Trivy (Containers and Code)
```bash
# Trivy scans containers, code, and infrastructure for CVEs
# Install:
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin

# Scan a container image:
trivy image nginx:latest

# Sample output:
# nginx:latest (debian 12.5)
# ─────────────────────────────────────────────────────
# Library   Vulnerability    Severity   Fixed Version
# ─────────────────────────────────────────────────────
# libssl3   CVE-2023-5678    HIGH       3.0.12-1~deb12u1
# zlib1g    CVE-2023-45853   CRITICAL   none

# Scan your code for vulnerable dependencies:
trivy fs /path/to/your/project

# Scan a specific language's dependency file:
trivy fs --scanners vuln requirements.txt   # Python
trivy fs --scanners vuln package.json       # Node.js
```
Nuclei (Fast Template-Based Scanner)
```bash
# Nuclei: community-driven vulnerability scanner with thousands of templates
# Install:
go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest
# Later, self-update the binary with: nuclei -update

# Update templates:
nuclei -update-templates

# Scan a web application:
nuclei -u https://targetsite.com

# Scan for specific CVEs (the CVE templates live under http/cves/ in the v3 template repository):
nuclei -u https://targetsite.com -t http/cves/

# Scan your own network:
nuclei -l hosts.txt -t network/
```
Vulnerability Management Process
A simple vulnerability management workflow:

1. Inventory (what do you have?)
   - List all systems, applications, and dependencies
   - Include containers, cloud resources, endpoints
2. Scan (what vulnerabilities exist?)
   - Weekly automated scans with Trivy or OpenVAS
   - Integrate into the CI/CD pipeline
3. Prioritize (what to fix first?)
   - Priority = Severity × Exploitability × Asset Criticality
   - CVSS 10.0 + known exploit in the wild + production server = PATCH TODAY
   - CVSS 4.0 + no known exploit + dev test system = patch next cycle
   - CISA KEV (Known Exploited Vulnerabilities) Catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog lists vulnerabilities being actively exploited in the wild. If your system has a KEV entry, patch immediately.
4. Remediate (patch, mitigate, or accept risk)
   - Patch: install the fix
   - Mitigate: apply a compensating control (e.g., disable the feature until patched)
   - Accept: document the risk decision for low-impact, low-exploitability vulns
5. Verify (confirm the fix worked)
   - Re-scan after patching to confirm the vulnerability is gone
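The prioritization step above is easy to automate once the scanner emits machine-readable output. The following is an added example (not code from the article or from the Trivy project) that reads a Trivy JSON report (`trivy image --format json --output report.json nginx:latest` produces one), cross-checks each finding against a KEV list, and applies the Severity × Exploitability × Asset Criticality rule. The report, the KEV set and the asset tiers are constructed for illustration: the two CVE IDs reuse the sample output from the Trivy section, `CVE-2024-XXXXX` is a placeholder rather than a real ID, and the weights are this example's own choice, not a standard.

```python
"""Triage a Trivy JSON report by severity, known exploitation and asset criticality.

Added example for this article. The JSON layout (Results[].Vulnerabilities[] with
VulnerabilityID, PkgName, InstalledVersion, FixedVersion, Severity) is Trivy's;
the sample values, the KEV set and the weights below are constructed.
"""
import json

# Constructed report in Trivy's JSON layout. CVE-2024-XXXXX is a placeholder ID.
SAMPLE_TRIVY_JSON = json.dumps({
    "ArtifactName": "nginx:latest",
    "Results": [{
        "Target": "nginx:latest (debian 12.5)",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2023-45853", "PkgName": "zlib1g",
             "InstalledVersion": "1:1.2.13.dfsg-1", "FixedVersion": "",
             "Severity": "CRITICAL"},
            {"VulnerabilityID": "CVE-2023-5678", "PkgName": "libssl3",
             "InstalledVersion": "3.0.11-1~deb12u2",
             "FixedVersion": "3.0.12-1~deb12u1", "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-2024-XXXXX", "PkgName": "example-pkg",
             "InstalledVersion": "1.0", "FixedVersion": "1.1",
             "Severity": "MEDIUM"},
        ],
    }],
})

# Constructed stand-in for the CISA KEV catalog (in practice, load the published JSON feed).
SAMPLE_KEV = {"CVE-2024-XXXXX"}

# Weights are illustrative, not a standard.
SEVERITY_WEIGHT = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1, "UNKNOWN": 1}
ASSET_CRITICALITY = {"production": 3, "staging": 2, "dev": 1}
KEV_EXPLOITABILITY = 3   # known exploited in the wild
DEFAULT_EXPLOITABILITY = 1


def triage(report_json: str, kev_ids: set[str], asset_tier: str) -> list[dict]:
    """Return findings sorted by priority (highest first), each with a recommended action."""
    report = json.loads(report_json)
    asset_weight = ASSET_CRITICALITY[asset_tier]
    findings = []
    for result in report.get("Results", []):
        # Trivy omits or nulls "Vulnerabilities" when a target is clean.
        for vuln in result.get("Vulnerabilities") or []:
            cve = vuln["VulnerabilityID"]
            in_kev = cve in kev_ids
            sev = vuln.get("Severity", "UNKNOWN").upper()
            exploitability = KEV_EXPLOITABILITY if in_kev else DEFAULT_EXPLOITABILITY
            priority = SEVERITY_WEIGHT.get(sev, 1) * exploitability * asset_weight
            fixed = vuln.get("FixedVersion") or None

            # KEV membership overrides everything else: patch immediately.
            if in_kev:
                action = "patch today"
            elif priority >= 9:
                action = "patch this cycle"
            else:
                action = "next patch cycle"
            # No vendor fix yet: the remediation choice is mitigate or accept, not patch.
            if fixed is None:
                action += " (no fixed version yet: apply a compensating control)"

            findings.append({
                "cve": cve, "package": vuln.get("PkgName"), "severity": sev,
                "in_kev": in_kev, "fixed_version": fixed,
                "priority": priority, "action": action,
            })
    findings.sort(key=lambda f: (-f["priority"], f["cve"]))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_TRIVY_JSON, SAMPLE_KEV, "production"):
        print(f"{f['priority']:>3}  {f['cve']:<16} {f['severity']:<9} "
              f"KEV={f['in_kev']!s:<5} {f['action']}")
```

On the production tier the medium-severity KEV entry ranks first and is flagged for same-day patching, the critical zlib finding with no fixed version is routed to a compensating control, and the libssl3 finding queues for the current cycle; switch the tier to `dev` and only the KEV entry keeps its urgency, which is the point the workflow makes about asset criticality.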
Keeping Up with New Vulnerabilities
- Subscribe to CVE alerts: nvd.nist.gov/vuln/search — set up email alerts for your products
- CISA Alerts: cisa.gov/news-events/cybersecurity-advisories
- Vendor security bulletins: Microsoft Patch Tuesday (2nd Tuesday monthly), Adobe, Apache, etc.
- Exploit Database: exploit-db.com — shows publicly available exploits
- Twitter/X: Follow @CVEnew, @CISA_Cyber, @GreenBoneNet
Wrap Up
Vulnerability management is a continuous process, not a one-time project. Inventory your systems, scan regularly, prioritize by severity and exploitability, patch promptly — especially for CISA KEV entries. The organizations that patch quickly are rarely the ones that make the breach headlines.