Why CVE Management as a Primary Strategy Doesn't Work
With only about 15% of vulnerabilities actually exploitable, patching every vulnerability is not an effective use of time.
Stay informed on the latest CVE entries. Explore critical vulnerabilities and exposures to safeguard your systems from cyber threats and attacks.
Search across headline titles and summaries.
Background for this topic.
CVE is a global system of standardized identifiers for publicly known cybersecurity vulnerabilities. Each record, typically written as CVE-YYYY-NNNN, gives a vulnerability a stable reference and usually includes a description, affected products or versions, and links to advisories or fixes. The CVE Program coordinates the assignment and publication of records through authorized organizations, allowing researchers, vendors, security tools, and defenders to discuss the same flaw without relying on different names.
Practitioners use CVE identifiers to match vulnerabilities across asset inventories, scanners, patch advisories, and threat-intelligence reports. A CVE is an identity, not a severity score or proof that a system is exploitable: prioritization should also consider the affected configuration, exposure, available mitigations, exploit activity, and business impact. Delays in identifying vulnerable versions can leave internet-facing services or embedded components exposed, while incomplete product-to-CVE mapping can cause missed remediation. Security teams should verify the affected versions and vendor guidance before patching or applying workarounds.
With only about 15% of vulnerabilities actually exploitable, patching every vulnerability is not an effective use of time.
This blog entry details our investigation of CVE-2019-8561, a vulnerability that exists in the macOS PackageKit framework, a component used to install software installer packages (PKG files).
Google has resolved a high-severity security issue affecting all Pixel smartphones that could be trivially exploited to unlock the devices
Cybersecurity researchers have disclosed details of a new vulnerability in a system used across oil and gas organizations that could be exploited by an attacker to inject and execute arbitrary code
VMware has patched five security flaws affecting its Workspace ONE Assist solution, some of which could be exploited to bypass authentication and obtain elevated permissions