FAQ

FAQ: General

No, CVEs are not limited to software. They also cover vulnerabilities in hardware, firmware, IoT components, operating systems, and even certain dangerous default configurations. For example, flaws in routers, processors, or industrial equipment can also receive CVE identifiers.

This broad coverage makes it possible to account for the different attack vectors present in a modern information system. What matters is that the vulnerability is documented, confirmed, and publicly reported so that it can be included in the CVE program. Security teams can then assess risk across the entire infrastructure.

#CVE #IoT

The process of publishing a CVE generally begins with the submission of a vulnerability report to a CNA or directly to MITRE. If the flaw is recognized as legitimate, a CVE identifier is reserved. At this stage, the CVE may remain "reserved" for some time, pending technical validation, agreement from the parties involved, or the availability of a fix.

Once all information has been verified, the CVE is made public via the official MITRE website (cve.org) and other platforms such as NVD (National Vulnerability Database) or CVE Find. It includes a short technical description of the vulnerability, the publication date, the affected products, and sometimes references to patches or security advisories.

#CVE #MITRE #NVD

To determine whether a CVE is actively exploited, several information sources can be consulted. The most reliable is the KEV (Known Exploited Vulnerabilities) catalog maintained by CISA, which lists CVEs whose exploitation has been confirmed in the wild. It is updated regularly and is often used to establish remediation priorities. This information is also available directly on our website, CVE Find.

You can also rely on the EPSS score, which estimates the probability that a CVE will be exploited within 30 days of its publication, based on observed exploitation data. Finally, threat intelligence tools, CERT reports, or vendor security bulletins can also indicate whether a vulnerability is currently being used by attackers.
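As an added example (not code from the CVE Find site), the triage logic described above in Python: KEV-listed CVEs come first, then CVEs above an EPSS threshold, then the rest. The inputs are constructed samples shaped like the CISA KEV JSON feed and the FIRST EPSS API response; the CVE IDs, scores and the 0.1 threshold are placeholders, not real data.

```python
"""Rank CVEs for remediation using KEV membership and EPSS scores."""
from typing import Dict, List, Optional

# Constructed sample modelled on the shape of CISA's KEV JSON feed.
# The CVE IDs are placeholders and do not refer to real vulnerabilities.
KEV_CATALOG = {
    "vulnerabilities": [
        {"cveID": "CVE-1900-0001", "dateAdded": "2024-01-10",
         "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-1900-0003", "dateAdded": "2024-02-02",
         "knownRansomwareCampaignUse": "Unknown"},
    ]
}

# Constructed sample modelled on the shape of the FIRST EPSS API response.
# "epss" is the 30-day exploitation probability, returned as a string.
EPSS_RESPONSE = {
    "data": [
        {"cve": "CVE-1900-0001", "epss": "0.91234", "percentile": "0.99"},
        {"cve": "CVE-1900-0002", "epss": "0.00412", "percentile": "0.60"},
        {"cve": "CVE-1900-0003", "epss": "0.42000", "percentile": "0.96"},
    ]
}


def kev_index(catalog: dict) -> Dict[str, dict]:
    """Map CVE ID -> KEV entry for O(1) membership checks."""
    return {v["cveID"]: v for v in catalog["vulnerabilities"]}


def epss_index(response: dict) -> Dict[str, float]:
    """Map CVE ID -> EPSS probability as a float."""
    return {d["cve"]: float(d["epss"]) for d in response["data"]}


def prioritize(cve_ids: List[str], catalog: dict, epss_resp: dict,
               epss_threshold: float = 0.1) -> List[dict]:
    """Tier CVEs: P1 = confirmed exploited (KEV), P2 = EPSS above the
    threshold, P3 = everything else (including CVEs with no EPSS score yet,
    e.g. ones still in the reserved state). Sorted by tier, then EPSS."""
    kev, epss = kev_index(catalog), epss_index(epss_resp)
    rows = []
    for cve in cve_ids:
        score: Optional[float] = epss.get(cve)  # None if EPSS has no score
        in_kev = cve in kev
        tier = "P1" if in_kev else (
            "P2" if score is not None and score >= epss_threshold else "P3")
        rows.append({"cve": cve, "kev": in_kev, "epss": score, "tier": tier})
    order = {"P1": 0, "P2": 1, "P3": 2}
    rows.sort(key=lambda r: (order[r["tier"]], -(r["epss"] or 0.0)))
    return rows
```

In practice the two dictionaries would be loaded from the live KEV feed and EPSS API; the ranking logic is unchanged.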

#CVE #KEV #CISA #EPSS

CVE identifiers are assigned by a US non-profit organization called the MITRE Corporation, which manages the CVE program on behalf of the Cybersecurity and Infrastructure Security Agency (CISA). MITRE does not assign all identifiers itself: it relies on a network of partners called CNAs (CVE Numbering Authorities).

A CNA can be a software publisher, a security vendor, a CERT, or an organization specializing in vulnerabilities. Each CNA is authorized to assign CVE identifiers for vulnerabilities discovered in its own products or within its scope. This system accelerates the reporting of vulnerabilities while maintaining a centralized structure via MITRE.

#CVE #CISA #CNA #MITRE