FAQ

To determine if a CVE is actively exploited, several information sources can be consulted. The most reliable is the KEV (Known Exploited Vulnerabilities) database maintained by the CISA, which lists CVEs whose exploitation has been confirmed in the wild. It is updated regularly and often used to establish remediation priorities. This information is directly accessible on our website CVE Find.

You can also rely on the EPSS score, which estimates the probability of a CVE being exploited within 30 days of its publication, based on real data. Finally, threat intelligence tools, CERT reports, or vendor security bulletins can also indicate whether a vulnerability is currently being used by attackers.

CISA (Cybersecurity and Infrastructure Security Agency) is a U.S. government agency. It is responsible for protecting the United States' critical infrastructure from cyber and physical threats by providing support, tools, and recommendations to government agencies, businesses, and the public.

In the field of cybersecurity, CISA acts as a coordination center to prevent cyberattacks, respond to incidents, share threat information, and promote security best practices. Although American, its role and resources influence cybersecurity practices globally due to its transparency and leadership.

CISA plays a central role in managing vulnerabilities on a large scale. It actively identifies, assesses, and communicates about security flaws that could affect critical infrastructure, including government services, operators of essential services, and large enterprises. It often works in collaboration with MITRE, publishers, security researchers, and other international agencies.

Among its responsibilities, it publishes security bulletins, coordinates responses to certain major vulnerabilities, and sometimes imposes, through federal directives (BODs), mandatory remediation deadlines for certain flaws in public entities. Its goal is to reduce the time between the discovery of a vulnerability and its effective remediation in the field.

A CVE is simply a public declaration that a flaw exists in a given product, while an exploited vulnerability means that an attacker is actively using this flaw to compromise systems. In other words, not all CVEs are exploited in real-world conditions: some may remain theoretical or technical.

Conversely, a vulnerability can be exploited without yet having received a CVE - this is what is called a zero-day. To assess the real danger of a CVE, it is necessary to consult additional information such as the CISA's KEV data or the EPSS score, which indicate whether the flaw is actively used in cyberattacks. This information is available directly from our website CVE Find.

CVE identifiers are assigned by a US non-profit organization called the MITRE Corporation, which manages the CVE program on behalf of the Cybersecurity and Infrastructure Security Agency (CISA). MITRE does not distribute all identifiers alone: it relies on a network of partners called CNAs (CVE Numbering Authorities).

A CNA can be a software publisher, a security vendor, a CERT, or an organization specializing in vulnerabilities. Each CNA is authorized to assign CVE identifiers for vulnerabilities discovered in its own products or within its scope. This system accelerates the reporting of vulnerabilities while maintaining a centralized structure via MITRE.

The KEV (Known Exploited Vulnerabilities) list published by CISA identifies vulnerabilities that are actively exploited in the wild, meaning they are already being used in real-world cyberattacks. The purpose of this list is to help organizations prioritize their remediation efforts by focusing on vulnerabilities that pose an immediate threat.

By publishing this list, CISA provides a very practical risk management tool: it identifies not only known vulnerabilities, but also the most critical and urgent ones. For U.S. federal agencies, patching these vulnerabilities is mandatory within strict deadlines. But beyond the United States, the KEV is widely consulted by cybersecurity professionals worldwide to guide their patch management strategy.