It seems like new vulnerabilities enter the mainstream every day. With the recent Log4Shell bug attracting significant attention as one of the worst vulnerabilities known to cybersecurity, many businesses are scrambling to understand their exposure and how the cybersecurity industry is responding. One way to understand these vulnerabilities is to look at security databases and classifications. Two of the most widespread frameworks for classifying and ranking vulnerabilities are the Common Vulnerabilities Exposures and Common Vulnerability Scoring Systems.
What Are Common Vulnerabilities and Exposures?
The Common Vulnerabilities and Exposures (CVE) list computer security flaws made public to catalog these threats publicly and support common cybersecurity responses.
The MITRE Corporation oversees the CVE. This not-for-profit organization operates through funding from the Cybersecurity and Infrastructure Security Agency (CISA) under the Department of Homeland Security (DHS).
This list does not include details regarding the flaws themselves. Instead, the index provides a way to identify and catalog these vulnerabilities to provide a common vocabulary. This is accomplished with identifying numbers provided through the CVE Numbering Authority (CNA). CNAs are some of the top technology companies globally, including IBM, Cisco, Microsoft, Red Hat Linux, and others, and are given authority to apply numbers to CVEs as they arise.
CVE identification numbers follow a basic format:
“CVE” + The Year of Discovery + Unique Serial Number
For example, the recent Log4Shell vulnerability discovered in the Log4j logging utility was given the CVE identification number “CVE-2021-44228”.
While the CVE doesn’t provide a repository for correcting flaws, it does help programmers, security specialists and white-hat hackers surface previously unknown vulnerabilities and provide visibility for these issues. In order to qualify as a CVE, however, a flaw must meet certain criteria. These include:
- Vendor Acknowledgement: Part of CVE assignment is that the creator of a given piece of software or a platform admits to knowing about the flaw and that it introduces negative impacts on security. To avoid conflicts of interest, this requirement can also be satisfied by the reporter of the vulnerability demonstrating the bug and that it violates the vendor’s security policies.
- Singular Codebases: A single CVE receives a single CVE number when it affects a single codebase. If the bug impacts multiple products, code libraries or other protocols, it will obtain a CVE number for each flaw.
- Independence: The flaw is autonomous and independent in that it can be fixed without having to rely on other bug fixes related to other vulnerabilities.
Documented CVEs with an identifier will appear in several databases for record keeping and reporting purposes. Two of the most important databases where CVEs appear are the U.S. National Vulnerability Database (NVD) and the CERT/CC Vulnerability Notes Database. While the numbers and naming of vulnerabilities will sync across the MITRE CVE listings and these databases, NVD and CERT/CC will typically add more information to describe vulnerabilities.
What Is the Common Vulnerability Scoring System?
While CVEs don’t specify much about the actual vulnerabilities themselves, they do provide visibility so that security experts can respond to issues. There is, however, a related rating system to help security experts understand the severity of a flaw. The Common Vulnerability Scoring System (CVSS) provides open standards for determining the impact of a CVE.
CVSS scores operate on a scale of 0.0 to 10.0, with higher numbers representing more severe threats. Databases like the NVD use these scores to demonstrate vulnerability importance and aid in searching. The NVD website lists the ratings following a specific tier ranking system:
| CVSS Score Range | Severity Ranking |
| 0.0 | None |
| 0.1 – 3.9 | Low |
| 4.0 – 6.9 | Medium |
| 7.0 – 8.9 | High |
| 9.0 – 10.0 | Critical |
CVSS metrics are broken into three groups:
- Base Metric Group: This group represents facets of the vulnerabilities that don’t change over time or the environment. These include individual metrics like attack vector and complexity, privileges, scope and impact to system confidentiality, integrity and availability.
- Temporal Metric Group: This metric group covers features of a vulnerability that may change over time, but not across different environments. This can include metrics like the maturity of the exploit code or the levels of remediation that have been put into practice.
- Environmental Metric Group: This metric group is relevant to specific environments. This can include environment-specific security controls or the system’s relationship with surrounding IT infrastructure.
Different aspects of these metric groups can raise or lower the CVSS score. For example, a zero-day vulnerability with a novel code injection might have a high CVSS number, but if the vendor releases a patch for their platform, it could significantly reduce the CVSS.
Why Are CVE and CVSS Important?
Generally speaking, hundreds of vulnerabilities show up every year. Following this fact, many open security vulnerability databases exist–some that adopt CVE numbering and some that do not. However, the critical job of systems like CVE and CVSS is to provide a common nomenclature around vulnerabilities as they arise.
It’s important to note that while CVE as an organizational tool is relatively uncontroversial, CVSS has been met with its fair share of criticisms. One of the primary criticisms is how decisions related to metrics are made, the knowledge needed to apply scores (especially with new, unknown vulnerabilities) and a lack of metric granularity.
CVSS scores aren’t legally binding designations, but they are created and maintained by government-supported organizations invested in combatting cybersecurity. However, even without knowledge of CVE or CVSS, it’s essential to understand that security experts, and even some compliance frameworks, use CVSS scores as a starting point. PCI DSS, for example, requires regular vulnerability scans. Requirements note that any scan that shows a CVE vulnerability with a CVSS score higher than 4.0.
Align Security and Compliance with Lazarus Alliance
Whether it’s understanding your vulnerability profile, getting real insights into modern security threats or developing risk and compliance strategies that suit both regulations and your business goals, Lazarus Alliance can help. We have the capabilities to offer audits and certifications (where relevant) under frameworks such as FedRAMP, PCI DSS and ISO 17021.
Call Lazarus Alliance at 1-888-896-7580 or fill our this form.
What Is Autonomous Malware?
We’re reaching the end of 2025, and looking ahead to 2026, most experts are discussing the latest threats that will shape the year ahead. This year, we’re seeing a new, but not unexpected, shift to autonomous threats driven by state-sponsored actors and AI. With that in mind, a new generation of threats, broadly known as...Continue reading→
What CISA’s Emergency Directive 26-01 Means for Everyone
In mid-October 2025, the CISA issued one of its most urgent orders yet: Emergency Directive 26-01. The directive calls on all Federal Civilian Executive Branch (FCEB) agencies to immediately mitigate vulnerabilities in devices from F5 Networks following a state-sponsored breach of F5’s systems and access to portions of BIG-IP source code and vulnerability data. The event...Continue reading→
Cybersecurity and Vetting AI-Powered Tools
A recent exploit involving a new AI-focused browser shone a light on a critical problem–namely, that browser security is a constant issue, and AI is just making that threat more pronounced. Attackers discovered a way to use that browser’s memory features to implant hidden instructions inside an AI assistant. Once stored, those instructions triggered unwanted...Continue reading→
Shutdown Security And Cyber Vulnerability
When the federal government shuts down, the public sees closed monuments, unpaid workers, and halted programs. What they do not see is the silent surge of cyberattacks targeting agencies already operating on fumes. During the most recent shutdown, attacks against U.S. government systems spiked by nearly 85%. Cybersecurity failures during government disruptions rarely start with...Continue reading→
Identity and the Shift from Malware
The world of cyber threats is rapidly evolving, and while we can see these changes more generally, it’s always crucial to understand them concretely. As the 2025 CrowdStrike Global Threat Report shows us, the landscape of our industry is changing. We’re digging into this report to discuss a challenging trend: the move of hackers foregoing...Continue reading→
Maintaining Compliance Against Prompt Injection Attacks
The increasing adoption of AI by businesses introduces security risks that current cybersecurity frameworks are not prepared to address. A particularly complex emerging threat is prompt injection attacks. These attacks manipulate the integrity of large language models and other AI systems, potentially compromising security protocols and legal compliance. Organizations adopting AI must have a plan...Continue reading→
Are We Already Talking About CMMC 3.0?
The ink has barely dried on the CMMC final rule, and already the defense contracting community is buzzing with speculation about what comes next. Just when contractors thought they had a moment to catch their breath after years of regulatory limbo, whispers of CMMC 3.0 have begun circulating through the industry. But is this just...Continue reading→
Centralizing Identity-Based Risk
As the traditional network boundary dissolves and remote work becomes standard practice, identities are the major frontier for security. Whether we’re talking about human users, service accounts, or machine identities, these have emerged as both the primary access mechanism and the most targeted attack vector. It has become imperative for providers to centralize identity management...Continue reading→
Deviation and Significant Change Requests in FedRAMP: A Comprehensive Guide
FedRAMP provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services used by federal agencies. While the program’s rigorous baseline requirements ensure consistent security, the reality is that this consistency calls for a little flexibility. This is where deviation requests and significant change requests come into play. These two...Continue reading→
The Costs of Compliance and Data Breaches
Data is possibly one of the most valuable assets any organization holds. Customer information, employee records, and proprietary business intelligence present challenges because the data flowing through modern enterprises represents both significant opportunities and serious risks. Businesses face a challenging balance: investing in compliance measures to protect sensitive information while also preparing for the real...Continue reading→
Related Posts