Beyond Vulnerability Management – Can You CVE What I CVE?

The Vulnerability Treadmill

The reactive nature of vulnerability administration, mixed with delays from coverage and course of, strains safety groups. Capability is proscribed and patching all the things instantly is a wrestle. Our Vulnerability Operation Middle (VOC) dataset evaluation recognized 1,337,797 distinctive findings (safety points) throughout 68,500 distinctive buyer property. 32,585 of them have been distinct CVEs, with 10,014 having a CVSS rating of 8 or greater. Amongst these, exterior property have 11,605 distinct CVEs, whereas inner property have 31,966. With this quantity of CVEs, it is no shock that some go unpatched and result in compromises.

Why are we caught on this state of affairs, what might be completed, and is there a greater method on the market?

We’ll discover the state of vulnerability reporting, how one can prioritize vulnerabilities by risk and exploitation, look at statistical possibilities, and briefly talk about threat. Lastly, we’ll contemplate options to reduce vulnerability influence whereas giving administration groups flexibility in disaster response. This could give impression, however in order for you the total story you will discover it in our annual report, the Security Navigator.

Can You CVE What I CVE?

Western nations and organizations use the Frequent Vulnerability Enumeration (CVE) and Frequent Vulnerability Scoring System (CVSS) to trace and fee vulnerabilities, overseen by US government-funded packages like MITRE and NIST. By September 2024, the CVE program, energetic for 25 years, had revealed over 264,000 CVEs, and by 15 April 2025, the variety of complete CVEs elevated to roughly 290,000 CVEs together with “Rejected” or “Deferred”.

NIST’s Nationwide Vulnerability Database (NVD) depends on CVE Numbering Authorities (CNAs) to file CVEs with preliminary CVSS assessments, which helps scale the method but in addition introduces biases. The disclosure of great vulnerabilities is sophisticated by disagreements between researchers and distributors over influence, relevance, and accuracy, affecting the broader neighborhood ^{[1, 2]}.

By April 2025, a backlog of greater than 24,000 unenriched CVEs collected on the NVD ^{[3, 4]} attributable to bureaucratic delays that occurred in March 2024. Quickly halting CVE enrichment regardless of ongoing vulnerability experiences, and dramatically illustrating the fragility of this method. The short-term pause resulted on this backlog that’s but to be cleared.

On 15 April 2025, MITRE introduced that the US Division of Homeland Safety won’t be renewing its contract with MITRE, impacting the CVE program instantly^[15]. This created lots of uncertainty about the way forward for CVEs and the way it will influence cybersecurity practitioners. Luckily, funding for the CVE program was prolonged as a result of robust neighborhood and business response^[16].

CVE and the NVD should not the only real sources of vulnerability intelligence. Many organizations, together with ours, develop impartial merchandise that observe way more vulnerabilities than the MITRE’s CVE program and NIST NVD.

Since 2009, China has operated its personal vulnerability database, CNNVD ^[5], which could possibly be a priceless technical useful resource ^{[6, 7]}, although political boundaries make collaboration unlikely. Furthermore, not all vulnerabilities are disclosed instantly, creating blind spots, whereas some are exploited with out detection—so-called 0-days.

In 2023, Google’s Menace Evaluation Group (TAG) and Mandiant recognized 97 zero-day exploits, primarily affecting cellular units, working programs, browsers, and different functions. In the meantime, solely about 6% of vulnerabilities within the CVE dictionary have ever been exploited ^[8], and research from 2022 present that half of organizations patch simply 15.5% or fewer vulnerabilities month-to-month ^[9].

Whereas CVE is essential for safety managers, it is an imperfect, voluntary system, neither globally regulated nor universally adopted.

This weblog additionally goals to discover how we would cut back reliance on it in our day by day operations.

Menace Knowledgeable

Regardless of its shortcomings, the CVE system nonetheless supplies priceless intelligence on vulnerabilities that might influence safety. Nevertheless, with so many CVEs to handle, we should prioritize these most definitely to be exploited by risk actors.

The Exploit Prediction Scoring System (EPSS), developed by the Discussion board of Incident Response and Safety Groups (FIRST) SIG ^[10], helps predict the chance of a vulnerability being exploited within the wild. With EPSS intelligence, safety managers can both prioritize patching as many CVEs as attainable for broad protection or concentrate on vital vulnerabilities to maximise effectivity and stop exploitation. Each approaches have execs and cons.

To show the tradeoff between protection and effectivity, we’d like two datasets: one representing potential patches (VOC dataset) and one other representing actively exploited vulnerabilities, which incorporates CISA KEV ^[10], moral hacking findings, and information from our CERT Vulnerability Intelligence Watch service ^[12].

The EPSS threshold is used to pick out a set of CVEs to patch, based mostly on how probably they’re to be exploited within the wild. The overlap between the remediation set and the exploited vulnerability set can be utilized to calculate the Effectivity, Protection, and Effort of a specific technique.

EPSS predicts the chance of a vulnerability being exploited someplace within the wild, not on any particular system. Nevertheless, possibilities can “scale.” For instance, flipping one coin offers a 50% probability of heads, however flipping 10 cash raises the prospect of no less than one head to 99.9%. This scaling is calculated utilizing the complement rule ^[13], which finds the likelihood of the specified consequence by subtracting the prospect of failure from 1.

As FIRST explains, “EPSS predicts the likelihood of a particular vulnerability being exploited and might be scaled to estimate threats throughout servers, subnets, or complete enterprises by calculating the likelihood of no less than one occasion occurring.”^{[14, 15]}

With EPSS, we are able to equally calculate the chance of no less than one vulnerability being exploited from an inventory by utilizing the complement rule.

To show, we analyzed 397 vulnerabilities from the VOC scan information of a Public Administration sector consumer. Because the chart under illustrates, most vulnerabilities had low EPSS scores till a pointy rise at place 276. Additionally proven on the chart is the scaled likelihood of exploitation utilizing the complement rule, which successfully reaches 100% when solely the primary 264 vulnerabilities are thought-about.

Because the scaled EPSS curve (left) on the chart signifies, as extra CVEs are thought-about, the scaled likelihood that certainly one of them shall be exploited within the wild will increase very quickly. By the point there are 265 distinct CVEs into consideration, the likelihood that certainly one of them shall be exploited within the wild is greater than 99%. This stage is reached earlier than any particular person vulnerabilities with excessive EPSS come into consideration. When the scaled EPSS worth crosses 99% (Place 260) the utmost EPSS remains to be beneath 11% (0.11).

This instance, based mostly on precise consumer information on vulnerabilities uncovered to the Web, exhibits how tough prioritizing vulnerabilities turns into because the variety of programs will increase.

EPSS offers a likelihood {that a} vulnerability shall be exploited within the wild, which is useful for defenders, however we have proven how shortly this likelihood scales when a number of vulnerabilities are concerned. With sufficient vulnerabilities, there’s a actual likelihood that one will get exploited, even when the person EPSS scores are low.

Like a climate forecast predicting a “probability of rain,” the bigger the realm, the larger the chance of rain someplace. Likewise, it’s probably not possible to scale back the likelihood of exploitation even nearer all the way down to zero.

Attacker Odds

We have recognized three vital truths that should be built-in into our examination of the vulnerability administration course of:

• Attackers aren’t targeted on particular vulnerabilities; they purpose to compromise programs.
• Exploiting vulnerabilities is not the one path to compromise.
• Attackers’ ability and persistence ranges fluctuate.

These elements permit us to increase our evaluation of EPSS and possibilities to contemplate the chance of an attacker compromising some arbitrary system, then scaling that to find out the likelihood of compromising some system inside a community that grants entry to the remainder.

We will assume every hacker has a sure “likelihood” of compromising a system, with this likelihood rising based mostly on their ability, expertise, instruments, and time. We will then proceed making use of likelihood scaling to evaluate attacker success towards a broader pc atmosphere.

Given a affected person, undetected hacker, what number of makes an attempt are statistically required to breach a system granting entry to the graph? Answering this requires making use of a reworked binomial distribution within the type of this equation ^{[16, 17]}:

Utilizing this equation, we are able to estimate what number of makes an attempt an attacker of a sure ability stage would want. As an example, if attacker A1 has a 5% success fee (1 in 20) per system, they would want to focus on as much as 180 programs to be 99.99% positive of success.

One other attacker, A2, with a ten% success fee (1 in 10), would want about 88 targets to make sure no less than one success, whereas a extra expert attacker, A3, with a 20% success fee (1 in 5), would solely want round 42 targets for a similar likelihood.

These are possibilities—an attacker may succeed on the primary strive or require a number of makes an attempt to succeed in the anticipated success fee. To evaluate real-world influence, we surveyed senior penetration testers in our enterprise, who estimated their success fee towards arbitrary internet-connected targets to be round 30%.

Assuming a talented attacker has a 5% to 40% probability of compromising a single machine, we are able to now estimate what number of targets could be wanted to just about assure one profitable compromise.

The implications are placing: with simply 100 potential targets, even a reasonably expert attacker is sort of sure to succeed no less than as soon as. In a typical enterprise, this single compromise typically supplies entry to the broader community, and enterprises sometimes have 1000’s of computer systems to contemplate.

Reimagining Vulnerability Administration

For the long run, we have to conceive an atmosphere and structure that’s proof against compromise from a person system. Within the brief time period, we argue that our method to vulnerability administration wants to vary.

The present method to vulnerability administration is rooted in its title: specializing in “vulnerabilities” (as outlined by CVE, CVSS, EPSS, misconfiguration, errors, and so forth) and their “administration.” Nevertheless, now we have no management over the amount, pace, or significance of CVEs, main us to consistently react to chaotic new intelligence.

EPSS helps us prioritize vulnerabilities prone to be exploited within the wild, representing actual threats, which forces us right into a reactive mode. Whereas mitigation addresses vulnerabilities, our response is actually about countering threats—therefore, this course of needs to be known as Menace Mitigation.

As mentioned earlier, it is statistically not possible to successfully counter threats in massive enterprises by merely reacting to vulnerability intelligence. Danger Discount is about the very best we are able to do. Cyber threat outcomes from a risk concentrating on a system’s property, leveraging vulnerabilities, and the potential influence of such an assault. By addressing threat, we open up extra areas beneath our management to handle and mitigate.

Menace Mitigation

Menace Mitigation is a dynamic, ongoing course of that includes figuring out threats, assessing their relevance, and taking motion to mitigate them. This response can embody patching, reconfiguring, filtering, including compensating controls, and even eradicating weak programs. EPSS is a priceless device that enhances different sources of risk and vulnerability intelligence.

Nevertheless, the scaling nature of possibilities makes EPSS much less helpful in massive inner environments. Since EPSS focuses on vulnerabilities prone to be exploited “within the wild,” it’s most relevant to programs instantly uncovered to the web. Due to this fact, Menace Mitigation efforts ought to primarily goal these externally uncovered programs.

Danger Discount

Cyber threat is a product of Menace, Vulnerability, and Influence. Whereas the “Menace” is basically past our management, patching particular vulnerabilities in massive environments does not considerably decrease the chance of compromise. Due to this fact, threat discount ought to concentrate on three key efforts:

1. Decreasing the assault floor: Because the likelihood of compromise will increase with scale, it may be decreased by shrinking the assault floor. A key precedence is figuring out and eradicating unmanaged or pointless internet-facing programs.
2. Limiting the influence: Lambert’s legislation advises limiting attackers’ means to entry and traverse the “graph.” That is achieved by segmentation in any respect ranges—community, permissions, functions, and information. The Zero Belief structure supplies a sensible reference mannequin for this aim.
3. Enhancing the baseline: As an alternative of specializing in particular vulnerabilities as they’re reported or found, systematically lowering the general quantity and severity of vulnerabilities lowers the chance of compromise. This method prioritizes effectivity and Return on Funding, ignoring present acute threats in favor of long-term threat discount.

By separating Menace Mitigation from Danger Discount, we are able to break away from the fixed cycle of reacting to particular threats and concentrate on extra environment friendly, strategic approaches, liberating up sources for different priorities.

An Environment friendly Strategy

This method might be pursued systematically to optimize sources. The main target shifts from “managing vulnerabilities” to designing, implementing, and validating resilient architectures and baseline configurations. As soon as these baselines are set by safety, IT can take over their implementation and upkeep.

The important thing right here is that the “set off” for patching inner programs is a predefined plan, agreed with system homeowners, to improve to a brand new, permitted baseline. This method is definite to be a lot much less disruptive and extra environment friendly than consistently chasing the newest vulnerabilities.

Vulnerability Scanning stays necessary for creating an correct asset stock and figuring out non-compliant programs. It may well assist present standardized processes, as an alternative of triggering them.

Shaping the Future

The overwhelming barrage of randomly found and reported vulnerabilities as represented by CVE, CVSS and EPSS are stressing our folks, processes and know-how. We have successfully been approaching vulnerability administration the identical manner for over twenty years, with reasonable success.

It is time to reimagine how we design, construct, and keep programs.

There may be extra to this. That is simply an excerpt of our protection of vulnerabilities within the Safety Navigator 2025. To seek out out extra on how we are able to take again management, how totally different industries evaluate in our vulnerability screening operations and the way elements like Generative AI influence cyber safety I warmly suggest heading over to the download page and getting the total report!

Observe: This text was expertly written and contributed by Wicus Ross, Senior Safety Researcher at Orange Cyberdefense.