Past Vulnerability Administration – Can You CVE What I CVE?

The Vulnerability Treadmill

The reactive nature of vulnerability administration, mixed with delays from coverage and course of, strains safety groups. Capability is restricted and patching every part instantly is a wrestle. Our Vulnerability Operation Heart (VOC) dataset evaluation recognized 1,337,797 distinctive findings (safety points) throughout 68,500 distinctive buyer property. 32,585 of them have been distinct CVEs, with 10,014 having a CVSS rating of 8 or increased. Amongst these, exterior property have 11,605 distinct CVEs, whereas inner property have 31,966. With this quantity of CVEs, it is no shock that some go unpatched and result in compromises.

Why are we caught on this scenario, what could be achieved, and is there a greater method on the market?

We’ll discover the state of vulnerability reporting, how one can prioritize vulnerabilities by menace and exploitation, look at statistical chances, and briefly talk about danger. Lastly, we’ll contemplate options to reduce vulnerability influence whereas giving administration groups flexibility in disaster response. This could give an excellent impression, however if you need the total story you could find it in our annual report, the Safety Navigator.

Can You CVE What I CVE?

Western nations and organizations use the Widespread Vulnerability Enumeration (CVE) and Widespread Vulnerability Scoring System (CVSS) to trace and fee vulnerabilities, overseen by US government-funded applications like MITRE and NIST. By September 2024, the CVE program, energetic for 25 years, had revealed over 264,000 CVEs, and by 15 April 2025, the variety of complete CVEs elevated to roughly 290,000 CVEs together with “Rejected” or “Deferred”.

NIST’s Nationwide Vulnerability Database (NVD) depends on CVE Numbering Authorities (CNAs) to report CVEs with preliminary CVSS assessments, which helps scale the method but additionally introduces biases. The disclosure of great vulnerabilities is sophisticated by disagreements between researchers and distributors over influence, relevance, and accuracy, affecting the broader neighborhood ^{[1, 2]}.

By April 2025, a backlog of greater than 24,000 unenriched CVEs accrued on the NVD ^{[3, 4]} on account of bureaucratic delays that occurred in March 2024. Briefly halting CVE enrichment regardless of ongoing vulnerability studies, and dramatically illustrating the fragility of this method. The momentary pause resulted on this backlog that’s but to be cleared.

On 15 April 2025, MITRE introduced that the US Division of Homeland Safety is not going to be renewing its contract with MITRE, impacting the CVE program immediately^[15]. This created a whole lot of uncertainty about the way forward for CVEs and the way it will influence cybersecurity practitioners. Luckily, funding for the CVE program was prolonged as a result of robust neighborhood and trade response^[16].

CVE and the NVD are usually not the only real sources of vulnerability intelligence. Many organizations, together with ours, develop impartial merchandise that observe way more vulnerabilities than the MITRE’s CVE program and NIST NVD.

Since 2009, China has operated its personal vulnerability database, CNNVD ^[5], which might be a helpful technical useful resource ^{[6, 7]}, although political boundaries make collaboration unlikely. Furthermore, not all vulnerabilities are disclosed instantly, creating blind spots, whereas some are exploited with out detection—so-called 0-days.

In 2023, Google’s Risk Evaluation Group (TAG) and Mandiant recognized 97 zero-day exploits, primarily affecting cellular gadgets, working methods, browsers, and different functions. In the meantime, solely about 6% of vulnerabilities within the CVE dictionary have ever been exploited ^[8], and research from 2022 present that half of organizations patch simply 15.5% or fewer vulnerabilities month-to-month ^[9].

Whereas CVE is essential for safety managers, it is an imperfect, voluntary system, neither globally regulated nor universally adopted.

This weblog additionally goals to discover how we would scale back reliance on it in our each day operations.

Risk Knowledgeable

Regardless of its shortcomings, the CVE system nonetheless gives helpful intelligence on vulnerabilities that would influence safety. Nevertheless, with so many CVEs to handle, we should prioritize these most probably to be exploited by menace actors.

The Exploit Prediction Scoring System (EPSS), developed by the Discussion board of Incident Response and Safety Groups (FIRST) SIG ^[10], helps predict the chance of a vulnerability being exploited within the wild. With EPSS intelligence, safety managers can both prioritize patching as many CVEs as doable for broad protection or deal with essential vulnerabilities to maximise effectivity and forestall exploitation. Each approaches have execs and cons.

To exhibit the tradeoff between protection and effectivity, we want two datasets: one representing potential patches (VOC dataset) and one other representing actively exploited vulnerabilities, which incorporates CISA KEV ^[10], moral hacking findings, and knowledge from our CERT Vulnerability Intelligence Watch service ^[12].

The EPSS threshold is used to pick a set of CVEs to patch, based mostly on how seemingly they’re to be exploited within the wild. The overlap between the remediation set and the exploited vulnerability set can be utilized to calculate the Effectivity, Protection, and Effort of a particular technique.

EPSS predicts the chance of a vulnerability being exploited someplace within the wild, not on any particular system. Nevertheless, chances can “scale.” For instance, flipping one coin offers a 50% probability of heads, however flipping 10 cash raises the possibility of no less than one head to 99.9%. This scaling is calculated utilizing the complement rule ^[13], which finds the chance of the specified end result by subtracting the possibility of failure from 1.

As FIRST explains, “EPSS predicts the chance of a particular vulnerability being exploited and could be scaled to estimate threats throughout servers, subnets, or total enterprises by calculating the chance of no less than one occasion occurring.”^{[14, 15]}

With EPSS, we will equally calculate the chance of no less than one vulnerability being exploited from an inventory by utilizing the complement rule.

To exhibit, we analyzed 397 vulnerabilities from the VOC scan knowledge of a Public Administration sector consumer. Because the chart beneath illustrates, most vulnerabilities had low EPSS scores till a pointy rise at place 276. Additionally proven on the chart is the scaled chance of exploitation utilizing the complement rule, which successfully reaches 100% when solely the primary 264 vulnerabilities are thought of.

Because the scaled EPSS curve (left) on the chart signifies, as extra CVEs are thought of, the scaled chance that considered one of them might be exploited within the wild will increase very quickly. By the point there are 265 distinct CVEs into account, the chance that considered one of them might be exploited within the wild is greater than 99%. This degree is reached earlier than any particular person vulnerabilities with excessive EPSS come into consideration. When the scaled EPSS worth crosses 99% (Place 260) the utmost EPSS remains to be underneath 11% (0.11).

This instance, based mostly on precise consumer knowledge on vulnerabilities uncovered to the Web, exhibits how troublesome prioritizing vulnerabilities turns into because the variety of methods will increase.

EPSS offers a chance {that a} vulnerability might be exploited within the wild, which is useful for defenders, however we have proven how rapidly this chance scales when a number of vulnerabilities are concerned. With sufficient vulnerabilities, there’s a actual chance that one will get exploited, even when the person EPSS scores are low.

Like a climate forecast predicting a “probability of rain,” the bigger the world, the larger the chance of rain someplace. Likewise, it’s seemingly inconceivable to scale back the chance of exploitation even nearer right down to zero.

Attacker Odds

We have recognized three essential truths that should be built-in into our examination of the vulnerability administration course of:

• Attackers aren’t centered on particular vulnerabilities; they purpose to compromise methods.
• Exploiting vulnerabilities is not the one path to compromise.
• Attackers’ ability and persistence ranges fluctuate.

These elements permit us to increase our evaluation of EPSS and chances to contemplate the chance of an attacker compromising some arbitrary system, then scaling that to find out the chance of compromising some system inside a community that grants entry to the remainder.

We are able to assume every hacker has a sure “chance” of compromising a system, with this chance rising based mostly on their ability, expertise, instruments, and time. We are able to then proceed making use of chance scaling to evaluate attacker success in opposition to a broader laptop surroundings.

Given a affected person, undetected hacker, what number of makes an attempt are statistically required to breach a system granting entry to the graph? Answering this requires making use of a reworked binomial distribution within the type of this equation ^{[16, 17]}:

Utilizing this equation, we will estimate what number of makes an attempt an attacker of a sure ability degree would want. As an example, if attacker A1 has a 5% success fee (1 in 20) per system, they would want to focus on as much as 180 methods to be 99.99% positive of success.

One other attacker, A2, with a ten% success fee (1 in 10), would want about 88 targets to make sure no less than one success, whereas a extra expert attacker, A3, with a 20% success fee (1 in 5), would solely want round 42 targets for a similar chance.

These are chances—an attacker may succeed on the primary strive or require a number of makes an attempt to succeed in the anticipated success fee. To evaluate real-world influence, we surveyed senior penetration testers in our enterprise, who estimated their success fee in opposition to arbitrary internet-connected targets to be round 30%.

Assuming a talented attacker has a 5% to 40% probability of compromising a single machine, we will now estimate what number of targets can be wanted to just about assure one profitable compromise.

The implications are putting: with simply 100 potential targets, even a reasonably expert attacker is sort of sure to succeed no less than as soon as. In a typical enterprise, this single compromise usually gives entry to the broader community, and enterprises usually have 1000’s of computer systems to contemplate.

Reimagining Vulnerability Administration

For the longer term, we have to conceive an surroundings and structure that’s proof against compromise from a person system. Within the quick time period, we argue that our method to vulnerability administration wants to alter.

The present method to vulnerability administration is rooted in its identify: specializing in “vulnerabilities” (as outlined by CVE, CVSS, EPSS, misconfiguration, errors, and so forth) and their “administration.” Nevertheless, we’ve no management over the amount, pace, or significance of CVEs, main us to always react to chaotic new intelligence.

EPSS helps us prioritize vulnerabilities more likely to be exploited within the wild, representing actual threats, which forces us right into a reactive mode. Whereas mitigation addresses vulnerabilities, our response is really about countering threats—therefore, this course of needs to be known as Risk Mitigation.

As mentioned earlier, it is statistically inconceivable to successfully counter threats in massive enterprises by merely reacting to vulnerability intelligence. Threat Discount is about the most effective we will do. Cyber danger outcomes from a menace focusing on a system’s property, leveraging vulnerabilities, and the potential influence of such an assault. By addressing danger, we open up extra areas underneath our management to handle and mitigate.

Risk Mitigation

Risk Mitigation is a dynamic, ongoing course of that entails figuring out threats, assessing their relevance, and taking motion to mitigate them. This response can embrace patching, reconfiguring, filtering, including compensating controls, and even eradicating weak methods. EPSS is a helpful software that enhances different sources of menace and vulnerability intelligence.

Nevertheless, the scaling nature of chances makes EPSS much less helpful in massive inner environments. Since EPSS focuses on vulnerabilities more likely to be exploited “within the wild,” it’s most relevant to methods immediately uncovered to the web. Subsequently, Risk Mitigation efforts ought to primarily goal these externally uncovered methods.

Threat Discount

Cyber danger is a product of Risk, Vulnerability, and Influence. Whereas the “Risk” is basically past our management, patching particular vulnerabilities in massive environments would not considerably decrease the danger of compromise. Subsequently, danger discount ought to deal with three key efforts:

1. Decreasing the assault floor: Because the chance of compromise will increase with scale, it may be lowered by shrinking the assault floor. A key precedence is figuring out and eradicating unmanaged or pointless internet-facing methods.
2. Limiting the influence: Lambert’s regulation advises limiting attackers’ capacity to entry and traverse the “graph.” That is achieved by way of segmentation in any respect ranges—community, permissions, functions, and knowledge. The Zero Belief structure gives a sensible reference mannequin for this aim.
3. Enhancing the baseline: As an alternative of specializing in particular vulnerabilities as they’re reported or found, systematically decreasing the general quantity and severity of vulnerabilities lowers the danger of compromise. This method prioritizes effectivity and Return on Funding, ignoring present acute threats in favor of long-term danger discount.

By separating Risk Mitigation from Threat Discount, we will break away from the fixed cycle of reacting to particular threats and deal with extra environment friendly, strategic approaches, liberating up assets for different priorities.

An Environment friendly Method

This method could be pursued systematically to optimize assets. The main target shifts from “managing vulnerabilities” to designing, implementing, and validating resilient architectures and baseline configurations. As soon as these baselines are set by safety, IT can take over their implementation and upkeep.

The important thing right here is that the “set off” for patching inner methods is a predefined plan, agreed with system house owners, to improve to a brand new, authorized baseline. This method is definite to be a lot much less disruptive and extra environment friendly than always chasing the newest vulnerabilities.

Vulnerability Scanning stays vital for creating an correct asset stock and figuring out non-compliant methods. It might probably help present standardized processes, as an alternative of triggering them.

Shaping the Future

The overwhelming barrage of randomly found and reported vulnerabilities as represented by CVE, CVSS and EPSS are stressing our individuals, processes and expertise. We have successfully been approaching vulnerability administration the identical approach for over twenty years, with average success.

It is time to reimagine how we design, construct, and keep methods.

There’s extra to this. That is simply an excerpt of our protection of vulnerabilities within the Safety Navigator 2025. To seek out out extra on how we will take again management, how totally different industries examine in our vulnerability screening operations and the way elements like Generative AI influence cyber safety I warmly suggest heading over to the obtain web page and getting the total report!

Notice: This text was expertly written and contributed by Wicus Ross, Senior Safety Researcher at Orange Cyberdefense.