Past Vulnerability Administration – Can You CVE What I CVE?

The Vulnerability Treadmill

The reactive nature of vulnerability administration, mixed with delays from coverage and course of, strains safety groups. Capability is proscribed and patching every little thing instantly is a battle. Our Vulnerability Operation Middle (VOC) dataset evaluation recognized 1,337,797 distinctive findings (safety points) throughout 68,500 distinctive buyer property. 32,585 of them have been distinct CVEs, with 10,014 having a CVSS rating of 8 or greater. Amongst these, exterior property have 11,605 distinct CVEs, whereas inside property have 31,966. With this quantity of CVEs, it is no shock that some go unpatched and result in compromises.

Why are we caught on this scenario, what will be finished, and is there a greater strategy on the market?

We’ll discover the state of vulnerability reporting, the right way to prioritize vulnerabilities by risk and exploitation, look at statistical possibilities, and briefly talk about threat. Lastly, we’ll think about options to reduce vulnerability impression whereas giving administration groups flexibility in disaster response. This could give a great impression, however in order for you the total story you’ll find it in our annual report, the Safety Navigator.

Can You CVE What I CVE?

Western nations and organizations use the Widespread Vulnerability Enumeration (CVE) and Widespread Vulnerability Scoring System (CVSS) to trace and price vulnerabilities, overseen by US government-funded packages like MITRE and NIST. By September 2024, the CVE program, energetic for 25 years, had revealed over 264,000 CVEs, and by 15 April 2025, the variety of whole CVEs elevated to roughly 290,000 CVEs together with “Rejected” or “Deferred”.

NIST’s Nationwide Vulnerability Database (NVD) depends on CVE Numbering Authorities (CNAs) to file CVEs with preliminary CVSS assessments, which helps scale the method but additionally introduces biases. The disclosure of great vulnerabilities is difficult by disagreements between researchers and distributors over impression, relevance, and accuracy, affecting the broader group ^{[1, 2]}.

By April 2025, a backlog of greater than 24,000 unenriched CVEs collected on the NVD ^{[3, 4]} on account of bureaucratic delays that occurred in March 2024. Briefly halting CVE enrichment regardless of ongoing vulnerability studies, and dramatically illustrating the fragility of this method. The short-term pause resulted on this backlog that’s but to be cleared.

CVE and the NVD aren’t the only sources of vulnerability intelligence. Many organizations, together with ours, develop impartial merchandise that monitor way more vulnerabilities than the MITRE’s CVE program and NIST NVD.

Since 2009, China has operated its personal vulnerability database, CNNVD ^[5], which could possibly be a beneficial technical useful resource ^{[6, 7]}, although political obstacles make collaboration unlikely. Furthermore, not all vulnerabilities are disclosed instantly, creating blind spots, whereas some are exploited with out detection—so-called 0-days.

In 2023, Google’s Menace Evaluation Group (TAG) and Mandiant recognized 97 zero-day exploits, primarily affecting cell gadgets, working programs, browsers, and different purposes. In the meantime, solely about 6% of vulnerabilities within the CVE dictionary have ever been exploited ^[8], and research from 2022 present that half of organizations patch simply 15.5% or fewer vulnerabilities month-to-month ^[9].

Whereas CVE is essential for safety managers, it is an imperfect, voluntary system, neither globally regulated nor universally adopted.

This weblog additionally goals to discover how we’d cut back reliance on it in our day by day operations.

Menace Knowledgeable

Regardless of its shortcomings, the CVE system nonetheless supplies beneficial intelligence on vulnerabilities that would impression safety. Nevertheless, with so many CVEs to deal with, we should prioritize these almost certainly to be exploited by risk actors.

The Exploit Prediction Scoring System (EPSS), developed by the Discussion board of Incident Response and Safety Groups (FIRST) SIG ^[10], helps predict the probability of a vulnerability being exploited within the wild. With EPSS intelligence, safety managers can both prioritize patching as many CVEs as potential for broad protection or concentrate on essential vulnerabilities to maximise effectivity and stop exploitation. Each approaches have execs and cons.

To exhibit the tradeoff between protection and effectivity, we want two datasets: one representing potential patches (VOC dataset) and one other representing actively exploited vulnerabilities, which incorporates CISA KEV ^[10], moral hacking findings, and information from our CERT Vulnerability Intelligence Watch service ^[12].

The EPSS threshold is used to pick out a set of CVEs to patch, primarily based on how doubtless they’re to be exploited within the wild. The overlap between the remediation set and the exploited vulnerability set can be utilized to calculate the Effectivity, Protection, and Effort of a particular technique.

EPSS predicts the probability of a vulnerability being exploited someplace within the wild, not on any particular system. Nevertheless, possibilities can “scale.” For instance, flipping one coin provides a 50% probability of heads, however flipping 10 cash raises the prospect of a minimum of one head to 99.9%. This scaling is calculated utilizing the complement rule ^[13], which finds the chance of the specified final result by subtracting the prospect of failure from 1.

As FIRST explains, “EPSS predicts the chance of a selected vulnerability being exploited and will be scaled to estimate threats throughout servers, subnets, or whole enterprises by calculating the chance of a minimum of one occasion occurring.”^{[14, 15]}

With EPSS, we are able to equally calculate the probability of a minimum of one vulnerability being exploited from a listing through the use of the complement rule.

To exhibit, we analyzed 397 vulnerabilities from the VOC scan information of a Public Administration sector consumer. Because the chart beneath illustrates, most vulnerabilities had low EPSS scores till a pointy rise at place 276. Additionally proven on the chart is the scaled chance of exploitation utilizing the complement rule, which successfully reaches 100% when solely the primary 264 vulnerabilities are thought of.

Because the scaled EPSS curve (left) on the chart signifies, as extra CVEs are thought of, the scaled chance that certainly one of them might be exploited within the wild will increase very quickly. By the point there are 265 distinct CVEs into account, the chance that certainly one of them might be exploited within the wild is greater than 99%. This stage is reached earlier than any particular person vulnerabilities with excessive EPSS come into consideration. When the scaled EPSS worth crosses 99% (Place 260) the utmost EPSS remains to be below 11% (0.11).

This instance, primarily based on precise consumer information on vulnerabilities uncovered to the Web, exhibits how troublesome prioritizing vulnerabilities turns into because the variety of programs will increase.

EPSS provides a chance {that a} vulnerability might be exploited within the wild, which is useful for defenders, however we have proven how rapidly this chance scales when a number of vulnerabilities are concerned. With sufficient vulnerabilities, there’s a actual chance that one will get exploited, even when the person EPSS scores are low.

Like a climate forecast predicting a “probability of rain,” the bigger the world, the larger the probability of rain someplace. Likewise, it’s doubtless not possible to scale back the chance of exploitation even nearer right down to zero.

Attacker Odds

We have recognized three essential truths that should be built-in into our examination of the vulnerability administration course of:

• Attackers aren’t centered on particular vulnerabilities; they goal to compromise programs.
• Exploiting vulnerabilities is not the one path to compromise.
• Attackers’ talent and persistence ranges fluctuate.

These elements enable us to increase our evaluation of EPSS and possibilities to think about the probability of an attacker compromising some arbitrary system, then scaling that to find out the chance of compromising some system inside a community that grants entry to the remainder.

We will assume every hacker has a sure “chance” of compromising a system, with this chance rising primarily based on their talent, expertise, instruments, and time. We will then proceed making use of chance scaling to evaluate attacker success in opposition to a broader pc atmosphere.

Given a affected person, undetected hacker, what number of makes an attempt are statistically required to breach a system granting entry to the graph? Answering this requires making use of a reworked binomial distribution within the type of this equation ^{[16, 17]}:

Utilizing this equation, we are able to estimate what number of makes an attempt an attacker of a sure talent stage would wish. As an example, if attacker A1 has a 5% success price (1 in 20) per system, they would wish to focus on as much as 180 programs to be 99.99% positive of success.

One other attacker, A2, with a ten% success price (1 in 10), would wish about 88 targets to make sure a minimum of one success, whereas a extra expert attacker, A3, with a 20% success price (1 in 5), would solely want round 42 targets for a similar chance.

These are possibilities—an attacker would possibly succeed on the primary strive or require a number of makes an attempt to achieve the anticipated success price. To evaluate real-world impression, we surveyed senior penetration testers in our enterprise, who estimated their success price in opposition to arbitrary internet-connected targets to be round 30%.

Assuming a talented attacker has a 5% to 40% probability of compromising a single machine, we are able to now estimate what number of targets could be wanted to just about assure one profitable compromise.

The implications are putting: with simply 100 potential targets, even a reasonably expert attacker is sort of sure to succeed a minimum of as soon as. In a typical enterprise, this single compromise usually supplies entry to the broader community, and enterprises sometimes have 1000’s of computer systems to think about.

Reimagining Vulnerability Administration

For the long run, we have to conceive an atmosphere and structure that’s resistant to compromise from a person system. Within the quick time period, we argue that our strategy to vulnerability administration wants to alter.

The present strategy to vulnerability administration is rooted in its title: specializing in “vulnerabilities” (as outlined by CVE, CVSS, EPSS, misconfiguration, errors, and so forth) and their “administration.” Nevertheless, we’ve got no management over the amount, velocity, or significance of CVEs, main us to continually react to chaotic new intelligence.

EPSS helps us prioritize vulnerabilities more likely to be exploited within the wild, representing actual threats, which forces us right into a reactive mode. Whereas mitigation addresses vulnerabilities, our response is actually about countering threats—therefore, this course of ought to be referred to as Menace Mitigation.

As mentioned earlier, it is statistically not possible to successfully counter threats in massive enterprises by merely reacting to vulnerability intelligence. Danger Discount is about the perfect we are able to do. Cyber threat outcomes from a risk focusing on a system’s property, leveraging vulnerabilities, and the potential impression of such an assault. By addressing threat, we open up extra areas below our management to handle and mitigate.

Menace Mitigation

Menace Mitigation is a dynamic, ongoing course of that entails figuring out threats, assessing their relevance, and taking motion to mitigate them. This response can embrace patching, reconfiguring, filtering, including compensating controls, and even eradicating weak programs. EPSS is a beneficial instrument that enhances different sources of risk and vulnerability intelligence.

Nevertheless, the scaling nature of possibilities makes EPSS much less helpful in massive inside environments. Since EPSS focuses on vulnerabilities more likely to be exploited “within the wild,” it’s most relevant to programs straight uncovered to the web. Subsequently, Menace Mitigation efforts ought to primarily goal these externally uncovered programs.

Danger Discount

Cyber threat is a product of Menace, Vulnerability, and Influence. Whereas the “Menace” is basically past our management, patching particular vulnerabilities in massive environments would not considerably decrease the chance of compromise. Subsequently, threat discount ought to concentrate on three key efforts:

1. Lowering the assault floor: Because the chance of compromise will increase with scale, it may be diminished by shrinking the assault floor. A key precedence is figuring out and eradicating unmanaged or pointless internet-facing programs.
2. Limiting the impression: Lambert’s regulation advises limiting attackers’ means to entry and traverse the “graph.” That is achieved by means of segmentation in any respect ranges—community, permissions, purposes, and information. The Zero Belief structure supplies a sensible reference mannequin for this objective.
3. Enhancing the baseline: As an alternative of specializing in particular vulnerabilities as they’re reported or found, systematically lowering the general quantity and severity of vulnerabilities lowers the chance of compromise. This strategy prioritizes effectivity and Return on Funding, ignoring present acute threats in favor of long-term threat discount.

By separating Menace Mitigation from Danger Discount, we are able to break away from the fixed cycle of reacting to particular threats and concentrate on extra environment friendly, strategic approaches, liberating up sources for different priorities.

An Environment friendly Method

This strategy will be pursued systematically to optimize sources. The main target shifts from “managing vulnerabilities” to designing, implementing, and validating resilient architectures and baseline configurations. As soon as these baselines are set by safety, IT can take over their implementation and upkeep.

The important thing right here is that the “set off” for patching inside programs is a predefined plan, agreed with system house owners, to improve to a brand new, accredited baseline. This strategy is for certain to be a lot much less disruptive and extra environment friendly than continually chasing the newest vulnerabilities.

Vulnerability Scanning stays essential for creating an correct asset stock and figuring out non-compliant programs. It could help current standardized processes, as an alternative of triggering them.

Shaping the Future

The overwhelming barrage of randomly found and reported vulnerabilities as represented by CVE, CVSS and EPSS are stressing our folks, processes and know-how. We have successfully been approaching vulnerability administration the identical manner for over 20 years, with average success.

It is time to reimagine how we design, construct, and preserve programs.

There may be extra to this. That is simply an excerpt of our protection of vulnerabilities within the Safety Navigator 2025. To seek out out extra on how we are able to take again management, how completely different industries evaluate in our vulnerability screening operations and the way elements like Generative AI impression cyber safety I warmly advocate heading over to the obtain web page and getting the total report!

Be aware: This text was expertly written and contributed by Wicus Ross, Senior Safety Researcher at Orange Cyberdefense.