CVE (Common Vulnerabilities and Exposures)
A standardized identifier for publicly known cybersecurity vulnerabilities, such as CVE-2024-12345.
What is CVE (Common Vulnerabilities and Exposures)?
A CVE (Common Vulnerabilities and Exposures) is a unique, publicly catalogued identifier assigned to a specific, disclosed security flaw in software or hardware. The program is operated by the MITRE Corporation and sponsored by the U.S. Cybersecurity and Infrastructure Security Agency (CISA). IDs follow the format CVE-YYYY-NNNN, where YYYY is the year the ID was reserved (not necessarily the year the flaw was found or fixed) and the sequence number has at least four digits with no upper bound (for example, CVE-2021-44228, the Log4Shell flaw in Apache Log4j). A CVE record names the affected product, describes the weakness, and links to references. It is an identifier, not a verdict: on its own it does not tell you how severe the flaw is for your environment or whether you are exploitable.
Why it matters
Before CVEs existed, two vendors might describe the same flaw with completely different names, making it impossible to know if a patch, a scanner alert, and an advisory all referred to the same problem. A CVE ID is a shared reference point: it lets vulnerability scanners, threat-intelligence feeds, patch notes, and security teams all point at the exact same issue. When a CVE is published for software you run on an internet-facing asset, attackers can read the same advisory you can — often within hours of disclosure.
How it works
Flaws are reported to a CNA (CVE Numbering Authority), a vendor, open-source project, or research organization authorized to issue IDs within its scope. The CNA reserves an ID (which is why an advisory can cite a CVE number while the public entry still reads "RESERVED"), the details are validated, and the entry is published to the official CVE List and mirrored into the NVD (National Vulnerability Database), which enriches it with CVSS scores and affected-product (CPE) data. A CVE is usually paired with separate signals that drive prioritization:
- CVSS — a 0–10 score estimating technical severity.
- EPSS — an estimated probability (0–1) that the flaw will be exploited in the wild within the next 30 days.
- CISA KEV — a catalog of CVEs with evidence of active exploitation, with remediation deadlines for U.S. federal agencies.
A high CVSS score does not automatically mean you must act today; a flaw that is already being exploited on KEV usually does. See how to prioritize vulnerabilities for how these signals combine.
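The two mechanical steps above, checking that an identifier is a well-formed CVE ID and combining CVSS, EPSS and KEV into a triage decision, are small enough to show in code. The block below is an added illustration, not FortWatch's code or any official CVE Program tooling. The priority tiers, the thresholds, and the `internet_exposed` flag on each finding are assumptions chosen to mirror the rule stated in the text (KEV outranks raw CVSS, and nothing is urgent unless the asset is reachable); the sample findings and their scores are constructed, apart from Log4Shell's well-known CVSS 10.0 and KEV listing.

```python
import re
from dataclasses import dataclass
from typing import Optional

# A CVE ID is "CVE-", a four-digit year, "-", then a sequence number of at
# least four digits with no upper bound (CVE-2021-44228 has five).
CVE_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")
FIRST_CVE_YEAR = 1999  # the program's first IDs were assigned in 1999


def parse_cve_id(raw: str) -> Optional[tuple[int, int]]:
    """Return (year, sequence) for a well-formed CVE ID, else None.

    Case and surrounding whitespace are normalised so that a value copied
    from a ticket or a scanner export ("cve-2021-44228 ") still matches.
    """
    m = CVE_RE.match(raw.strip().upper())
    if not m:
        return None
    year, seq = int(m.group(1)), int(m.group(2))
    if year < FIRST_CVE_YEAR:
        return None
    return year, seq


@dataclass
class Finding:
    cve_id: str
    cvss: float             # CVSS base score, 0-10
    epss: float             # EPSS probability of exploitation, 0-1
    in_kev: bool            # listed in CISA KEV
    internet_exposed: bool  # assumption: scanner says the asset is reachable from the internet


# Assumed tier names; lower number means act sooner.
TIER_ORDER = {"P1-now": 0, "P2-this-week": 1, "P3-scheduled": 2, "P4-backlog": 3}


def priority(f: Finding) -> str:
    """Map one finding to a tier. Thresholds are illustrative, not a standard."""
    if parse_cve_id(f.cve_id) is None:
        raise ValueError(f"malformed CVE ID: {f.cve_id!r}")
    if not f.internet_exposed:
        # A real flaw with no external path: schedule it, do not page anyone.
        return "P3-scheduled" if (f.in_kev or f.cvss >= 7.0) else "P4-backlog"
    if f.in_kev:
        # Confirmed exploitation on a reachable asset beats any score.
        return "P1-now"
    if f.epss >= 0.10 or f.cvss >= 9.0:
        return "P2-this-week"
    if f.cvss >= 7.0:
        return "P3-scheduled"
    return "P4-backlog"


def triage(findings: list[Finding]) -> list[tuple[str, str]]:
    """Return (cve_id, tier) pairs, most urgent first."""
    ranked = [(f.cve_id, priority(f)) for f in findings]
    return sorted(ranked, key=lambda pair: TIER_ORDER[pair[1]])


# Constructed sample findings (EPSS values and the two non-Log4Shell entries are made up).
SAMPLE = [
    Finding("CVE-2024-12345", cvss=9.8, epss=0.02, in_kev=False, internet_exposed=True),
    Finding("CVE-2021-44228", cvss=10.0, epss=0.97, in_kev=True, internet_exposed=True),
    Finding("CVE-2024-0001", cvss=7.5, epss=0.01, in_kev=False, internet_exposed=True),
    Finding("CVE-2023-9999", cvss=9.1, epss=0.50, in_kev=True, internet_exposed=False),
]

if __name__ == "__main__":
    for cve_id, tier in triage(SAMPLE):
        print(f"{tier:14} {cve_id}")
```

Note what the ordering shows: the CVSS 9.8 finding that nobody is exploiting lands below Log4Shell, and the KEV-listed flaw on an internal-only asset drops to scheduled work. Whatever thresholds you choose, validate the ID first; a malformed identifier usually means the finding was copied from a free-text source and will not join cleanly to NVD, EPSS or KEV data.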
A concrete example
When Log4Shell (CVE-2021-44228) was disclosed in December 2021, any internet-facing service that logged attacker-controlled input through a vulnerable Log4j version could be compromised with a single crafted request. Organizations that knew their external software inventory could map the CVE to exposed assets in minutes; those that did not spent days guessing where the library was running, often inside third-party applications they had not written. The CVE ID was what tied the advisory, the scanner detections, and the patch together.
CVEs on your external attack surface
A CVE only matters to you if a vulnerable, reachable version of the affected software is actually exposed to the internet. That mapping — from a published flaw to your public-facing assets — is the core of external attack surface management.
FortWatch's vulnerability scanning uses Nuclei templates to fingerprint exposed services and match them against known CVEs, then assigns each finding a severity informed by exploitability signals (not just raw CVSS) and attaches AI-generated remediation guidance. Many high-impact exposures — an open database port, an outdated TLS stack, a leaked configuration file — sit alongside CVE matches as related findings rather than carrying a CVE of their own, which is why CVE detection is one input among several, not the whole picture. For supply-chain CVEs specifically, see defending against software supply chain attacks.
Secure your entire stack today
Start scanning in under 5 minutes. No credit card required. 14-day free trial included.