
What is CVE (Common Vulnerabilities and Exposures)?

Andrew Pla|Updated October 30, 2025

CVE (Common Vulnerabilities and Exposures) is a publicly available catalog of known security vulnerabilities, each identified with a unique CVE ID. It helps organizations quickly find, assess, and prioritize vulnerabilities for remediation across their systems.

Here’s a CVE cheat sheet that might come in handy when you want to flex in front of the new CTO.

What’s the difference between a vulnerability and an exposure? 

A vulnerability is a flaw in software, hardware, or systems that can be exploited by attackers — like weak encryption or buggy code.

An exposure increases security risk but isn’t necessarily a flaw. For example, running outdated software that leaves unpatched known vulnerabilities is an exposure (and a dicey move in IT).

What is the CVE Program?

Started in 1999, the CVE Program is a universal system for identifying and recording common hardware and software security vulnerabilities. The CVE Program was started by the MITRE Corporation, a nonprofit organization in the U.S. that runs government-funded research and development centers.

How are CVEs identified and recorded?

The CVE identification and publication process includes six key steps:

  1. Discovery: A vulnerability is discovered.

  2. Reporting: Individuals/organizations report the vulnerability to a CVE Numbering Authority (CNA).

  3. Verification: The vulnerability is assessed to verify that it meets the qualifying criteria for vulnerabilities.

  4. CVE ID request: Once verified, a CVE identifier (CVE ID) is requested and reserved.

  5. Submission: Details of the vulnerability are submitted to the CVE Program.

  6. Publishing: When published, the CVE record or entry includes a description of the vulnerability and relevant references, like vulnerability reports or advisories.

What is a CVE Numbering Authority? 

A CVE Numbering Authority (CNA) is an approved organization that assigns CVE IDs for vulnerabilities within its products or domain, such as Adobe Systems for Adobe software.

CVE IDs

Each vulnerability is assigned a unique identifier by a CVE Numbering Authority with the following format: CVE-YYYY-NNNNNNN. The year indicates when the CVE was published rather than when it was discovered. (That’s at least worth a point or two at the next company trivia night. You’re welcome.)
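As an added example (not part of the original article), here is a small Python helper that validates CVE IDs against the format above, pulls them out of free text such as a patch note, and counts them by ID year. It accepts a sequence number of four or more digits, which is the published CVE ID syntax; the sample text and every CVE ID in it are constructed placeholders, not real records.

```python
import re
from collections import Counter
from typing import Optional

# CVE ID syntax: "CVE-" + four-digit year + "-" + sequence number of at least
# four digits (older IDs have four, newer ones may have more). The year is the
# year the ID was assigned/published, not the year the flaw was discovered.
CVE_ID_RE = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b", re.IGNORECASE)


def parse_cve_id(candidate: str) -> Optional[dict]:
    """Validate a single CVE ID; return its parts, or None if malformed."""
    m = CVE_ID_RE.fullmatch(candidate.strip())
    if not m:
        return None
    year, seq = m.groups()
    # Normalise to upper case so "cve-..." and "CVE-..." compare equal.
    return {"id": f"CVE-{year}-{seq}", "year": int(year), "sequence": int(seq)}


def extract_cve_ids(text: str) -> list:
    """Return distinct, normalised CVE IDs found in free text, in first-seen order."""
    seen = {}
    for m in CVE_ID_RE.finditer(text):
        seen.setdefault(f"CVE-{m.group(1)}-{m.group(2)}", None)
    return list(seen)


def count_by_year(cve_ids: list) -> dict:
    """Count IDs per ID year (the YYYY field), sorted by year."""
    years = Counter(int(cve_id.split("-")[1]) for cve_id in cve_ids)
    return dict(sorted(years.items()))


# Constructed sample patch note. The CVE IDs are placeholders, not real records;
# two of them are deliberately malformed (two-digit year, three-digit sequence).
SAMPLE_PATCH_NOTE = """\
Cumulative update fixes CVE-2024-10001 and cve-2024-10002.
Vendor notes mention CVE-2024-10001 again for the same component.
Legacy agent: CVE-2019-0001 remains unpatched on two hosts.
Ticket text also contains CVE-24-1234 and CVE-2024-123, which are malformed.
"""

if __name__ == "__main__":
    found = extract_cve_ids(SAMPLE_PATCH_NOTE)
    print(found)                 # three distinct, well-formed IDs
    print(count_by_year(found))  # how many per ID year
```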

What is the Common Vulnerability Scoring System (CVSS)?

The Common Vulnerability Scoring System (CVSS) is a standardized system of scoring and categorizing vulnerabilities and their characteristics according to their severity levels.

CVSS metrics are split into four groups: Base, Threat, Environmental, and Supplemental. Most published CVSS ratings use just the Base Score. A CVSS score ranges from 0 to 10 and is calculated with the CVSS calculator. CVSS scores allow organizations to determine the exploitability and potential impact of known vulnerabilities discovered in their environment so they can prioritize appropriate next steps.

Top CVE databases

Different CVE databases provide different types of vulnerability information and analyses that can enhance your vulnerability management program — from severity ratings to details of known exploits. The top CVE databases include:

Notable CVEs

There are vulnerabilities, and then there are vulnerabilities. Here are some that (despite their somewhat charming names) still plague our dreams, a cautionary reminder to never let down our guard.

How to choose a vulnerability scanner

In 2025 alone, we're expected to reach approximately 50,000 disclosed vulnerabilities. With this number growing each year, IT teams increasingly need to rely on security tools like vulnerability scanners to keep their environments secure (and the cold, hard fear of data breaches to a minimum).

When choosing a vulnerability scanner for your organization, here are some important features to consider.

  • Ease of use

  • Scan functionality

  • Scan coverage

  • Attack surface visibility

  • Contextualized prioritization

  • Reporting details

  • Scalability

  • Vendor reputation and support


Automate the tedious steps of vulnerability management with PDQ Connect: our end-to-end patch management solution. Let PDQ Connect inventory your software and flag vulnerabilities that you can patch in just one click. And should something go wrong with a patch (which would totally not be Microsoft’s fault, of course), use PDQ Connect’s built-in remote desktop control and access feature to get things back up and running again. Try PDQ Connect free for 14 days.

Andrew Pla

Andrew loves automation, PowerShell, and building tools that last. He has spent nearly a decade in IT with a focus on automation, infrastructure, and toolmaking. He has a passion for sharing knowledge and prefers humans to computers, and is a host of the PowerShell Podcast and a Microsoft MVP.
