Blog - Dattak | Cybersecurity, Insurance & Tech Risks

What is a CVE?

Written by Kévin Gouasbault | Apr 23, 2026 1:54:17 PM

The origins of CVEs

The CVE (Common Vulnerabilities and Exposures) system was launched in 1999 by the MITRE Corporation, a non-profit organization that manages several cybersecurity programs on behalf of the US government. The main aim of the CVE project was to create a standardized repository for tracking and documenting vulnerabilities consistently, on a global scale.

Before CVE existed, there was no universal way to name and track vulnerabilities: each security vendor used its own nomenclature, which made communication and coordination difficult. MITRE therefore proposed a naming system that is:

  • Unique: Each CVE assigns a specific identifier to a vulnerability, avoiding ambiguity.
  • Public: CVEs are accessible to all, encouraging greater transparency and collaboration.
  • Neutral: The information does not favor any vendor or publisher.

How does the CVE system work?

The CVE creation process:

1. Vulnerability identification: a security researcher or vendor discovers a flaw in a piece of software or a system.
2. Submission to a CNA (CVE Numbering Authority): CNAs are the entities authorized to assign CVE identifiers. They can be software publishers, researchers, or companies such as Microsoft or Google; there are several hundred of them.
3. Assessment and assignment: once the report is validated, the vulnerability is assigned a CVE identifier.
4. Publication in the CVE database: the identifier is added to the public database, which is accessible through platforms such as the National Vulnerability Database (NVD).

Understanding a CVE

Each documented vulnerability receives a unique identifier in the format CVE-Year-Number.

For example, CVE-2023-12345:
- _2023_: the year in which the vulnerability was discovered or registered.
- _12345_: a unique sequential number for this vulnerability.

CVSS: Vulnerability severity assessment

The Common Vulnerability Scoring System (CVSS) is a standard that often accompanies CVEs. It provides a numerical rating from 0 to 10 to indicate the severity of a vulnerability, enabling companies to prioritize their risk management.

To arrive at this score, CVSS is divided into three main metric groups, which together give a complete assessment of a vulnerability:

  1. Base Score: evaluates the intrinsic characteristics of a vulnerability (its fundamental nature). It includes sub-metrics such as:
     - Attack Vector (AV): describes the context from which the vulnerability can be exploited. Examples: _Network_: exploitable remotely via the Internet; _Local_: exploitable only with direct access to the machine.
     - Attack Complexity (AC): indicates whether exploitation requires special conditions (low or high).
     - Privileges Required (PR): the level of access required to exploit the vulnerability.
  2. Temporal Score: takes into account changing factors such as the availability of a patch or of known exploits, with sub-metrics such as:
     - Exploit Code Maturity (E): are there public tools or scripts exploiting this flaw?
     - Remediation Level (RL): is a patch or workaround available?
  3. Environmental Score: adapts the score to a specific environment (company or organization). Examples: importance of the affected assets, impact on confidentiality, integrity and availability.

Interpreting CVSS scores

- 0.0 - 3.9: Low: minor risk, less urgent correction.
- 4.0 - 6.9: Medium: moderate risk, needs prompt attention.
- 7.0 - 8.9: High: serious risk, high priority.
- 9.0 - 10.0: Critical: major vulnerability, must be corrected immediately.

How do you know if your system is vulnerable?

CPE: Identifying vulnerable systems

Common Platform Enumeration (CPE) is another standard often associated with CVEs. It provides a uniform method for identifying products, software and systems affected by a vulnerability.

Structure of a CPE

A CPE identifier follows a precise structure, as a kind of unique address for a specific piece of software or hardware:

```
cpe:2.3:part:vendor:product:version:update:edition:language:sw_edition:target_sw:target_hw:other
```

Each section describes a particular aspect of the system:
- Part: the type of item: a for an application, o for an operating system, h for hardware.
- Vendor: the supplier (e.g. Microsoft).
- Product: the product or software concerned (e.g. Windows).
- Version: the vulnerable version (e.g. 10.0.19044).
- Update, Edition, Language and the remaining fields: additional details if required; a field set to * means "any value".

Practical example: for a vulnerability in Apache HTTP Server version 2.4.56, the associated CPE might look like this:

```
cpe:2.3:a:apache:http_server:2.4.56:*:*:*:*:*:*:*
```

The benefits of CPEs

- Precise identification: to determine whether a specific system is vulnerable.
- Automated security audits: scanning tools such as Nmap, Nessus or OpenVAS use CPEs to automatically check whether an infrastructure is exposed to specific CVEs.

Case study: CVE-2019-0708 (BlueKeep)

CVE-2019-0708, nicknamed BlueKeep, is a security vulnerability found in the Remote Desktop Protocol (RDP) service of Microsoft Windows. It is considered extremely dangerous because it can propagate autonomously, in the manner of a computer worm.

- Discovery date: May 2019
- Base CVSS score: 9.8 (Critical)
- Description: the vulnerability allows remote code execution (RCE) without prior authentication, so a remote attacker can take full control of an affected system.

CVSS analysis of CVE-2019-0708

The CVSS 3.1 vector string for this vulnerability is:

```
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
```

This corresponds to: [Screenshot: table decoding each component of the CVSS vector]

Case study: CVE-2019-0708 management in a company

Step 1: Identify vulnerable systems

The IT team audits its systems to identify vulnerable Windows versions. Tools such as Nmap, OpenVAS or Nessus can identify hosts with RDP enabled and unpatched. The corresponding CPEs include:

```
cpe:2.3:o:microsoft:windows_7:*:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_xp:*:*:*:*:*:*:*:*
```
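As an added illustration (not the article's own code, nor that of any scanner), this Python parses CPE 2.3 formatted strings and matches a constructed host inventory against the vulnerable CPEs quoted in the article (the Windows 7/XP entries above and the Apache 2.4.56 example from the CPE section). The name-matching rules are simplified to ANY/NA/exact-or-wildcard comparison.

```python
import fnmatch
import re

FIELDS = ("part", "vendor", "product", "version", "update", "edition",
          "language", "sw_edition", "target_sw", "target_hw", "other")

def parse_cpe(cpe):
    """Split a CPE 2.3 formatted string into {attribute: value}. Colons
    escaped as '\\:' inside a value are kept, so a plain split would break."""
    parts = re.split(r"(?<!\\):", cpe)
    if len(parts) != 13 or parts[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe}")
    return dict(zip(FIELDS, parts[2:]))

def attribute_matches(pattern, value):
    """'*' (ANY) matches everything, '-' (NA) only NA; otherwise compare
    case-insensitively, allowing shell-style wildcards in the pattern."""
    if pattern == "*":
        return True
    if pattern == "-" or value == "-":
        return pattern == value
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())

def cpe_matches(pattern_cpe, host_cpe):
    """True when every attribute of host_cpe is covered by pattern_cpe."""
    pattern, host = parse_cpe(pattern_cpe), parse_cpe(host_cpe)
    return all(attribute_matches(pattern[f], host[f]) for f in FIELDS)

def vulnerable_hosts(inventory, vulnerable_cpes):
    """Names of inventory hosts whose CPE matches any vulnerable CPE."""
    return sorted(name for name, cpe in inventory.items()
                  if any(cpe_matches(v, cpe) for v in vulnerable_cpes))

# Constructed inventory (host -> CPE as a scanner might report it); not real data.
INVENTORY = {
    "ws-finance-03": "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:x64:*",
    "srv-web-01": "cpe:2.3:a:apache:http_server:2.4.56:*:*:*:*:*:*:*",
    "srv-web-02": "cpe:2.3:a:apache:http_server:2.4.58:*:*:*:*:*:*:*",
    "ws-hr-11": "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*",
}
# CPEs taken from the article's examples (BlueKeep hosts and the Apache case).
VULNERABLE = [
    "cpe:2.3:o:microsoft:windows_7:*:*:*:*:*:*:*:*",
    "cpe:2.3:o:microsoft:windows_xp:*:*:*:*:*:*:*:*",
    "cpe:2.3:a:apache:http_server:2.4.56:*:*:*:*:*:*:*",
]
```

`vulnerable_hosts(INVENTORY, VULNERABLE)` returns the Windows 7 workstation and the Apache 2.4.56 server, while the patched Apache host and the Windows 10 workstation are left out.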

Step 2: Prioritization with the Environmental Score

In the company's specific environment:
- Confidentiality: Medium. The systems concerned store moderately sensitive internal data.
- Integrity: None. All data is permanently backed up.
- Availability: High. RDP unavailability would affect the continuity of remote operations for several teams.

Environmentally adjusted score: 7.8 (High)

Step 3: Implement solutions

1. Security patch: Microsoft has released updates for affected systems, even for obsolete versions such as Windows XP. These patches should be applied immediately.
2. Workarounds:
   - Disable RDP on non-essential systems.
   - Set up firewall rules to restrict RDP connections to trusted IP addresses only.
   - Enable NLA (Network Level Authentication) to add a layer of security.
3. Access monitoring and management:
   - Continuously monitor RDP connections via a SIEM solution.
   - Set up a VPN to further secure remote connections.

Step 4: Exploitation response plan

If signs of BlueKeep exploitation are detected (increased RDP connection attempts, abnormal behavior), the company must:
- Immediately isolate infected systems.
- Analyze machine logs to identify the origin of the attack.
- Restore systems from secure backups.
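The RDP monitoring of Step 3 and the "increased RDP connection attempts" trigger of Step 4 can be expressed as a concrete SIEM-style rule. This added Python example (not from the article) runs a sliding-window fan-out detection over constructed firewall log lines; the `timestamp key=value` log format and its field names are assumptions made for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed firewall-style log (not real data); the key=value field names
# are an assumption made for this example.
SAMPLE_LOG = """\
2019-05-20T10:00:01Z src=203.0.113.7 dst=10.0.0.21 dport=3389 action=allow
2019-05-20T10:00:02Z src=203.0.113.7 dst=10.0.0.22 dport=3389 action=allow
2019-05-20T10:00:03Z src=203.0.113.7 dst=10.0.0.23 dport=3389 action=allow
2019-05-20T10:00:04Z src=203.0.113.7 dst=10.0.0.24 dport=3389 action=allow
2019-05-20T10:00:05Z src=203.0.113.7 dst=10.0.0.25 dport=3389 action=allow
2019-05-20T10:00:09Z src=203.0.113.7 dst=10.0.0.26 dport=3389 action=allow
2019-05-20T10:00:30Z src=192.0.2.10 dst=10.0.0.21 dport=443 action=allow
2019-05-20T10:01:00Z src=192.0.2.10 dst=10.0.0.21 dport=3389 action=allow
2019-05-20T10:30:00Z src=192.0.2.10 dst=10.0.0.22 dport=3389 action=allow
"""

def parse_line(line):
    """Turn one 'timestamp key=value ...' line into a dict with a UTC datetime."""
    ts, *pairs = line.split()
    event = dict(pair.split("=", 1) for pair in pairs)
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=timezone.utc)
    return event

def rdp_sweeps(log_text, window_seconds=60, threshold=5):
    """Flag any source that reaches >= threshold distinct RDP (3389) hosts
    within a sliding window: the fan-out a wormable RDP bug would produce.
    Returns {source_ip: time of first alert}."""
    recent = defaultdict(deque)   # src -> (ts, dst) pairs inside the window
    alerts = {}
    for line in log_text.splitlines():
        event = parse_line(line)
        if event.get("dport") != "3389" or event.get("action") != "allow":
            continue
        window = recent[event["src"]]
        window.append((event["ts"], event["dst"]))
        while (event["ts"] - window[0][0]).total_seconds() > window_seconds:
            window.popleft()
        if len({dst for _, dst in window}) >= threshold:
            alerts.setdefault(event["src"], event["ts"])
    return alerts
```

On the sample, 203.0.113.7 is flagged at the fifth distinct RDP target within one minute, while the administrator-like 192.0.2.10, with two connections half an hour apart, is not; in practice the alert would feed the isolation and log-analysis steps above.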

Conclusion: Why are CVEs important?

CVEs are much more than just a number. They bring several key benefits:

1. Facilitate communication: with a CVE, security teams, vendors and researchers can talk about the same vulnerability without confusion. This simplifies the coordination of patches and updates.
2. Rapid risk assessment: each CVE is accompanied by a description and, often, a severity score based on the CVSS (Common Vulnerability Scoring System). This helps companies prioritize which critical vulnerabilities to fix first.
3. Standardize security practices: companies use CVEs as a benchmark to assess their level of security and audit their systems. They can check whether they are affected by known vulnerabilities by scanning their infrastructures.

Cyber risk is the number 1 risk for any company, whatever its size.