Why Track Vulnerabilities?
In the early Internet era, vulnerabilities were often reported informally through mailing lists like Bugtraq or by contacting vendors directly. There was no universal system for naming or tracking flaws. As software grew more complex and widely deployed, this created confusion: the same flaw might be described differently in different reports, and defenders had no consistent way to prioritize fixes.
To solve this, the Common Vulnerabilities and Exposures (CVE) system was launched in 1999 to provide unique identifiers for vulnerabilities. Over time, CVE became part of a larger ecosystem of databases and scoring frameworks, maintained by U.S. and international organizations. Today, these systems form the backbone of how the global security community shares information and organizes defenses.
The main systems developed to rate and track vulnerabilities are:
- CVE: Provides unique identifiers for reported vulnerabilities.
- CVSS: Scores their severity.
- NVD: A U.S. government database that enriches CVEs with standardized data.
- KEV: Lists CVEs known to be actively exploited.
- EPSS: Predicts the likelihood of exploitation.
- LEV: Estimates the probability that a vulnerability has already been exploited, using its EPSS history (a 2025 NIST proposal).
You don’t need to memorize every acronym, but you should recognize that these systems exist. In practice, CVE and CVSS appear most often in news articles and advisories.
Key Organizations
Several organizations coordinate vulnerability reporting and scoring. Students should recognize their roles:
- MITRE Corporation: A nonprofit operator of federally funded research and development centers (FFRDCs). MITRE manages the CVE program and develops the ATT&CK framework, which catalogs adversary techniques.
- NIST (National Institute of Standards and Technology): A U.S. Department of Commerce agency. NIST maintains the National Vulnerability Database (NVD), which enriches CVEs with severity scores, references, and product information.
- CISA (Cybersecurity and Infrastructure Security Agency): A U.S. Department of Homeland Security agency that publishes the Known Exploited Vulnerabilities (KEV) catalog, a list of CVEs confirmed to be actively exploited.
- FIRST (Forum of Incident Response and Security Teams): An international consortium of response teams from governments, corporations, and universities. FIRST owns and maintains the CVSS specification (the scoring formulas that NVD and others apply) and develops the Exploit Prediction Scoring System (EPSS), which estimates the likelihood that vulnerabilities will be exploited.
These organizations provide a shared language for security professionals, ensuring vulnerabilities are consistently named, tracked, and prioritized.
Tracking Vulnerabilities With CVE
The Common Vulnerabilities and Exposures (CVE) system gives every publicly known vulnerability a standard name. Before CVE, two reports might describe the same flaw in different ways, making it hard for defenders to know they were dealing with the same issue. CVE solved this problem by creating a universal identifier.
The program is managed by the MITRE Corporation and sponsored by CISA, part of the U.S. Department of Homeland Security. Each CVE entry is assigned an identifier in the format CVE-[Year]-[Number], where the year is the year the identifier was reserved or published (not necessarily the year the flaw was found) and the number is a sequence of at least four digits with no fixed upper length (CVE-2024-11477 has five).
Example: CVE-2024-11477 identifies a flaw in 7-Zip's Zstandard decompression code that can lead to remote code execution when a crafted archive is opened.
CVE entries provide only the basics: the identifier, a short description, the affected product or vendor, and references to advisories or reports. They do not include a severity score — the goal is simply to give the community a consistent way to talk about the same flaw.
Today, the CVE list contains over 240,000 records and continues to grow. New identifiers are posted regularly at cve.org, where records are also available in a machine-readable JSON format, and announced on @CVEnew.
CVSS: Vulnerability Scoring
If CVEs tell us what the vulnerability is, we still need a way to know how bad it is. That is the role of the Common Vulnerability Scoring System (CVSS).
CVSS produces a 0–10 base score from two groups of metrics: exploitability (how the flaw is reached and how easy it is to trigger) and impact (what happens to confidentiality, integrity, and availability). The base score measures intrinsic severity only; it says nothing about whether anyone is exploiting the flaw or whether the affected software is present in your environment, which is why the catalogs described later exist. A vulnerability rated 9.0 or higher is considered critical and demands immediate attention. The qualitative ratings (CVSS v3.x and v4.0 use the same bands) are:
- 0.1–3.9: Low (a score of exactly 0.0 is rated None)
- 4.0–6.9: Medium
- 7.0–8.9: High
- 9.0–10.0: Critical
For example, the Log4Shell vulnerability (CVE-2021-44228) received a CVSS base score of 10.0 (Critical). It could be exploited over the network and allowed full system compromise, which made it one of the most severe flaws in recent history:
CVE-2021-44228 (Log4Shell)
Base Score: 10.0 (Critical)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector: Network (remote), no privileges or user interaction required
Impact: Full system compromise (scope changed; high confidentiality, integrity, and availability impact)
Historically MITRE did not score vulnerabilities at all; it only manages the identifiers. Under the current CVE record format, a CNA may include its own CVSS score and vector in the record, but many do not, and the score most tools consume is the one NVD assigns later, which can differ from the CNA's.
NVD: Enriching CVEs
The National Vulnerability Database (NVD) was created to go beyond the barebones CVE entries. Security teams needed more than just an ID number; they needed context to assess the seriousness of a vulnerability.
NVD, maintained by NIST, provides that enrichment. It assigns CVSS scores and vectors, attaches standardized product identifiers (CPE names) so tools can match vulnerabilities to installed software, and adds references and weakness (CWE) classifications. In practice, NVD is the source that most vulnerability scanners and security platforms consult when checking systems against known issues. One caveat: enrichment lags publication, sometimes by weeks (NVD built up a large backlog in 2024), so a CVE with no NVD score yet is unscored, not harmless; fall back to the CNA's score or the vendor advisory in the meantime.
Known Exploited Vulnerabilities (KEV)
Not every documented vulnerability is exploited in the real world. Security teams wanted a way to separate background noise from the truly dangerous flaws. That need led to the Known Exploited Vulnerabilities (KEV) catalog.
KEV, maintained by CISA, lists CVEs that meet three criteria: a CVE identifier exists, CISA has reliable evidence of active exploitation in the wild, and a clear remediation action (patch, mitigation, or removal) is available. This makes KEV a high-priority patch list: if a vulnerability is on KEV, attackers are already using it. Under Binding Operational Directive 22-01, U.S. federal civilian agencies must remediate each entry by its due date, and most private organizations treat the list the same way. The catalog is published as JSON and CSV so it can be joined to scanner output automatically. It is a floor, not a ceiling: absence from KEV means no confirmed report reached CISA, not that the flaw is unexploited.
Exploit Prediction Scoring System (EPSS)
Waiting until a vulnerability is already exploited can be too late. To give defenders an early warning system, the Exploit Prediction Scoring System (EPSS) was developed by FIRST.
EPSS uses a model trained on observed exploitation activity contributed by partners (intrusion detection and honeypot telemetry, among other sources) to estimate the probability that a vulnerability will be exploited in the next 30 days. Scores are recomputed daily, so a CVE's EPSS changes over time as new evidence arrives.
A CVE with an EPSS score of 0.90 has an estimated 90% probability that exploitation activity will be observed within the next 30 days. The accompanying percentile ranks the CVE against all other scored CVEs: an 82nd percentile score means it is more likely to be exploited than 82% of them. Since most CVEs have very low EPSS scores, a modest probability can still be a high percentile.
EPSS fills a gap by helping prioritize which vulnerabilities deserve attention before they appear in KEV lists.
The Vulnerability Lifecycle
The vulnerability-tracking ecosystem follows a common pattern, ensuring that all parties use the same terminology and prioritization when handling flaws:
- Discovery – A flaw is identified by a researcher, vendor, or attacker.
- Reporting – The flaw is disclosed, often through coordinated vulnerability disclosure. Vendors are usually notified privately before public release so they can prepare a fix.
- Investigation – The vendor investigates and confirms or disputes the report.
- Assignment – A CVE Numbering Authority (CNA), often the affected vendor itself, assigns a CVE identifier with a description and references. MITRE oversees the program and acts as the CNA of last resort.
- Publication – The CVE is added to MITRE’s public CVE list.
- Scoring and NVD Enrichment – The National Vulnerability Database (NVD) rates the vulnerability's severity with the Common Vulnerability Scoring System (CVSS) and enriches the record with standardized product names (CPE) and references. The CNA may also include its own CVSS score in the CVE record; MITRE itself does not score.
- Mitigation – Vendors issue patches or workarounds, and administrators apply them.
- Exploitation Tracking – Agencies and organizations track whether vulnerabilities are being exploited in the wild. Examples include CISA’s KEV catalog (confirmed exploitation) and FIRST’s EPSS model (predicted exploitation).
Likely Exploited Vulnerabilities (LEV)
EPSS predicts whether a vulnerability will be exploited in the next 30 days, and KEV records only exploitation that someone has confirmed and reported to CISA. Neither answers a different question: has this vulnerability already been exploited at some point? To fill that gap, NIST proposed the Likely Exploited Vulnerabilities (LEV) metric in May 2025 (NIST CSWP 41).
LEV combines a vulnerability's daily EPSS scores since its publication into an estimate of the probability that it has been exploited at least once. Its intended uses are to estimate how many published vulnerabilities have actually been exploited, to gauge how complete exploitation catalogs such as KEV are, and to flag vulnerabilities that are probably exploited but not (yet) listed.
LEV is not an asset-level measure. Whether the affected software is actually deployed, whether it is public-facing or isolated, and what the asset is worth are captured by your own inventory and by the CVSS Environmental metric group, not by LEV. Example: the same flaw has the same LEV on a lab test machine and on a customer database server, but the second is a much higher priority once environmental context is applied.
LEV is still experimental and not yet widely adopted. Students should understand the concept, but not treat it as a standard like CVE or CVSS.
Core Systems for Tracking Vulnerabilities
Taken together, these systems give defenders a structured way to manage risk.
- CVE provides the universal identifiers.
- CVSS offers a standardized measure of severity.
- KEV highlights the subset of vulnerabilities that are already being exploited.
- EPSS predicts which vulnerabilities are likely to be exploited soon.
- LEV estimates which vulnerabilities have probably already been exploited, even if they are not on KEV.
The big picture is that CVE and CVSS provide the foundation, while NVD, KEV, EPSS, and LEV build additional layers of context. This ecosystem ensures that security teams are not only speaking the same language about vulnerabilities but can also make informed decisions about which ones to address first.
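The EPSS section above and this summary both come down to one practical task: join the feeds and decide what to patch first. The following Python is an added example (written for this edit, not tooling from CISA, FIRST, or NIST) that parses a KEV catalog JSON and an EPSS CSV in the same shape as the real feeds, validates identifiers in the CVE-[Year]-[Number] format, and produces a remediation order. The feed contents, the EPSS values, the 0.5 EPSS threshold, and the tiering rules are all constructed for the example; CVE-2099-0001 is a deliberately fictional placeholder standing in for a CVE that NVD has not scored yet.

```python
import csv
import io
import json
import re

# --- Constructed sample feeds (not downloaded). Their shapes mirror the real
# --- CISA KEV JSON and the FIRST EPSS CSV; the EPSS numbers are made up.
KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-2021-44228", "vendorProject": "Apache", "product": "Log4j2",
         "dateAdded": "2021-12-10", "dueDate": "2021-12-24"},
    ],
})
EPSS_CSV = (
    "#model_version:example,score_date:example\n"  # the real file starts with a '#' comment line
    "cve,epss,percentile\n"
    "CVE-2021-44228,0.97000,0.99900\n"
    "CVE-2024-11477,0.05000,0.90000\n"
)
# NVD-style CVSS base scores; None models a CVE that NVD has not enriched yet.
# CVE-2099-0001 is an obviously fictional placeholder, not a real identifier.
NVD_SCORES = {"CVE-2021-44228": 10.0, "CVE-2024-11477": 7.8, "CVE-2099-0001": None}

CVE_ID_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")


def normalize_cve_id(raw: str) -> str:
    """Canonicalise an id ('cve-2021-44228 ' -> 'CVE-2021-44228'); reject malformed ones.
    The sequence part is at least four digits and has no fixed upper length."""
    m = CVE_ID_RE.match(raw.strip().upper())
    if not m:
        raise ValueError(f"malformed CVE id: {raw!r}")
    return m.group(0)


def load_kev(text: str) -> dict:
    """KEV catalog -> {cve: entry}. Membership is the signal; dueDate is useful context."""
    return {normalize_cve_id(v["cveID"]): v for v in json.loads(text)["vulnerabilities"]}


def load_epss(text: str) -> dict:
    """EPSS CSV -> {cve: (probability, percentile)}, skipping the leading '#' comment line."""
    rows = csv.DictReader(line for line in io.StringIO(text) if not line.startswith("#"))
    return {normalize_cve_id(r["cve"]): (float(r["epss"]), float(r["percentile"])) for r in rows}


def triage(cve_ids, kev, epss, nvd_scores, epss_threshold=0.5):
    """Order CVEs for remediation. Tier 1: confirmed exploited (KEV). Tier 2: likely to be
    exploited soon (EPSS >= threshold; 0.5 is an assumed cut-off, tune it). Tier 3: critical by
    CVSS, or not yet scored by NVD (needs a human look rather than silently sinking to the bottom).
    Tier 4: everything else. Within a tier, higher EPSS first."""
    ranked = []
    for cve in (normalize_cve_id(c) for c in cve_ids):
        score = nvd_scores.get(cve)
        prob, _pct = epss.get(cve, (0.0, 0.0))
        if cve in kev:
            tier, why = 1, f"on KEV (due {kev[cve]['dueDate']})"
        elif prob >= epss_threshold:
            tier, why = 2, f"EPSS {prob:.2f} >= {epss_threshold}"
        elif score is None:
            tier, why = 3, "no NVD score yet; review vendor advisory manually"
        elif score >= 9.0:
            tier, why = 3, f"CVSS {score} (Critical)"
        else:
            tier, why = 4, f"CVSS {score}, EPSS {prob:.2f}"
        ranked.append((cve, tier, why, prob))
    ranked.sort(key=lambda r: (r[1], -r[3]))
    return [(cve, tier, why) for cve, tier, why, _ in ranked]


if __name__ == "__main__":
    kev, epss = load_kev(KEV_JSON), load_epss(EPSS_CSV)
    for cve, tier, why in triage(NVD_SCORES, kev, epss, NVD_SCORES):
        print(f"P{tier}  {cve:<16} {why}")
```

Swap the constructed strings for the real files (the KEV JSON published on cisa.gov and the daily EPSS CSV, or the api.first.org/data/v1/epss endpoint) and the rest is unchanged. The design point to keep is that a CVE with no NVD score is escalated for review rather than sorted to the bottom: in the sample run the unscored placeholder outranks the 7.8-rated 7-Zip flaw, because "unscored" and "low severity" are not the same thing.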
Naming and Attribution of Attackers
When you read cybersecurity news, you will often see names attached to groups of attackers, such as Salt Typhoon, APT-36, or Imperial Kitten:
- “Chinese state-backed hackers known as Salt Typhoon allegedly targeted Charter Communications, Consolidated Communications, and Windstream.”
- “APT-36 Uses New TTPs and New Tools to Target Indian Governmental Organizations.”
- “Iranian Imperial Kitten hackers targeted Israeli organizations in October.”
These are not names chosen by the attackers themselves. They are labels created by cybersecurity companies or government agencies to make sense of repeated activity. Threat hunters examine evidence across different incidents and group together operations they believe are carried out by the same adversary.
Advanced Persistent Threats (APTs)
Many of these groups are called Advanced Persistent Threats (APTs). The term captures three defining qualities:
- Advanced: They use sophisticated tools, including custom malware and zero-day exploits.
- Persistent: They maintain access for months or years, often remaining undetected.
- Threat: They have the capability to bypass defenses and achieve high-value objectives.
Well-known examples include China’s APT41, Russia’s Fancy Bear, and North Korea’s Lazarus Group. Each has been tied to espionage, sabotage, or large-scale theft.
Why Attribution Is Difficult
Attributing attacks to a specific group is one of the hardest challenges in cybersecurity. Attackers rarely leave obvious signatures and often go to great lengths to hide their origins:
- They reuse publicly available tools or exploits taken from other actors, so the tooling recovered in forensics is a weak signal of who was behind it.
- They launch operations through compromised infrastructure such as cloud servers or infected home computers.
- They may plant false indicators, known as “false flags,” to deliberately mislead investigators.
Because of these tactics, analysts may disagree about which group is responsible for a given incident. Even within one company, campaigns might be tracked separately at first and only later merged once connections are discovered.
Naming Conventions
Unlike vulnerabilities, which use standardized identifiers like CVEs, there is no universal naming system for attackers. Each cybersecurity company has developed its own conventions:
- Mandiant (formerly part of FireEye, now part of Google Cloud): Uses sequential APT numbers (APT1, APT29, etc.). For example, APT1 was linked to China’s PLA Unit 61398, and APT29 is linked to Russia’s Foreign Intelligence Service.
- CrowdStrike: Assigns animal names by the adversary's country of origin:
  - Panda denotes Chinese groups (Deep Panda, Gothic Panda)
  - Bear refers to Russian groups (Fancy Bear, Cozy Bear)
  - Kitten indicates Iranian groups (Charming Kitten, Imperial Kitten)
  - Tiger has been used for Indian groups (Quilted Tiger)
- Microsoft: Uses weather terms tied to countries or motivations:
  - Typhoon: China
  - Blizzard: Russia
  - Sandstorm: Iran
  - Sleet: North Korea
  - Cyclone: Vietnam
  - Tempest: Financially motivated groups
  - Storm: Groups still "in development," not yet attributed
  - Examples: Salt Typhoon, Midnight Blizzard.
- Other names sometimes emerge independently:
  - The Lazarus Group is a North Korean team famous for the 2014 Sony Pictures hack.
  - The Equation Group is believed to be tied to the U.S. National Security Agency.
  - Buckeye, Symantec's name for the Chinese group also tracked as APT3 and Gothic Panda, was found using Equation Group tooling before that tooling was publicly leaked, a case that shows how tool reuse muddies attribution.
  - Numeric placeholders are also common, such as Mandiant's UNC2452 (later merged into APT29) or SecureWorks' Threat Group-3390 (TG-3390). They serve as temporary identifiers until more evidence allows analysts to link the activity to a known group.
This fragmented system means that the same adversary may be known by multiple names. The group responsible for the 2020 SolarWinds supply chain attack, for instance, is tracked as APT29 (Mandiant), Cozy Bear (CrowdStrike), and Midnight Blizzard (Microsoft).
Attempts at Coordination
Recognizing the confusion caused by multiple naming systems, Microsoft and CrowdStrike announced in June 2025 that they would collaborate to cross-reference group names. While this does not create a universal naming standard, it helps analysts map which labels from different vendors refer to the same actor. The long-term hope is that efforts like this will eventually lead to more consistency.
Focusing on Behavior: TTPs
For students, the most important takeaway is that names are inconsistent. Different articles may use different labels for the same group, depending on which company’s report they reference.
What matters more than the label is the adversary’s Tactics, Techniques, and Procedures (TTPs). These describe how attackers operate:
- Tactics: Broad objectives, such as gaining initial access or stealing data.
- Techniques: General methods used to achieve those objectives, such as spear phishing or credential dumping.
- Procedures: Specific implementations, such as a malware family, exploit kit, or command-and-control infrastructure.
TTPs provide a more reliable way to understand adversaries because behaviors tend to remain consistent, even when names differ. When reading reports, focus on what the attackers did rather than what they were called.