What is a CVE?
CVE stands for Common Vulnerabilities and Exposures. It is an international system for identifying and naming known security vulnerabilities in software, hardware and firmware. Each CVE is assigned a unique identifier such as CVE-2024-12345 and contains information about the nature of the vulnerability and often its severity.
Why are CVEs important?
CVEs help organisations to:
- Quickly identify whether they are running vulnerable systems
- Prioritise updates and patches
- Enable automatic detection and risk analysis
- Maintain consistent terminology when discussing vulnerabilities
Example of a CVE
CVE-2021-44228 ("Log4Shell")
A severe vulnerability in the Apache Log4j logging library. Attackers were able to achieve remote code execution (RCE) using a simple crafted string. Impact: extremely high; it was exploited globally across many systems.
What does a CVE record contain?
A CVE record typically contains:
- The ID number (e.g. CVE-2023-45678)
- A description of the vulnerability
- The affected products or versions
- The publication date
- (Often) a reference to a CVSS score (severity assessment)
CVE & CVSS
The CVSS (Common Vulnerability Scoring System) score indicates how severe a vulnerability is on a scale of 0 to 10:
| Score | Impact level |
|---|---|
| 0.0 – 3.9 | Low |
| 4.0 – 6.9 | Medium |
| 7.0 – 8.9 | High |
| 9.0 – 10.0 | Critical |
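The following is an added example, not part of the original page, that ties the three points above together in working code: validating the CVE identifier format (CVE-year-sequence, with a sequence of at least four digits), reading the fields a record typically carries (ID, description, affected product and versions, publication date, CVSS base score), mapping the base score to the severity bands in the table, and ranking an asset inventory so that the patch order is explicit. The record layout, product names, version ranges and all three CVE IDs are constructed for illustration and are not real advisories or the official CVE JSON schema. Note that the CVSS v3.x specification additionally labels a score of exactly 0.0 as "None"; the code follows the page's table and treats it as Low.

```python
"""Added example: validate CVE IDs, read simplified CVE records, map CVSS base
scores to the severity bands in the table above, and rank an asset inventory.
The record shape and every value below are constructed for illustration; they
are not the official CVE JSON schema and not real advisories."""
import re
from dataclasses import dataclass

# A CVE ID is "CVE-<year>-<sequence>"; the sequence has at least four digits
# and may be longer (e.g. CVE-2021-44228 on this page).
CVE_ID_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")


def parse_cve_id(cve_id: str) -> tuple[int, int]:
    """Return (year, sequence) or raise ValueError for a malformed ID."""
    m = CVE_ID_RE.match(cve_id.strip().upper())
    if not m:
        raise ValueError(f"not a valid CVE identifier: {cve_id!r}")
    return int(m.group(1)), int(m.group(2))


def cvss_rating(score: float) -> str:
    """Map a CVSS base score to the qualitative band from the table above.
    (CVSS v3.x additionally labels exactly 0.0 as 'None'; the table does not.)"""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


def version_tuple(v: str) -> tuple[int, ...]:
    """Turn '2.14.1' into (2, 14, 1) for ordered comparison (numeric parts only)."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


@dataclass
class CveRecord:
    """Simplified, constructed record shape carrying the fields listed above."""
    cve_id: str
    description: str
    product: str
    affected_from: str   # first affected version, inclusive
    fixed_in: str        # first fixed version, exclusive
    published: str       # publication date, ISO 8601
    cvss_base: float     # CVSS base score, 0.0 to 10.0


def is_affected(record: CveRecord, product: str, installed_version: str) -> bool:
    """True when the installed version lies in [affected_from, fixed_in)."""
    if product != record.product:
        return False
    v = version_tuple(installed_version)
    return version_tuple(record.affected_from) <= v < version_tuple(record.fixed_in)


def prioritise(records, inventory):
    """Return (cve_id, product, version, score, rating) for every inventory
    entry hit by a record, highest CVSS base score first."""
    hits = []
    for rec in records:
        parse_cve_id(rec.cve_id)  # reject malformed IDs before doing any matching
        for product, version in inventory:
            if is_affected(rec, product, version):
                hits.append((rec.cve_id, product, version,
                             rec.cvss_base, cvss_rating(rec.cvss_base)))
    return sorted(hits, key=lambda h: h[3], reverse=True)


# Constructed sample data: hypothetical products, versions and IDs, not real CVEs.
SAMPLE_RECORDS = [
    CveRecord("CVE-2099-0001", "Constructed: unauthenticated RCE in ExampleHMI",
              "ExampleHMI", "3.0.0", "3.2.5", "2099-01-01", 9.8),
    CveRecord("CVE-2099-0002", "Constructed: information leak in ExampleGateway",
              "ExampleGateway", "1.0", "1.4", "2099-01-02", 5.3),
    CveRecord("CVE-2099-0003", "Constructed: denial of service in ExampleHistorian",
              "ExampleHistorian", "7.0", "7.1", "2099-01-03", 7.5),
]
# The gateway already runs the first fixed version, so it should not be listed.
SAMPLE_INVENTORY = [("ExampleHMI", "3.1.2"), ("ExampleGateway", "1.4"),
                    ("ExampleHistorian", "7.0.9")]

if __name__ == "__main__":
    for hit in prioritise(SAMPLE_RECORDS, SAMPLE_INVENTORY):
        print(hit)
```

Running the block lists the HMI first (9.8, Critical) and the historian second (7.5, High); the gateway is omitted because version 1.4 is the first fixed release and so falls outside the affected range.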
CVEs in an OT context
In industrial environments, CVEs are particularly important for:
- PLCs, SCADA systems and industrial gateways
- Network components such as routers, switches and firewalls
- Software such as MES, HMI and historians
- Risk-driven approaches under IEC 62443 or CSIR
For vulnerabilities in industrial devices, CVEs are typically issued by vendors or by ICS-CERT.
In summary
A CVE is a unique identifier for a known vulnerability that helps organisations respond quickly to security risks. It is an essential tool for patch management, risk management and information security, including in OT environments.
