Understanding CVE Ranking and the Top CVEs

CVE stands for Common Vulnerabilities and Exposures. The CVE program maintains a reference list of publicly known vulnerabilities, giving each one an identifier (CVE-YYYY-NNNNN), a short description, and at least one public reference. CVE IDs have become the standard way of identifying vulnerabilities, used by the U.S. National Vulnerability Database (NVD), which adds severity scores to each record, and by vendor advisories and vulnerability databases around the globe. At the time of writing there are over 199,000 CVE records in the NVD, with thousands more reported and cataloged each year. With so many vulnerabilities out in the wild, how do you know which ones truly endanger your organization? In this blog, we’ll explore different ways of determining how serious a threat a CVE may pose, why no single ranking is definitive, and how to find the dangerous vulnerabilities that exist in your own infrastructure.

Rating Risk of CVEs by Potential Impact

The first way to assess a vulnerability is by how much damage an attacker could plausibly do by exploiting it. CVEs are scored with the Common Vulnerability Scoring System (CVSS), which yields a base severity score from 0 to 10. The six base metrics listed below are those of CVSS v2; CVSS v3.x, which the NVD uses for current records, keeps the same structure but replaces Authentication with Privileges Required, renames Access Vector to Attack Vector, and adds User Interaction and Scope. The v2 metrics are:

  • Access vector – from where the vulnerability can be exploited (locally, from an adjacent network, or remotely over the network)
  • Access complexity – how hard the conditions needed to exploit it are to meet once the attacker can reach it
  • Authentication – how many times an attacker must authenticate to reach the vulnerable component (none, once, or more than once)
  • Confidentiality – how much sensitive data an attacker can read after exploiting the vulnerability
  • Integrity – how much data the attacker can modify as a result: files, but also configuration, code, and in-memory state
  • Availability – how much exploitation degrades or denies the target’s service (e.g., reduced performance or functionality, or a full outage)

Vulnerabilities at the low end of the scale typically pose minimal risk to the system. At the high end the risk is much larger, for a variety of reasons; for example, a vulnerability may let an attacker escalate privileges and from there reach sensitive data. A CVSS base score can optionally be adjusted by temporal metrics, which track changes over a vulnerability’s lifecycle, such as public exploit code appearing or a patch being released.

There are two significant limitations to CVSS scoring. First, a list of critical CVEs hardly narrows things down these days: for January 2023 alone there were already over 25 new CVEs rated nine or above. Second, while CVSS scores are a good place to start, they are not definitive. The most common criticism is that they lack context. A severely rated CVE that can only be exploited with direct access to the machine is not going to be an issue if physical access to it is tightly controlled, as in a server room with very limited entry. CVSS does provide environmental metrics for adjusting a rating to an organization’s own security controls and asset values, but those metrics are specific to each environment and must be worked out by the organization itself. Without a risk-based vulnerability management program to automate it, doing that across thousands of findings is too time consuming to undertake.

Ranking Severity by Number of Exploitations

When you see lists of “most dangerous CVEs,” the metric they tend to use is not the CVSS score but how commonly a CVE has actually been exploited. The Cybersecurity and Infrastructure Security Agency (CISA) now maintains a Known Exploited Vulnerabilities (KEV) catalog for exactly this purpose. A vulnerability is added only when it has a CVE ID, CISA has reliable evidence of active exploitation in the wild, and there is a clear remediation action; vulnerabilities that are merely being scanned for, or that only have a public proof of concept, are not included.

However, the KEV catalog currently contains over 800 entries, so further analysis is needed to determine which ones are the most commonly exploited. A top 15 list is now published annually as a joint advisory by the cybersecurity agencies of the US, Australia, Canada, New Zealand, and the UK. It is perhaps the best general list of dangerous, actively exploited CVEs. The 2021 list (joint advisory AA22-117A) includes the following CVEs:

  • CVE-2021-34523 - Microsoft Exchange Server Privilege Escalation Vulnerability (ProxyShell chain)
  • CVE-2021-40539 - Zoho Corp. ManageEngine ADSelfService Plus Authentication Bypass (version 6113 and earlier)
  • CVE-2021-34473 - Microsoft Exchange Server Remote Code Execution Vulnerability (ProxyShell chain)
  • CVE-2021-31207 - Microsoft Exchange Server Security Feature Bypass Vulnerability (ProxyShell chain)
  • CVE-2021-27065 - Microsoft OWA Exchange Control Panel (ECP) Exploit Chain (ProxyLogon chain)
  • CVE-2021-26858 - Microsoft OWA Exchange Control Panel (ECP) Exploit Chain (ProxyLogon chain)
  • CVE-2021-44228 - Apache Log4j2 Remote Code Execution Vulnerability (Log4Shell)
  • CVE-2021-26857 - Microsoft Exchange Unified Messaging Deserialization Vulnerability (ProxyLogon chain)
  • CVE-2021-26855 - Microsoft OWA Exchange Control Panel (ECP) Exploit Chain (ProxyLogon chain)
  • CVE-2021-26084 - Atlassian Confluence Server Arbitrary Code Execution
  • CVE-2021-21972 - VMware vCenter Server Remote Code Execution Vulnerability
  • CVE-2020-1472 - Microsoft Netlogon Privilege Escalation Vulnerability (Zerologon)
  • CVE-2020-0688 - Microsoft Exchange Server Key Validation Vulnerability
  • CVE-2019-11510 - Pulse Connect Secure VPN Arbitrary File Reading Vulnerability
  • CVE-2018-13379 - Fortinet FortiOS SSL VPN Credential Exposure Vulnerability

It’s worth noting that three of these CVEs (CVE-2020-1472, CVE-2019-11510, and CVE-2018-13379) were also on the 2020 list, despite patches having been available for a year or more. This demonstrates the need to invest in developing and maturing vulnerability management programs, which help ensure both timely discovery and remediation.

Finding The Top CVEs In Your Environment

While it’s important to stay vigilant about which CVEs are causing issues on a broad scale, it’s even more critical to have constant visibility into what puts your own environment at risk. The best way to begin assessing your security is with a risk-based vulnerability management solution that scans your environment and produces a prioritized list to drive remediation. The most effective solutions, like Frontline VM, don’t rely on the CVSS rating alone to determine risk; they combine the base score with up-to-date external intelligence, such as evidence of active exploitation, into an aggregate score that better reflects the likelihood that a given vulnerability will actually be exploited.

To provide further context to these scores, vulnerability management programs should also incorporate penetration testing solutions that can uncover the attack path an exploit would open. Automated tools like Core Impact integrate with and validate vulnerability scans, further prioritizing where to focus remediation efforts. Ultimately, when it comes to top CVEs, the most important list is the one tailor-made for your organization’s unique infrastructure.
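As an added example (not code from the original post or from any Fortra product), the following script does the cross-referencing that the KEV section and this section describe: it joins a scanner’s findings against a KEV feed and orders them so that confirmed exploitation, and past-due KEV remediation dates, outrank a bare CVSS number. The KEV excerpt and the scan export are constructed inline. The KEV field names (cveID, vulnerabilityName, dateAdded, dueDate) match CISA’s published JSON feed, but the dates and the CVSS values are illustrative, and CVE-0000-0001 and CVE-0000-0002 are placeholders, not real CVEs.

```python
"""Rank vulnerability-scan findings by exploitation evidence first, CVSS second.

Added example, not code from the original post or from any Fortra product.
Joins scanner findings against a CISA KEV feed so that CVEs with confirmed
in-the-wild exploitation (and past-due KEV due dates) sort ahead of findings
that merely carry a high CVSS score.
"""
import json
from datetime import date

# Constructed excerpt in the shape of CISA's KEV JSON feed
# (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# Field names follow the real feed; the dates here are illustrative, not CISA's.
KEV_JSON = """{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "count": 3,
  "vulnerabilities": [
    {"cveID": "CVE-2021-44228", "vendorProject": "Apache", "product": "Log4j2",
     "vulnerabilityName": "Apache Log4j2 Remote Code Execution Vulnerability",
     "dateAdded": "2021-12-10", "dueDate": "2021-12-24"},
    {"cveID": "CVE-2020-1472", "vendorProject": "Microsoft", "product": "Netlogon",
     "vulnerabilityName": "Microsoft Netlogon Privilege Escalation Vulnerability",
     "dateAdded": "2021-11-03", "dueDate": "2022-05-03"},
    {"cveID": "CVE-2018-13379", "vendorProject": "Fortinet", "product": "FortiOS",
     "vulnerabilityName": "Fortinet FortiOS SSL VPN Credential Exposure Vulnerability",
     "dateAdded": "2021-11-03", "dueDate": "2022-05-03"}
  ]
}"""

# Constructed scanner export. CVSS values are illustrative scanner output, not
# NVD's; CVE-0000-0001 and CVE-0000-0002 are placeholders for findings that
# are not in KEV (the 9.8 on db-02 is there to show CVSS alone would misrank it).
FINDINGS = [
    {"host": "web-01", "cve": "CVE-2021-44228", "cvss": 10.0},
    {"host": "dc-01", "cve": "CVE-2020-1472", "cvss": 5.5},
    {"host": "db-02", "cve": "CVE-0000-0001", "cvss": 9.8},
    {"host": "vpn-01", "cve": "CVE-2018-13379", "cvss": 9.8},
    {"host": "app-03", "cve": "CVE-0000-0002", "cvss": 4.3},
]


def load_kev(feed_text):
    """Index a KEV feed by CVE ID for constant-time lookups."""
    feed = json.loads(feed_text)
    return {entry["cveID"]: entry for entry in feed["vulnerabilities"]}


def tier(in_kev, overdue):
    """Human-readable remediation tier for a finding."""
    if overdue:
        return "KEV, past due date"
    if in_kev:
        return "KEV"
    return "not in KEV"


def prioritize(findings, kev, today):
    """Order findings for remediation: past-due KEV entries first, then other
    KEV entries, then everything else, each group by CVSS descending.

    `today` may be a datetime.date or an ISO date string (YYYY-MM-DD)."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    ranked = []
    for finding in findings:
        entry = kev.get(finding["cve"])
        in_kev = entry is not None
        overdue = in_kev and date.fromisoformat(entry["dueDate"]) < today
        ranked.append({
            **finding,
            "in_kev": in_kev,
            "overdue": overdue,
            "tier": tier(in_kev, overdue),
            "kev_name": entry["vulnerabilityName"] if in_kev else None,
        })
    # False sorts before True, so negate the flags that should come first.
    ranked.sort(key=lambda r: (not r["overdue"], not r["in_kev"], -r["cvss"]))
    return ranked


if __name__ == "__main__":
    for row in prioritize(FINDINGS, load_kev(KEV_JSON), date.today()):
        print(f'{row["host"]:7} {row["cve"]:15} CVSS {row["cvss"]:4.1f}  {row["tier"]}')
```

Run as written, the table puts CVE-2020-1472 with a reported 5.5 ahead of the 9.8 on db-02 that has no exploitation evidence, which is the point: a known-exploited vulnerability is a stronger signal than severity alone. In practice you would download the live KEV feed and pass in your scanner’s real export in place of the inline samples, and add further intelligence sources (exploit availability, asset criticality) as extra sort keys in the same way.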

Copyright © Fortra, LLC and its group of companies. All trademarks and registered trademarks are the property of their respective owners.