Understanding CVE Ranking and the Top CVEs

CVE stands for Common Vulnerabilities and Exposures.  The CVE program is a reference list providing an id number, description, and instance of known vulnerabilities. The system has become the standard method for classifying vulnerabilities, used by the U.S. National Vulnerability Database (NVD) and other databases around the globe. There are currently over 199,000 CVE records available in the NVD, with thousands of new vulnerabilities reported and cataloged each year. With so many vulnerabilities out in the wild, how do you know which ones will truly endanger your organization? In this blog, we’ll explore different ways of determining how serious a threat a CVE may pose, the challenge of determining a definitive ranking system, and how to find dangerous vulnerabilities that exist in your own infrastructure.

Rating Risk of CVEs by Potential Impact

The first way that a vulnerability can be assessed is by determining how much damage would be plausible if an attacker exploited it. CVEs are given a rating using the Common Vulnerability Scoring System (CVSS). The base score is composed of six metrics which can be used to calculate a severity score of 0-10. These metrics are:

• Access vector – The way in which a vulnerability can be exploited (e.g., locally or remotely)
• Attack complexity – How difficult a vulnerability is to exploit
• Authentication – How many times an attacker has to use authentication credentials to exploit the vulnerability
• Confidentiality – How much sensitive data an attacker can access after exploiting the vulnerability
• Integrity – How much and how many files can be modified as a result of exploiting the vulnerability
• Availability – How much damage exploiting the vulnerability does to the target system (e.g. reduced performance/functionality)

Vulnerabilities on the lowest end of the spectrum typically have a minimal risk of impacting the system. On the high end of the spectrum, the risk is deemed to be much larger for a variety of reasons. For example, some vulnerabilities may allow an attacker to escalate their privileges, enabling them to gain access to sensitive data. A CVSS base score can optionally be modified by temporal metrics which account for changes over a vulnerability’s lifecycle, like if a patch is created.

There are two significant limitations to CVSS scoring. First, a list of critical CVEs hardly narrows things down, these days. For January 2023 alone, there were already over 25 new CVEs with ratings of nine or above. Additionally, while CVSS scores are a good place to start, they are not necessarily definitive. The most common criticism of CVSS scores is that they lack context. For example, a CVE with a severe rating that can only be exploited with direct access to the machine, is not going to be an issue if physical access to it is highly controlled, like being in a server room with very limited access. While environmental metrics can be used to adjust a rating based on an infrastructure’s security controls, such metrics are specific to each organization, and are up to them to calculate. Without an effective risk-based vulnerability management program, this would be an endeavor that’s too time consuming to undertake.

Ranking Severity by Number of Exploitations

When you see lists of “most dangerous CVEs,” the metric they tend to be using is not a CVSS score, but rather how commonly a CVE has been exploited. In fact, the Cybersecurity and Infrastructure Security Agency (CISA) now maintains a Known Exploited Vulnerabilities (KEV) catalog. This catalog only contains vulnerabilities that have been actively exploited—it does not include vulnerabilities uncovered in malicious scans or Proof of Concepts for how it may be exploited.

However, the KEV catalog currently contains over 800 entries, so further analysis is needed to determine which ones are the most commonly exploited. A top 15 list is now created annually as a joint task between cybersecurity agencies in the US, Australia, Canada, New Zealand, and the UK. This list is perhaps the best general list of dangerous exploitations. The 2021 list includes the following CVEs:

• CVE-2021-34523 - Microsoft Exchange Server Privilege Escalation Vulnerability
• CVE-2021-40539 - Zoho Corp. ManageEngine ADSelfService Plus Version 6113 and Earlier Authentication Bypass
• CVE-2021-34473 - Microsoft Exchange Server Remote Code Execution Vulnerability
• CVE-2021-31207 - Microsoft Exchange Server Security Feature Bypass Vulnerability
• CVE-2021-27065 - Microsoft OWA Exchange Control Panel (ECP) Exploit Chain
• CVE-2021-26858 - Microsoft OWA Exchange Control Panel (ECP) Exploit Chain
• CVE-2021-44228 - Apache Log4j2 Remote Code Execution Vulnerability
• CVE-2021-26857 -Microsoft Unified Messaging Deserialization Vulnerability
• CVE-2021-26855 - Microsoft OWA Exchange Control Panel (ECP) Exploit Chain
• CVE-2021-26084 - Atlassian Confluence Server Arbitrary Code Execution
• CVE-2021-21972 - VMware vCenter Server Remote Code Execution Vulnerability
• CVE-2020-1472 - NetLogon Privilege Escalation Vulnerability
• CVE-2020-0688 - Microsoft Exchange Server Key Validation Vulnerability
• CVE-2019-11510 - Pulse Connect Secure VPN Arbitrary File Reading Vulnerability
• CVE-2018-13379 - Fortinet FortiOS SSL VPN credential exposure vulnerability

It’s worth noting that several of these CVEs were on the 2020 list, despite having patches available. This demonstrates the need for investment in developing and maturing vulnerability management programs, which help ensure both timely discovery and remediation.  

Finding The Top CVEs In Your Environment

While it’s important to stay vigilant about which CVEs are causing issues on a broad scale, it’s even more critical to have constant visibility into what puts your own environment at risk. The best way to begin assessing your security is with a risk-based Vulnerability Management Solution that scans your environment for vulnerabilities and provides a prioritized list to begin remediation processes. The most effective solutions, like Fortra VM (formerly Frontline VM), don’t just use CVSS rating for determining risk level, but instead combine these baseline scores with up-to-date external intelligence to create an aggregate score that better illustrates the likelihood of exploitability.

To provide further context to these scores, vulnerability management programs should also incorporate penetration testing solutions that can uncover the potential attack path that an exploitation could create. Automated tools like Core Impact integrate with and validate vulnerability scans, further prioritizing what to focus remediation efforts on. Ultimately, when it comes to top CVEs, the most important list is the one tailor-made for your organization’s unique infrastructure.