CVE � Common Vulnerabilities and Exposures
CVE (Common Vulnerabilities and Exposures) is a globally recognized system for identifying and naming cybersecurity vulnerabilities. Each vulnerability receives a unique CVE-ID (e.g., CVE-2024-3094) that allows security teams, manufacturers, and regulators to unambiguously reference the same vulnerability. Under the EU Cyber Resilience Act, CVE monitoring is essential for meeting the 24-hour vulnerability reporting obligation to ENISA.
Key Facts
| Detail | Information |
|---|---|
| Full name | Common Vulnerabilities and Exposures |
| Maintained by | MITRE Corporation (U.S., funded by CISA) |
| ID format | CVE-YYYY-NNNNN (year + sequential number) |
| Total CVEs published | ~240,000+ (as of early 2026) |
| New CVEs per year | ~25,000�30,000 (accelerating) |
| Public database | cve.org |
| Enrichment database | NVD (National Vulnerability Database) � adds CVSS scores, CPE matches |
| EU equivalent | ENISA maintains EU Vulnerability Database (mandated by NIS2) |
How CVEs Work
Lifecycle of a Vulnerability
+----------------------------------------------------+
� 1. DISCOVERY �
� Researcher / vendor / attacker finds vulnerability �
+----------------------------------------------------+
?
+----------------------------------------------------+
� 2. CVE ASSIGNMENT �
� CNA (CVE Numbering Authority) assigns CVE-ID �
� Reserved but not yet public �
+----------------------------------------------------+
?
+----------------------------------------------------+
� 3. PUBLICATION �
� CVE record published on cve.org �
� Includes: description, references, affected products�
+----------------------------------------------------+
?
+----------------------------------------------------+
� 4. NVD ENRICHMENT �
� NVD adds: CVSS score, CPE matches, CWE category �
� Appears in automated scanning tools �
+----------------------------------------------------+
?
+----------------------------------------------------+
� 5. REMEDIATION �
� Vendor releases patch / firmware update via OTA �
� Product SBOM updated to reflect fixed versions �
+-----------------------------------------------------+CVSS Severity Scoring
Each CVE receives a CVSS (Common Vulnerability Scoring System) score indicating severity:
| CVSS Score | Severity | Example Impact |
|---|---|---|
| 9.0�10.0 | Critical | Remote code execution, complete device takeover |
| 7.0�8.9 | High | Privilege escalation, authentication bypass |
| 4.0�6.9 | Medium | Information disclosure, denial of service |
| 0.1�3.9 | Low | Minor information leak, theoretical exploit |
Why CVEs Matter for Hardware Manufacturers
CRA Vulnerability Reporting
The CRA creates a direct link between CVE monitoring and legal obligations:
| CRA Requirement | CVE Connection |
|---|---|
| 24-hour ENISA notification | Triggered when a CVE affecting your product is actively exploited |
| No known vulnerabilities at shipment | All CVEs matching your SBOM components must be patched before market placement |
| 5-year vulnerability management | CVE monitoring must continue for the product’s entire support lifetime |
| OTA updates | CVE-triggered patches must be delivered to deployed devices |
The SBOM�CVE Connection
Your product’s SBOM is the key to automated CVE monitoring:
| SBOM Component | CVE Risk Example |
|---|---|
| FreeRTOS 10.4.3 | CVE-2021-31571 � buffer overflow in TCP/IP stack |
| mbedTLS 2.28.0 | CVE-2023-43615 � certificate validation bypass |
| lwIP 2.1.3 | CVE-2023-36321 � denial of service via malformed packet |
| U-Boot 2023.04 | CVE-2024-xxxxx � secure boot bypass via crafted image |
| Linux kernel 5.15 | Hundreds of CVEs per year � continuous monitoring essential |
The automated pipeline: SBOM ? CPE matching ? CVE database lookup ? severity filtering ? ENISA report generation ? OTA patch deployment. This is what our SBOM Monitoring Service provides.
CVE Monitoring for Embedded Products
Challenges Specific to Embedded/IoT
| Challenge | Description |
|---|---|
| Long deployment cycles | IoT devices deployed for 10�15 years; CVEs accumulate over time |
| Constrained resources | Devices may lack bandwidth/storage for frequent patches |
| Component lag | Embedded vendors often use older versions of open-source components |
| Custom BSP | Board Support Packages from silicon vendors may contain untracked components |
| Nested dependencies | Transitive dependencies (deps of deps) are often not in the SBOM |
| No centralized updater | Unlike mobile OS, each manufacturer manages their own update pipeline |
Recommended Monitoring Workflow
- Generate SBOM at build time (SPDX or CycloneDX format).
- Map components to CPE identifiers for NVD database matching.
- Continuous CVE scanning � automated daily or real-time checks against NVD/EPSS feeds.
- Risk-based triage � prioritize by CVSS score � EPSS (Exploit Prediction Scoring System) � product exposure.
- Patch or mitigate � deliver fixes via OTA update or publish mitigation guidance.
- Report to ENISA � if actively exploited, trigger 24h/72h/14d reporting workflow.
Related Terms
- SBOM � The component inventory that enables automated CVE matching.
- ENISA � The EU agency that receives vulnerability reports triggered by CVEs.
- CRA � The regulation mandating CVE monitoring and vulnerability management.
- OTA Update � The delivery mechanism for CVE-triggered security patches.
Official References
- CVE Program � MITRE Corporation � MITRE (CVE database and numbering authority)
- National Vulnerability Database (NVD) � NIST (enriched CVE data with CVSS scores)