Skip to content
Home
Vulnerability Management: CVE, CVSS, and Remediation

Vulnerability Management: CVE, CVSS, and Remediation

Security Security 8 min read 1571 words Beginner ExcellentWiki Editorial Team

Vulnerability management is the continuous process of identifying, classifying, prioritizing, and remediating security vulnerabilities across an organization’s infrastructure. The 2025 Qualys Threat Research Report found that the average enterprise has over 260,000 vulnerabilities across its attack surface, with 12% classified as critical or high severity. Without a systematic program, security teams drown in noise while critical vulnerabilities remain unpatched. This guide covers the complete vulnerability management lifecycle — CVE databases, CVSS scoring, scanning, prioritization, patch management, and reporting.

The Vulnerability Management Lifecycle

NIST SP 800-40 Rev. 4 defines the vulnerability management process as a continuous cycle: identify vulnerabilities, evaluate and prioritize, remediate or mitigate, and verify effectiveness. The cycle operates at different cadences: daily for critical severity, weekly for high, and monthly for medium/low.

Asset Discovery and Inventory

You cannot patch what you do not know exists. Asset discovery — agent-based (CrowdStrike, Defender) or agentless (Nmap, Shodan, Tenable) — identifies every device, VM, container, serverless function, and cloud resource. CMDB integration ensures assets are tagged with owner, environment, and criticality. The 2025 Gartner Market Guide for Vulnerability Assessment notes that organizations with automated asset discovery remediate vulnerabilities 3.1x faster than those relying on manual inventories.

CVE Database and CVE Numbering

The Common Vulnerabilities and Exposures (CVE) system provides unique identifiers for publicly disclosed vulnerabilities.

CVE Structure

A CVE ID follows the format CVE-YYYY-NNNNN (e.g., CVE-2024-3094 for the XZ Utils backdoor). Each entry contains: CVE ID, description, CVSS score, affected software versions, and references (patch links, advisories, exploit PoC links). The MITRE Corporation manages the CVE program, with CVE Numbering Authorities (CNAs) — currently 300+ organizations including Microsoft, Google, Red Hat, and AWS — assigning CVE IDs for their products.

CVE vs CWE

While CVE identifies specific instances, the Common Weakness Enumeration (CWE) categorizes the underlying weakness class. CVE-2024-3094 maps to CWE-506 (Embedded Malicious Code). Mapping CVEs to CWEs helps organizations understand their vulnerability patterns and focus training on the most frequent weakness categories.

CVSS Scoring

The Common Vulnerability Scoring System (CVSS v3.1) provides a standardized severity rating from 0.0 to 10.0.

Base Metrics

The base score measures intrinsic vulnerability characteristics: Attack Vector (Network, Adjacent, Local, Physical), Attack Complexity (Low, High), Privileges Required (None, Low, High), User Interaction (None, Required), Scope (Unchanged, Changed), and three impact metrics — Confidentiality, Integrity, and Availability (each: High, Low, None). A network-exploitable, no-authentication, high-impact vulnerability receives a base score near 10.0.

Temporal and Environmental Metrics

Temporal metrics adjust the base score for factors that change over time: Exploit Code Maturity (Unproven, Proof-of-Concept, Functional, High), Remediation Level (Official Fix, Temporary Fix, Workaround, Unavailable), and Report Confidence (Unknown, Reasonable, Confirmed). Environmental metrics adjust for organizational context: modified base metrics, and requirements (Confidentiality, Integrity, Availability) weighted by business criticality.

CVSS Limitations and Alternatives

CVSS has been criticized for poor prioritization — a network-critical CVSS 9.0 vulnerability in a non-critical asset gets the same score as in a crown-jewel system. The Exploit Prediction Scoring System (EPSS) from FIRST predicts the likelihood of exploitation within 30 days, combining 20+ features (CVE age, exploit PoC availability, Twitter mentions, dark web chatter). Combining CVSS + EPSS provides better prioritization: prioritize high-CVSS vulnerabilities with high EPSS probabilities first.

Vulnerability Scanning

Agent-Based vs Agentless

Agent-based scanning installs software on endpoints (Qualys Cloud Agent, Tenable Nessus Agent, CrowdStrike Spotlight). Benefits: continuous assessment, post-authentication scanning, offline coverage. Agentless scanning uses network-based probes (Nessus, OpenVAS). Benefits: no agent management overhead, broader coverage of network devices.

Scanning Frequency

The 2025 Verizon DBIR found that 60% of breaches involved vulnerabilities for which a patch was available but not applied. Scanning frequency should match patch cadence: critical infrastructure weekly, internal infrastructure bi-weekly, and external-facing assets daily. AWS Inspector, Qualys, and Tenable support continuous scanning — assessing assets within minutes of deployment.

Authenticated vs Unauthenticated Scanning

Unauthenticated scanning identifies vulnerabilities visible to an external attacker. Authenticated scanning — using SSH keys, Windows credentials, or cloud API tokens — identifies OS-level and application-level vulnerabilities requiring deeper access. Authenticated scans typically find 5-10x more vulnerabilities than unauthenticated scans.

Prioritization and Risk-Based VM

Vulnerability prioritization moves beyond CVSS base scores to operational context.

Contextual Prioritization Factors

Asset criticality: a CVSS 7.5 vulnerability on a payment processing server is higher priority than the same vulnerability on a development sandbox. Exploit availability: prioritize vulnerabilities with public exploit code, active C2 infrastructure, or malware kit integration. Attack path proximity: vulnerabilities chained with initial access vectors (phishing, exposed RDP) require immediate action. Regulatory compliance: PCI DSS, HIPAA, and SOX require patching according to defined SLAs.

Remediation SLAs

Common SLA frameworks: Critical (CVSS 9-10) — patch within 48 hours; High (CVSS 7-8.9) — patch within 15 days; Medium (CVSS 4-6.9) — patch within 30 days; Low (CVSS 0-3.9) — patch within 90 days. SLAs may be shorter for internet-facing systems or regulated data. The 2025 Ponemon Cost of Patching study found that every day past SLA increases breach probability by 4.3%.

Patch Management

Patch Testing

Emergency patches for actively exploited vulnerabilities bypass testing windows but require monitoring and rollback plans. Standard patches follow a testing cycle: 48 hours in sandbox → 7 days in staging → production deployment. Automated patching tools: AWS Systems Manager Patch Manager, Azure Update Manager, GCP OS Patch Management, and WSUS/SCCM for on-premises.

Virtual Patching

When an official patch is unavailable or cannot be applied immediately, virtual patching applies compensating controls: WAF rules blocking exploit traffic (ModSecurity, AWS WAF), IDS/IPS signatures, and configuration workarounds. The Log4Shell (CVE-2021-44228) response drove widespread adoption of virtual patching — WAF vendors deployed blocking rules within hours of disclosure.

Reporting and Metrics

Effective vulnerability management reporting answers: what is our total vulnerability count by severity? Which business units have the highest remediation time? Which vulnerability categories are most common? Track: mean time to remediate (MTTR), vulnerability density (vulnerabilities per asset), patch compliance rate, and vulnerability recurrence rate.

Automated Vulnerability Management

Automation is essential for scaling vulnerability management across large, dynamic environments.

Vulnerability Management Platforms

Enterprise VM platforms (Qualys VMDR, Tenable.io, Rapid7 InsightVM, CrowdStrike Falcon Spotlight) provide: continuous discovery and classification, agent and agentless scanning, vulnerability prioritization with EPSS and asset criticality, automated ticketing (ServiceNow, Jira), and dashboards and reporting. Platform selection should consider: cloud coverage (multi-cloud support), container and Kubernetes scanning, integration with existing ITSM/SOAR tools, and accuracy (false positive rate).

Automated Remediation Workflows

Detection without remediation creates noise. Automated remediation workflows close the loop: critical vulnerability detected on production server → validation (re-scan to confirm) → ticket creation with asset owner, CVE details, remediation guidance → automated patching via patch management tool → verification scan → ticket closure. For scenarios where patching is delayed, automated virtual patching deploys WAF/IPS rules. The 2025 Qualys TruRisk Report found that organizations with automated VM workflows achieve 82% faster median patch times compared to manual processes.

Reporting and Executive Communication

Effective VM reporting communicates risk in business terms, not technical metrics. Executive dashboards should show: vulnerability aging (MTTR trend over time), risk exposure (total CVSS-weighted vulnerability count by asset criticality), top 10 most impactful vulnerabilities, and business unit comparison (which unit has the highest risk). Technical reports for operations teams focus on: specific assets requiring patching, available patches, and verification status. The CIS Controls recommend monthly vulnerability management reports to executive leadership.

Integrating VM with Other Security Programs

Vulnerability management does not operate in isolation. Integration with the broader security program multiplies its effectiveness.

VM and Threat Intelligence

Threat intelligence feeds prioritize vulnerabilities under active exploitation. CISA’s Known Exploited Vulnerabilities (KEV) catalog provides an authoritative list of vulnerabilities being exploited in the wild — these must be remediated ahead of CVSS-only priorities. Commercial threat intelligence (Recorded Future, Mandiant, CrowdStrike) identifies which vulnerabilities are being discussed on dark web forums, included in exploit kits, or targeted by specific threat actors. The 2025 SANS CTI Survey found that organizations integrating CTI with VM patch critical exploited vulnerabilities 4x faster than CVSS-only prioritization.

VM and Asset Management

CMDB accuracy directly impacts VM effectiveness — mis-tagged assets receive wrong prioritization. Automate asset discovery with cloud provider APIs (AWS Config, Azure Resource Graph, GCP Asset Inventory) and endpoint management tools. Tag assets with: environment (production, staging, development), data classification (PII, PCI, public), business owner, maintenance window, and compliance scope. The 2025 Gartner VM Magic Quadrant emphasizes that asset context separates effective VM programs from ineffective ones.

FAQ

What is the difference between CVE and CVSS? CVE is a vulnerability identifier (naming). CVSS is a scoring system (severity rating). A CVE entry includes a CVSS score but they are separate systems managed by MITRE and FIRST respectively.

How do I prioritize when every vulnerability is critical? Use asset criticality as a multiplier — the same CVSS score on a different asset may have different priority. Combine CVSS with EPSS exploitation probability and asset business impact.

Should I patch every vulnerability? No — patching costs and risks should be proportionate to risk. Low-severity vulnerabilities in non-critical systems may be accepted with documented risk acceptance from business owners.

What is a virtual patch? A compensating security control — typically a WAF rule, IPS signature, or configuration change — that blocks exploitation of a vulnerability without applying the official vendor patch. Used when the patch cannot be immediately deployed.

How often should I scan? External-facing infrastructure: daily. Internal critical systems: weekly. Standard internal systems: bi-weekly. After any significant infrastructure change: immediate scan.

For foundational security principles, see our Security Guide. Proactively identify risks with Threat Modeling. For vulnerability exploitation testing, read Security Testing.

Section: Security 1571 words 8 min read Beginner 756 articles in section Report inaccuracy Back to top