CVE explained: the global system for tracking security vulnerabilities

Key insights

  • CVE (Common Vulnerabilities and Exposures) is the global standard for identifying and cataloging publicly disclosed cybersecurity vulnerabilities, with over 308,000 entries since its 1999 launch and a record 48,185 new CVEs in 2025.
  • The CVE program survived a 2025 funding crisis when MITRE's contract nearly expired, but emerging alternatives like EUVD and GCVE signal a shift toward decentralized vulnerability tracking.
  • Only about 1% of published CVEs are confirmed exploited in the wild (2025), making risk-based prioritization with tools like the CISA KEV catalog essential for efficient patching.
  • The NVD enrichment backlog affects roughly 44% of recent CVEs (2025), forcing teams to supplement NVD data with CISA Vulnrichment, vendor advisories, and the new European EUVD.
  • Behavioral detection complements CVE-based patching by identifying exploitation patterns — like lateral movement and privilege escalation — regardless of whether a specific CVE has been assigned.

Every day, security teams face a flood of new software flaws — more than 130 disclosed every 24 hours in 2025 alone. Without a shared system for naming and tracking those flaws, defenders would waste critical hours just figuring out whether two advisories describe the same bug. That shared system is CVE, and understanding how it works is foundational to every modern vulnerability management program. This guide covers what CVE means, how identifiers are assigned, the ecosystem of related standards, and the 2025 funding crisis that nearly shut the entire program down. Whether you are triaging alerts in a SOC or mapping controls for an audit, the information here will sharpen how you use CVE data day to day.

What is CVE?

CVE (Common Vulnerabilities and Exposures) is a standardized identification system that assigns unique IDs to publicly disclosed cybersecurity vulnerabilities, giving security teams, vendors, and researchers a common language to track, discuss, and remediate specific flaws across tools and organizations worldwide.

The MITRE Corporation created the CVE system in 1999 with funding from the U.S. Department of Homeland Security (DHS) and the Cybersecurity and Infrastructure Security Agency (CISA). Before CVE existed, a single vulnerability might carry different names in different scanners, advisories, and patch bulletins. That inconsistency made cross-team coordination slow and error-prone. CVE solved the problem by providing one canonical identifier per flaw — a reference number that every tool, every vendor, and every analyst can point to unambiguously.

The scale of the program reflects the scale of the problem. According to Jerry Gamblin's 2025 CVE Data Review, a record 48,185 CVEs were published in 2025 — a 20.6% increase over 2024's 39,962 entries. The cumulative catalog now exceeds 308,000 entries. That growth underscores both the expanding attack surface and the critical role CVE plays in keeping vulnerability data organized.

The CVE.org program overview describes the mission succinctly: identify, define, and catalog publicly disclosed cybersecurity vulnerabilities. The system is free to use, openly accessible, and integrated into virtually every major security tool on the market.

Why CVE matters for security teams

Without CVE, organizations would lack a shared vocabulary for discussing specific vulnerabilities. When a scanner flags a flaw and a patch bulletin addresses the same flaw, the CVE ID is what confirms they are talking about the same issue. That shared reference enables several critical workflows:

  • Cross-tool correlation. SIEM platforms, vulnerability scanners, and patch management systems all index by CVE ID, allowing analysts to correlate findings without manual mapping.
  • Faster communication. Instead of describing a flaw in prose, a team can share a CVE ID and everyone — from the SOC analyst to the CISO — immediately knows the scope.
  • Compliance reporting. Frameworks like PCI DSS, NIST CSF, and NIS2 reference CVE-based tracking as a core control for vulnerability management.
  • Threat intelligence. Feeds from CISA, vendor advisories, and open-source intelligence all use CVE IDs as the primary key for vulnerability data.

How CVE identifiers are structured

A CVE identifier follows the format CVE-YEAR-NUMBER and includes a description, affected products, severity score, and reference links. Understanding the anatomy of a CVE ID helps analysts quickly parse advisories and prioritize action.

Each identifier has three components:

  1. CVE prefix. The literal string "CVE" that marks the entry as part of the program.
  2. Year. The four-digit year in which the CVE ID was assigned (not necessarily the year the flaw was discovered or disclosed).
  3. Sequential number. A unique numeric sequence of at least four digits. Since 2014, the program has supported five or more digits to accommodate volume growth — a change driven by the steady rise in annual disclosures.

Beyond the ID itself, each CVE record contains several data fields:

  • Description. A concise explanation of the vulnerability, including affected software or component.
  • Affected products. Versions and configurations impacted.
  • References. Links to vendor advisories, patches, and technical write-ups.
  • CNA source. The CVE Numbering Authority that assigned the ID.
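The identifier grammar above, as an added parser (example code, not part of the original article or the CVE program's own tooling): it validates the prefix, the four-digit year and the sequence number, and also extracts every CVE ID mentioned in free text so that two advisories can be matched on the same ID. The minimum of four sequence digits, leading-zero handling and the 1999 floor are assumptions drawn from the rules summarised above.

```python
import re
from dataclasses import dataclass

# Grammar as described on this page: literal "CVE", a four-digit assignment
# year, and a sequence number of at least four digits (five or more since 2014).
# Leading zeros are part of the identifier: CVE-2021-0001 is a valid ID, while
# CVE-2021-1 is not. The 1999 floor is an assumption: the program launched that year.
CVE_ID_RE = re.compile(r"^CVE-(?P<year>\d{4})-(?P<seq>\d{4,})$")
PROGRAM_START_YEAR = 1999


@dataclass(frozen=True)
class CveId:
    year: int        # year the ID was assigned, not necessarily discovered
    sequence: int    # numeric value of the sequence number
    raw: str         # canonical upper-case form, leading zeros preserved


def parse_cve_id(text: str) -> CveId:
    """Parse a CVE identifier; raise ValueError for anything that is not one.

    The prefix is matched case-insensitively and surrounding whitespace is
    ignored, so IDs pasted from tickets or chat still parse. Everything else
    must match the grammar exactly.
    """
    candidate = text.strip().upper()
    m = CVE_ID_RE.match(candidate)
    if m is None:
        raise ValueError(f"not a CVE identifier: {text!r}")
    year = int(m.group("year"))
    if year < PROGRAM_START_YEAR:
        raise ValueError(f"implausible CVE year {year} in {text!r}")
    return CveId(year=year, sequence=int(m.group("seq")), raw=candidate)


def is_cve_id(text: str) -> bool:
    """True if the text is a well-formed CVE identifier."""
    try:
        parse_cve_id(text)
        return True
    except ValueError:
        return False


def extract_cve_ids(text: str) -> list:
    """Return the distinct CVE IDs mentioned in free text (an advisory, a
    ticket, a SIEM alert), in order of first appearance, normalised to upper
    case. This is the cross-tool correlation step: two findings that carry
    the same ID describe the same flaw."""
    seen = {}
    for m in re.finditer(r"\bCVE-\d{4}-\d{4,}\b", text, flags=re.IGNORECASE):
        seen.setdefault(m.group(0).upper(), None)
    return list(seen)


if __name__ == "__main__":
    # CVE-2024-12345 below is a constructed sample ID, not a real record.
    print(parse_cve_id("cve-2021-44228"))
    print(extract_cve_ids("Scanner: cve-2021-44228; bulletin: CVE-2021-44228, CVE-2024-12345"))
```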

How to read a CVE entry

Consider CVE-2021-44228, commonly known as Log4Shell. The ID tells you immediately that it was assigned in 2021 and carries sequence number 44228. The CVE record describes a remote code execution flaw in the Apache Log4j 2 logging library. Its CVSS score — assigned separately through the Common Vulnerability Scoring System — is 10.0, the maximum severity. The references section links to the Apache advisory, the NVD enrichment page, and multiple third-party analyses.

It is important to distinguish the CVE ID itself from the CVSS score that accompanies it. CVE identifies what the flaw is. CVSS — maintained by the Forum of Incident Response and Security Teams (FIRST) — quantifies how severe that flaw is on a 0–10 scale. The two systems are complementary, not interchangeable.

How the CVE system works

CVE Numbering Authorities validate and assign identifiers through a structured lifecycle from discovery to publication and NVD enrichment. The process moves through six stages:

  1. Researcher discovers a vulnerability in software, hardware, or firmware.
  2. Report submitted to a CNA or directly to MITRE through the CVE.org request form.
  3. CNA validates the report and confirms the flaw meets CVE inclusion criteria.
  4. CNA assigns a CVE ID within its authorized scope.
  5. CVE record published on CVE.org with description and references.
  6. NVD enriches the record with CVSS score, Common Platform Enumeration (CPE) data, and additional metadata.

The CNA hierarchy is structured in three tiers. MITRE serves as the Top-Level Root, overseeing the entire program. Below MITRE sit Roots — organizations like CISA, Google, and Microsoft that manage groups of CNAs. At the base are the CVE Numbering Authorities themselves: 365 active CNAs operated across the ecosystem in 2025.

What is a CVE Numbering Authority?

A CVE Numbering Authority (CNA) is an organization authorized by the CVE program to assign CVE IDs within a defined scope — typically its own products or a specific technology domain. The top CNAs by volume in 2025 illustrate the breadth of the program:

  • Patchstack: 7,007 CVEs (WordPress ecosystem)
  • VulDB: 5,902 CVEs
  • Linux: 5,686 CVEs
  • MITRE: 5,208 CVEs
  • Wordfence: 3,451 CVEs

These numbers, drawn from Jerry Gamblin's 2025 analysis, show that open-source and web application ecosystems now drive the largest share of new CVE assignments. Any organization can apply to become a CNA through the CVE.org program.

How to report a vulnerability to CVE

Researchers who discover a flaw can report it through two paths. If the affected vendor operates as a CNA, the researcher submits directly to that vendor. If not, the researcher can use the CVE.org request form, which routes the submission to the appropriate CNA or to MITRE as a last resort.

Not every submission results in a published CVE. In 2025, 1,787 CVEs were rejected — a 3.58% rejection rate — typically because the reported issue did not meet the program's inclusion criteria or duplicated an existing entry.

The CVE ecosystem: CVE vs CVSS, CWE, and NVD

CVE identifies specific vulnerabilities, while CVSS scores their severity, CWE classifies weakness types, and NVD provides enriched metadata. These four systems are commonly confused, so a clear comparison helps practitioners understand how they fit together.

How CVE, CWE, CVSS, and NVD relate in the vulnerability management pipeline:

| System | Purpose | Maintained by | Example |
|---|---|---|---|
| CVE | Unique identifier for a specific vulnerability | MITRE Corporation | CVE-2021-44228 (Log4Shell) |
| CWE | Categorizes the type of underlying weakness | MITRE Corporation | CWE-79 (Cross-Site Scripting) |
| CVSS | Severity score on a 0–10 scale | FIRST | 10.0 (Critical) |
| NVD | Enriched database with CVSS scores, CPE data, and fix info | NIST | NVD entry for CVE-2021-44228 |

The pipeline works like this: a CWE describes the general weakness class (for example, CWE-79 for Cross-Site Scripting). A CVE identifies a specific instance of that weakness in a particular product. CVSS then scores how severe that specific instance is. Finally, the National Vulnerability Database enriches the CVE record with structured data — CVSS scores, affected product enumerations, and references to patches.

In 2025, CWE-79 (Cross-Site Scripting) led all weakness categories with 8,207 instances, and the average CVSS score across all published CVEs was 6.60 — squarely in the "Medium" severity range.

Understanding these distinctions matters because they answer different questions. "What is the flaw?" — that is CVE. "What kind of flaw is it?" — that is CWE. "How bad is it?" — that is CVSS. "Where can I find the complete enriched record?" — that is NVD.

Current state of the CVE program (2025–2026)

The CVE program survived a 2025 funding crisis, but NVD backlogs and competing systems like EUVD and GCVE are reshaping vulnerability tracking. This section covers three developments that most overviews of CVE leave out.

The 2025 funding crisis and resolution

In April 2025, the CVE program came within days of shutting down. MITRE's contract with DHS to operate the program was set to expire, and no renewal was in place. SecurityWeek reported that MITRE leadership signaled "potential deterioration" of the program as the deadline approached.

On April 16, 2025, two things happened simultaneously. CISA secured an 11-month bridge extension to keep the program running. And the newly formed CVE Foundation — a nonprofit established by CVE Board members — launched to advocate for diversified, long-term governance.

By January 2026, the situation stabilized. CSO Online reported that the CVE Board was informed there would be "no funding cliff in March," with CVE elevated to a core CISA program. However, funding details remain opaque — described by observers as a "mystery contract with a mystery number."

EUVD and GCVE: emerging alternatives

The funding scare accelerated two alternative approaches to vulnerability tracking:

  • EUVD (European Union Vulnerability Database). Launched by ENISA in May 2025 under the NIS2 Directive, the EUVD provides an EU-operated vulnerability catalog. It complements CVE rather than replacing it, but gives European organizations a regional source of truth. The EU Cyber Resilience Act (CRA) will require vendors to report actively exploited vulnerabilities within 24 hours by September 2026.
  • GCVE (Global CVE). Launched by CIRCL in January 2026, GCVE takes a decentralized approach where multiple organizations can independently assign vulnerability identifiers using the GCVE.eu framework. While proponents see resilience benefits, Dark Reading noted fragmentation concerns from practitioners who worry about maintaining a single source of truth.

The NVD enrichment backlog

The National Vulnerability Database — the NIST-maintained system that enriches CVE records with CVSS scores and CPE data — has struggled to keep pace. According to analysis by inventivehq, approximately 44% of CVEs added in the past year lack CVSS scores and affected product data (2025).

NIST compounded the problem by marking all pre-2018 CVEs as "Deferred" — nearly 100,000 records that will no longer receive enrichment updates (2026). The Commerce Department's Office of Inspector General launched a federal audit into NVD management practices.

For practitioners, the implication is clear: teams relying solely on NVD face incomplete data. CISA's Vulnrichment project provides a supplementary enrichment source, and the EUVD offers an additional data stream for EU-regulated organizations.

CVE in practice: real-world exploitation patterns

With more than 130 new CVEs published daily and 28% of exploits launched within 24 hours of disclosure (2025), organizations need automated triage that goes beyond manual tracking.

The 2025 numbers paint a stark picture. Of the record 48,185 published CVEs, the severity breakdown was:

| Severity | Count | Percentage |
|---|---|---|
| Critical | 3,984 | 8.3% |
| High | 15,003 | 31.1% |
| Medium | 25,551 | 53.0% |
| Low | 1,557 | 3.2% |

CVE severity distribution in 2025, based on CVSS scores. Source: Jerry Gamblin's 2025 CVE Data Review.

Despite the volume, threat actors remain highly selective. Only about 1% of the 48,000+ CVEs published in 2025 were confirmed exploited in the wild. However, when exploitation does occur, it happens fast — 54% of critical CVEs were exploited within the first week of disclosure (2025). Security researchers identified 884 known exploited vulnerabilities with first-time evidence in 2025, and the CISA KEV catalog grew by 244 entries (a 28% increase), bringing its total to 1,483.

FIRST projects a median of 59,427 new CVEs for 2026 — a trajectory that makes manual tracking increasingly untenable.

Notable CVE case studies

Three real-world examples illustrate different exploitation patterns:

  • Log4Shell (CVE-2021-44228). A critical remote code execution flaw in the Apache Log4j 2 library, scoring CVSS 10.0. Attackers began exploiting it within hours of disclosure in December 2021. Because Log4j is embedded in millions of applications, the blast radius was enormous — and organizations are still finding unpatched instances years later.
  • MOVEit Transfer (CVE-2023-34362). A SQL injection zero-day vulnerability in Progress Software's file transfer tool. The CL0P ransomware operation exploited it before a patch was available, compromising approximately 130 organizations across government, finance, and healthcare.
  • GoAnywhere MFT (CVE-2025-10035). Another file transfer tool targeted in a supply chain attack pattern. Medusa-affiliated actors exploited the flaw before public disclosure, executing a full attack chain from initial access through lateral movement, data exfiltration, and ransomware deployment.

Using CVE data to detect and prevent attacks

Effective CVE-based defense requires risk-based prioritization combining CVSS scores, CISA KEV status, exploit intelligence, and behavioral detection capabilities. The following workflow helps security teams operationalize CVE data:

  1. Monitor CVE sources. Track new disclosures from CVE.org, NVD, the CISA Known Exploited Vulnerabilities catalog, EUVD, and vendor-specific advisories.
  2. Correlate with your asset inventory. Map published CVEs against your environment using asset management and SBOM (Software Bill of Materials) data for third-party component visibility.
  3. Prioritize using a risk-based approach. Combine CVSS severity, CISA KEV status (is the CVE actively exploited?), available exploit intelligence, and asset criticality to rank remediation urgency.
  4. Remediate. Apply patches where available. Where patching is not immediately possible, deploy compensating controls — virtual patching, network segmentation, or access restrictions.
  5. Verify and track. Confirm that remediation was effective through rescanning and update your tracking systems.

The CISA KEV catalog deserves special attention in step three. With a median time to KEV inclusion of just 5.0 days (down from 8.5 in prior years, 2025), the catalog provides a fast, curated signal of which CVEs attackers are actually using. Under Binding Operational Directive 22-01, U.S. federal agencies must remediate KEV entries within mandated timelines.
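A worked triage pass that covers the enrichment fallback described under the NVD backlog and steps 2 through 5 of the workflow above. This is an added example, not Vectra AI's, CISA's or NVD's code: the record layout, the CVE IDs, product names, due dates and the scoring rule are all constructed for illustration and do not reflect any real schema or catalog entry.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed sample data, shaped loosely like the sources the article names.
# Primary records: cvss is None where the NVD backlog has left the entry unscored.
NVD_RECORDS = {
    "CVE-2025-10001": {"product": "acme-transfer", "cvss": 9.8},
    "CVE-2025-10002": {"product": "acme-transfer", "cvss": None},  # unscored in NVD
    "CVE-2025-10003": {"product": "acme-webmail", "cvss": 6.5},
    "CVE-2025-10004": {"product": "acme-kiosk", "cvss": 9.1},     # product not deployed
    "CVE-2025-10005": {"product": "acme-webmail", "cvss": None},  # unscored everywhere
}
# Supplementary enrichment (Vulnrichment-style): fills gaps NVD has not scored yet.
VULNRICHMENT = {"CVE-2025-10002": {"cvss": 8.8}}
# KEV-style catalog: CVE ID -> mandated remediation due date (BOD 22-01 model).
KEV = {"CVE-2025-10002": date(2025, 11, 20)}
# Asset inventory: product -> criticality weight (1 = low, 3 = crown jewel).
ASSETS = {"acme-transfer": 3, "acme-webmail": 2}


@dataclass
class Finding:
    cve_id: str
    product: str
    cvss: Optional[float]
    cvss_source: str      # "nvd", "vulnrichment" or "unscored"
    in_kev: bool
    due: Optional[date]
    criticality: int
    score: float = 0.0


def enrich(cve_id, rec):
    """Prefer NVD's CVSS; fall back to the supplementary feed; else mark unscored."""
    if rec["cvss"] is not None:
        return rec["cvss"], "nvd"
    alt = VULNRICHMENT.get(cve_id)
    if alt is not None:
        return alt["cvss"], "vulnrichment"
    return None, "unscored"


def triage(records=NVD_RECORDS):
    """Correlate CVEs with the inventory, then rank by risk rather than raw CVSS.

    Ranking rule (this example's own, not a standard): KEV entries outrank
    everything else; an unscored CVE is treated as High (7.0) instead of being
    ignored; asset criticality multiplies the base score. CVEs for products not
    in the inventory are dropped (workflow step 2)."""
    findings = []
    for cve_id, rec in records.items():
        crit = ASSETS.get(rec["product"])
        if crit is None:
            continue                      # not in our environment: no action
        cvss, src = enrich(cve_id, rec)
        base = 7.0 if cvss is None else cvss
        in_kev = cve_id in KEV
        f = Finding(cve_id, rec["product"], cvss, src, in_kev, KEV.get(cve_id), crit)
        f.score = base * crit + (100.0 if in_kev else 0.0)
        findings.append(f)
    findings.sort(key=lambda f: f.score, reverse=True)
    return findings


def overdue(findings, today_iso):
    """KEV entries whose mandated remediation date has already passed (step 5)."""
    today = date.fromisoformat(today_iso)
    return [f.cve_id for f in findings if f.due is not None and f.due < today]


if __name__ == "__main__":
    for f in triage():
        print(f"{f.cve_id} {f.product:<14} cvss={f.cvss} ({f.cvss_source}) "
              f"kev={f.in_kev} score={f.score:.1f}")
    print("overdue:", overdue(triage(), "2025-12-01"))
```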

Beyond CVE-based patching: behavioral detection

CVE-based patching alone leaves gaps. Zero-day vulnerabilities are exploited before any CVE ID exists. Patches take time to deploy. And some environments — legacy systems, operational technology, third-party SaaS — cannot be patched quickly.

Behavioral threat detection closes that gap by focusing on what attackers do after exploiting a vulnerability, rather than on the specific CVE they used. Network detection and response solutions monitor for post-exploitation behaviors — reconnaissance, lateral movement, privilege escalation, command-and-control communication, and data exfiltration — regardless of the entry vector.

A defense-in-depth approach combines CVE-based vulnerability management with behavioral detection and incident response capabilities. When a zero-day bypass renders CVE-based defenses temporarily blind, behavioral detection provides the safety net.

CVE and compliance

CVE tracking directly supports compliance requirements across major regulatory frameworks. The following crosswalk maps CVE processes to the controls that auditors look for.

How CVE tracking maps to major compliance frameworks:

| Framework | Relevant control | CVE requirement | Evidence |
|---|---|---|---|
| NIST CSF | ID.RA-1, PR.IP-12 | Identify asset vulnerabilities; maintain vulnerability management plan | CVE-based scan reports, remediation logs |
| PCI DSS v4.0 | Requirement 6.3 | Identify and manage security vulnerabilities using CVE data | Quarterly scan results with CVE mapping |
| ISO 27001:2022 | Control A.12.6 | Technical vulnerability management | CVE tracking records, patch timelines |
| NIS2 Directive | Article 21 | Risk-based vulnerability management | EUVD integration, CVE-based risk assessments |
| CISA BOD 22-01 | Full directive | Remediate KEV catalog entries within mandated timelines | KEV compliance reports, remediation evidence |

Beyond framework mapping, CVE data connects directly to the MITRE ATT&CK framework. MITRE's Center for Threat-Informed Defense (CTID) maintains a project mapping ATT&CK techniques to CVEs, linking specific vulnerabilities to attacker behaviors. For example, technique T1190 (Exploit Public-Facing Application) maps to CVEs in web servers and APIs, while T1068 (Exploitation for Privilege Escalation) maps to local elevation-of-privilege flaws.

Modern approaches to vulnerability intelligence

Modern vulnerability intelligence combines CVE data with behavioral detection and risk-based prioritization to address the gap between disclosure and exploitation. With FIRST projecting a median of 59,427 new CVEs for 2026, the old approach of patching everything by CVSS score is collapsing under its own weight.

Several shifts define the current landscape:

  • Risk-based prioritization over CVSS-only triage. Only 1% of CVEs are confirmed exploited in the wild (2025). The CISA KEV catalog, exploit intelligence feeds, and asset criticality data provide far better signal than raw severity scores alone.
  • Supplementary enrichment beyond NVD. With the NVD backlog affecting 44% of recent entries, teams are turning to CISA Vulnrichment, the EUVD, vendor advisories, and open-source intelligence to fill the gap.
  • SBOM for dependency tracking. Software Bills of Materials give organizations visibility into transitive dependencies — the third-party libraries buried deep in their applications — so they can quickly assess CVE exposure across their entire software supply chain.
  • Automation and AI-assisted triage. At 130+ new CVEs per day, manual review is untenable. Organizations are adopting automated correlation engines that match new CVEs against asset inventories and flag only the entries that pose real risk.
  • Behavioral detection as a complement. Continuous threat exposure management and vulnerability assessment programs increasingly pair CVE-based scanning with behavioral monitoring to catch exploitation of unknown or unpatched flaws.

How Vectra AI thinks about vulnerability exploitation

Vectra AI approaches vulnerability exploitation through the lens of assume compromise. Rather than relying solely on CVE-based patching, Vectra AI's Attack Signal Intelligence focuses on detecting the behaviors attackers exhibit after exploiting vulnerabilities — whether those CVEs are known, unknown, or zero-day. This methodology ensures defenders can identify exploitation patterns like lateral movement, privilege escalation, and data exfiltration regardless of the specific CVE involved, closing the gap between vulnerability disclosure and organizational response.

Future trends and emerging considerations

The vulnerability disclosure ecosystem is entering a period of rapid structural change. Over the next 12–24 months, several developments will reshape how organizations discover, prioritize, and respond to CVEs.

Volume will continue to accelerate. FIRST's median projection of 59,427 new CVEs for 2026 represents another 23% increase over 2025's record. AI frameworks (Langflow, Semantic Kernel) and enterprise control planes (SD-WAN appliances, identity infrastructure, migration tools) are opening new vulnerability categories that barely existed two years ago. Security teams should plan staffing and tooling around the assumption that daily CVE volume will exceed 160 entries by late 2026.

Regulatory requirements will tighten. The EU Cyber Resilience Act (CRA) takes effect in September 2026, requiring vendors to report actively exploited vulnerabilities within 24 hours. NIS2 already mandates risk-based vulnerability management for essential and important entities across the EU. In the U.S., the Commerce Department's OIG audit of NVD could result in structural changes to how NIST enriches vulnerability data. Organizations operating in multiple jurisdictions should prepare for overlapping CVE, EUVD, and GCVE reporting obligations.

Decentralization will bring both resilience and friction. The emergence of EUVD and GCVE introduces redundancy — a valuable safeguard against single points of failure like the 2025 funding scare. But it also introduces coordination challenges. Will a vulnerability tracked in GCVE carry the same ID in CVE? How will NVD handle enrichment for entries that originate outside the traditional CNA hierarchy? These questions remain unanswered and will demand attention from both policy makers and practitioners.

AI-assisted CVE triage will become table stakes. With the NVD backlog persisting and volume rising, organizations that still rely on manual CVE review will fall further behind. Expect broader adoption of automated correlation engines, AI-driven exploitability prediction models, and integration of SBOM data into vulnerability management workflows.

Investment priority: Organizations should budget for automated CVE correlation, SBOM tooling, and behavioral detection capabilities that work independently of specific CVE assignments — because the next critical exploit may arrive before any CVE ID does.

Conclusion

CVE remains the bedrock of how the cybersecurity community identifies and communicates about vulnerabilities. From its 1999 origins to the record 48,185 entries published in 2025, the system has scaled alongside an ever-expanding attack surface. But scale brings challenges: the 2025 funding crisis, the NVD enrichment backlog, and the emergence of EUVD and GCVE all signal that the vulnerability ecosystem is diversifying.

For security teams, the practical takeaway is to build workflows that go beyond CVE alone. Pair CVE tracking with risk-based prioritization using the CISA KEV catalog, supplement NVD data with multiple enrichment sources, and invest in behavioral detection that catches exploitation regardless of whether a CVE has been assigned. The attackers who matter most — the ones targeting your organization — will not wait for a CVE ID before they strike.

To learn how Vectra AI helps organizations detect post-exploitation behaviors across network, identity, and cloud environments, explore the Vectra AI platform.

Frequently asked questions

What does CVE stand for?

How are CVE identifiers assigned?

What is the difference between CVE and CVSS?

What is the difference between CVE and NVD?

How many CVEs have been published?

What happened to CVE funding in 2025?

What is the CISA KEV catalog?