CVE

Also known as: Common Vulnerabilities and Exposures

The standardized system for identifying security vulnerabilities. A CVE ID like CVE-2024-1234 uniquely identifies a specific flaw across vendors, tools, and patch notes.

When a security vulnerability is discovered and disclosed, it gets a CVE identifier: a unique number in the format CVE-[year]-[number]. This standardized ID is how vendors, security tools, news coverage, and patch notes all refer to the same vulnerability — allowing organizations to determine whether they're affected and prioritize remediation.

Each CVE entry includes a description of the vulnerability, affected software versions, and a CVSS (Common Vulnerability Scoring System) severity score from 0 to 10. Critical-rated CVEs (CVSS 9.0+) typically represent remote code execution or similar high-impact vulnerabilities.

The CVE system is maintained by MITRE Corporation and funded by CISA. The NVD (National Vulnerability Database), maintained by NIST, provides enriched data for each entry, including CVSS scores and affected vendor and product data.

For IT operations, CVE awareness matters for:

Patching prioritization — not all patches are equal. A patch addressing a CVSS 9.8 CVE being actively exploited is more urgent than one addressing a 4.0 CVE requiring local access.

Vulnerability scanning — scanners like Tenable Nessus and Qualys map discovered vulnerabilities to CVE IDs, giving you a structured list of what needs fixing.

Vendor advisories — when vendors release security patches, they reference CVE IDs so you can assess impact against your specific configuration.
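As an added example (not part of the original glossary entry), the following Python script shows how the pieces above fit together in practice: it validates the CVE-[year]-[number] ID format, maps CVSS base scores to their qualitative rating bands, and orders a list of scanner findings by the prioritization logic described above (actively exploited first, then severity band, then network-reachable before local). The finding records, the host names and every CVE ID other than CVE-2024-1234 are constructed placeholders; the "actively exploited" flag is assumed to come from a source such as CISA's Known Exploited Vulnerabilities catalog, and the policy encoded in `priority_key` is one reasonable choice, not a standard.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# CVE-[year]-[number]: a four-digit year and a sequence number of at least four digits
# (sequence numbers have had no fixed upper length since 2014).
CVE_ID_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")

# CVSS v3 qualitative rating bands, ordered from least to most severe.
RATING_RANK = {"None": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}


def parse_cve_id(cve_id: str) -> tuple[int, int]:
    """Return (year, sequence) for a well-formed CVE ID, else raise ValueError."""
    match = CVE_ID_RE.match(cve_id.strip().upper())
    if not match:
        raise ValueError(f"not a valid CVE ID: {cve_id!r}")
    return int(match.group(1)), int(match.group(2))


def is_valid_cve_id(cve_id: str) -> bool:
    """Boolean wrapper around parse_cve_id for input validation."""
    try:
        parse_cve_id(cve_id)
        return True
    except ValueError:
        return False


def cvss_rating(score: float) -> str:
    """Map a CVSS v3 base score (0.0-10.0) to its qualitative rating."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


@dataclass
class Finding:
    cve_id: str
    cvss: float
    attack_vector: str        # CVSS AV metric: "N" network, "A" adjacent, "L" local, "P" physical
    actively_exploited: bool  # assumed to be sourced from a known-exploited list such as CISA KEV
    host: str


def priority_key(f: Finding) -> tuple[bool, int, bool, float]:
    """Sort key: exploited first, then rating band, then network-reachable, then raw score."""
    parse_cve_id(f.cve_id)  # reject malformed IDs before they reach the patch queue
    return (f.actively_exploited, RATING_RANK[cvss_rating(f.cvss)], f.attack_vector == "N", f.cvss)


def prioritize(findings: list[Finding]) -> list[Finding]:
    """Return findings ordered from most to least urgent under priority_key."""
    return sorted(findings, key=priority_key, reverse=True)


# Constructed sample scanner output. CVE-2024-1234 is the glossary's own example ID;
# the other IDs and all host names are placeholders, not real vulnerabilities.
SAMPLE_FINDINGS = [
    Finding("CVE-2024-0002", 4.0, "L", False, "db-01"),
    Finding("CVE-2023-0001", 7.5, "N", False, "mail-01"),
    Finding("CVE-2024-1234", 9.8, "N", True, "web-01"),
    Finding("CVE-2023-0003", 9.1, "L", False, "build-01"),
]


def patch_queue(findings: list[Finding] = SAMPLE_FINDINGS) -> list[str]:
    """Return the CVE IDs of the findings in remediation order."""
    return [f.cve_id for f in prioritize(findings)]


if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        flag = "EXPLOITED" if f.actively_exploited else ""
        print(f"{f.cve_id:<15} {f.cvss:>4} {cvss_rating(f.cvss):<9} AV:{f.attack_vector} {f.host:<10} {flag}")
```

Running the script prints the queue with the actively exploited critical first, then the remaining findings by rating band; the 9.1 local-only finding still ranks above the 7.5 network-reachable one because the band comparison comes before the attack-vector tie-break, which is the kind of policy decision a team should make explicitly rather than leave to a scanner's default sort.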