attritionorg
tumblr.attrition.org
2K posts
Welcome to the aforementioned slinky and sultry Web 2.0 crap.
attritionorg · 28 days ago
CVE: The Big Vote of No Confidence
Yesterday, Matt Harman, CISA Acting Executive Assistant Director for Cybersecurity, issued a statement on the CVE program. Trying to summarize the last several days and what happened is tricky, but you can read my LinkedIn posts as well as countless news articles and folks talking about it. The super tl;dr is that on April 15, a letter was sent from MITRE to the CVE Board saying that the next day…
attritionorg · 1 month ago
Reporting on the IBM 2025 Report
On April 16, 2025, IBM posted their X-Force 2025 Threat Intelligence Index. Like many reports of this nature, it covers a wide variety of aspects relating to threat intelligence. Of course, one of those aspects is vulnerability intelligence and this report has a section for that. You are reading this so you can guess where I am going. It’s been a while since I have taken vulnerability reports to…
attritionorg · 1 month ago
Who Reads Mega-advisories? No one! (Almost)
Vulnerability disclosure analysts are long familiar with so-called “mega advisories”, ones that typically come from vendors and often for products that ship appliances using hundreds of libraries or products with an entire operating system included. Such advisories can literally represent over 500 vulnerabilities in one shot. I’ll try to make this a bit fun! Disclaimer: I am going to use one…
attritionorg · 1 month ago
VulnCon Day 2 Errata & Taking Ben Edwards to Task
Today was the second day of VulnCon 2025, a conference whose stated purpose is “to collaborate with various vulnerability management and cybersecurity professionals to develop forward leaning ideas that can be taken back to individual programs for action to benefit the vulnerability management ecosystem.”  While the purpose is to develop “forward leaning” ideas, the reality is that sometimes…
attritionorg · 2 months ago
The Curious Case of CVE-2015-2551 & CVE-2019-9081 - Doom and Gloom! Or not.
What’s Your Story CVE-2015-2551?

This CVE-2015-2551 entry seems straight-forward, based on the description provided by CVE or NVD. Looking at the change history on NVD it is a bit more informative:

CVE Rejected by MITRE 5/11/2017 10:21:04 AM
CVE Source Update by Microsoft Corporation 11/06/2023 9:25:22 PM

They updated it to reflect they were the source, or assigning CNA. CVE Modified by…
attritionorg · 2 months ago
ChatGPT Exploited by Threat Actors, Doom and Gloom! Or not.
After years of chasing down typos in CVE IDs, now we all have to contend with poorly researched headlines and what appears to me to be ambulance chasing over mistaken product names. If you missed the news, threat actors are exploiting a vulnerability in ChatGPT! This is obviously a huge warning and we should all be afraid because of how prevalent ChatGPT is! Right? Regular readers of mine will know what’s…
attritionorg · 2 months ago
APT Naming Woes Redux (Bonus 'DOJ' Oops!)
One aspect of vulnerability intelligence is also making a best-faith effort to track the threat actors that are using the vulnerabilities. While that information often isn’t published, when it is we should include it. For example, less than 1% of data breaches publish the vulnerability associated with the initial compromise, and that is often the same with who was behind the compromise. Recently,…
attritionorg · 3 months ago
Has CWE Jumped the Shark?
attritionorg · 3 months ago
Reason #283 Why InfoSec Has Failed
For those familiar with my social media, you know that I have frequently said that our industry is failing the commons. InfoSec represents a huge market, companies get paid exorbitant amounts of money, salaries can border on the ridiculous, and the concept of researchers being famous for their work is still alive. Meanwhile, vulnerabilities are increasing in software, data breaches are up,…
attritionorg · 4 months ago
Why Don't You Fix CVE?
Historically, when I pointed out problems in anything, I wasn’t the best at offering solutions. Sometimes I simply had none because the problem was complex and the solutions I came up with were problematic themselves. Other times I had ideas, but they were fairly high-level and abstract and I didn’t want to be like the vulnerability disclosers offering the vendor fix ideas a la “sanitize input”.…
attritionorg · 4 months ago
CVE Farming - Problem & Solution
Blog Origins

In the last year or two, I have increasingly used the term “CVE farming” in conversations and LinkedIn posts [1]. This has led a few people to ask what it meant and I gave a very cliff notes version of the answer. I started taking notes for this blog a while back expecting for the question to come up more and more. Weeks back the topic came up again on LinkedIn and I said something…
attritionorg · 5 months ago
MITRE's Phoning in New CNAs
On December 17, 2024, MITRE announced five new CVE Numbering Authorities (CNA) on their Twitter feed as well as their news page. However, there were actually seven added according to the CNAs page based on tracking it daily. Last year, when I asked about a discrepancy in tracking the CNAs, MITRE promptly replied to clarify. Earlier this year, when I asked about another discrepancy I didn’t…
attritionorg · 6 months ago
CISA Weekly Bulletins FOIA Results
Did you know that CISA publishes a weekly bulletin of “new vulnerabilities”, and has for a long time? They tend to have anywhere from 350 up to almost 1,000 vulnerabilities depending on the volume of CVEs published. The bulletins are entirely based on CVE IDs being published, not when the disclosures happened (which CVE itself doesn’t track or map to either). I was curious about these because they don’t…
attritionorg · 6 months ago
Don't Be a CVE Dummy
One of the aspects of vulnerability intelligence is monitoring various public sources for new vulnerabilities, especially ones with a Common Vulnerabilities and Exposures (CVE) ID. These numbers are designed to help communicate details about a specific vulnerability. “Hey, remember that remote code execution in Fortinet in May?”  Unfortunately, that isn’t very specific as there were at least six…
attritionorg · 7 months ago
Was It Really GPAC? (No!) Getting a CVE Removed from CISA KEV
On October 3, 2024, Aquasec published a report about newly discovered malware named “perfctl”, targeting Linux servers. In it they cite the malware taking advantage of misconfigurations, as well as attempting to “exploit the Polkit vulnerability (CVE-2021-4043) to escalate privileges.” The only problem is that CVE-2021-4043 isn’t “the Polkit vulnerability”, which in itself is problematic since…
attritionorg · 8 months ago
Known Exploited Vulnerabilities (KEV) Thoughts - Part Two
This is part two of my thoughts on Known Exploited Vulnerabilities (KEV), and where it gets a lot more interesting! Please see the first blog before starting here.

Automation / Eagerness To Add

Reading vulnerability disclosures can be a grueling mission full of frustrations. Poorly written advisories, missing technical details, and errors make the life of a disclosure analyst exhausting (Want…
attritionorg · 8 months ago
Known Exploited Vulnerabilities (KEV) Thoughts - Part One
This is the first of two blogs with my thoughts on Known Exploited Vulnerabilities (KEV) tracking and the challenges that come with tracking them.

Introduction

On November 03, 2021, the Cybersecurity and Infrastructure Security Agency (CISA) announced a Binding Operational Directive (BOD) titled “BOD 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities”. This BOD established the…