Flashpoint's VulnDB, a prominent vulnerability intelligence database, has recorded over 100,000 vulnerabilities that are not listed in CVE (Common Vulnerabilities and Exposures) or the NVD (National Vulnerability Database). This figure highlights a gap in vulnerability management programs that depend on CVE.
VulnDB's non-CVE vulnerabilities include flaws affecting major technology vendors such as Google and Microsoft, as well as numerous third-party libraries. They also cover zero-day flaws and vulnerabilities actively exploited in the wild. This data is particularly relevant for sectors such as manufacturing and blockchain, underscoring the need for thorough vulnerability intelligence in today's cybersecurity landscape.
In total, VulnDB contains over 339,000 known disclosed vulnerabilities, of which more than 101,000 are non-CVE. This is a significant concern for organizational security: a vulnerability management program that relies solely on CVE data may miss about 30% of known risks. VulnDB's non-CVE entries also expose issues in major vendor platforms and third-party libraries that are often overlooked.
For industries such as manufacturing, medical, and blockchain technology, the detailed information VulnDB provides on non-CVE vulnerabilities is of high importance. The database offers standardized details for each vulnerability, which aids effective triage and prioritization of security risks.
Although CVSS (Common Vulnerability Scoring System) is a common tool for vulnerability assessment, VulnDB's data shows that a significant number of high- to critical-severity vulnerabilities are not captured by CVE. Over half of the non-CVE vulnerabilities documented by VulnDB fall into the high-to-critical severity range under CVSSv3, and approximately 60.4% are remotely exploitable.
As of December 2023, Flashpoint analysts have identified over 300 vulnerabilities exploited in the wild that still lack CVE IDs, including vulnerabilities in widely used software such as Adobe Reader, Apple iOS, and Microsoft SQL Server.
The delay in assigning CVE IDs to major vulnerabilities underscores why security teams need immediate access to the latest vulnerability information, whether or not it has a CVE ID at the outset. Flashpoint's approach to vulnerability intelligence, which includes proactive monitoring and a faster update cycle than CVE, gives organizations a more comprehensive source for identifying and prioritizing cybersecurity threats. This approach is particularly beneficial for industries with specific technology needs and vulnerabilities.