Early Access to Unpublished CVEs

VulnCheck Exploit & Vulnerability Intelligence often includes early access information on CVEs not yet published by NIST in the NVD, in cases where vendor advisories are monitored or exploits are discovered.

Overview

VulnCheck Exploit & Vulnerability Intelligence is an autonomous system that tracks dozens of vendor and government advisories, and then marries that data with best-in-class exploit intel from VulnCheck. When it comes to CVE records published by NIST in the Nationality Vulnerability Database (NVD), there is often a lag associated with publication. VulnCheck Explloit & Vulnerability Intelligence monitors far more sources than just the NVD, allowing organizations to get a heads up on future CVEs ahead of their publication by NIST in the NVD.

Example Root Cause: CVE Numbering Authority (CNA) Publication

Often a CVE Numbering Authority (CNA) has gone public with a CVE via a Vendor Advisory or Blog post, before NIST has published the CVE record. In cases like these, a CVE is often still marked RESERVED in the NVD, because the CVEs are allocated in blocks to CNAs, yet actively used in the public domain until later publication by NIST in the NVD.

Enter VulnCheck: Early Access to Unpublished CVEs

In cases where VulnCheck Exploit & Vulnerability Intelligence is monitoring the Vendor Advisories, say of a CNA, customers of VulnCheck Exploit & Vulnerability Intelligence do not suffer from a NIST NVD publication lag, because VulnCheck Exploit & Vulnerability Intelligence is able to include CVE references for monitored vendor and exploit sources, including for CVEs that are marked RESERVED by NIST in the NVD, or are otherwise unpublished by NIST.

Example: PwnKit (CVE-2021-4034)

The PwnKit vulnerability (CVE-2021-4034) was discovered by the Qualys research team and published on 2022-01-25. The same day, 2022-01-25, numerous vendor advisories were published, such as by Debian and Red Hat. In fact, Red Hat was the CVE Numbering Authority (CNA) responsible for the CVE.

Additionally, numerous exploits were published, that same day, on 2022-01-25, including numerous on GitHub.

The NIST National Vulnerability Database only published the original PwnKit (CVE-2021-4034) vulnerability record in the NVD on 2022-01-28. Thus organizations relying on the NVD for their source of vulnerability data, would have been blind to the vulnerability disclosure and associated exploits in-the-wild.