CVE (Common Vulnerabilities and Exposures)
Publicly disclosed security flaws with unique identifiers. ORDR maps CVEs to specific assets in the environment for context-aware, prioritized remediation rather than generic patching lists.
What is CVE (Common Vulnerabilities and Exposures)?
CVE (Common Vulnerabilities and Exposures) is the standardized naming system for publicly disclosed security vulnerabilities. Maintained by MITRE and funded by CISA, each CVE entry provides a unique identifier (e.g., CVE-2021-44228), a description of the vulnerability, and references to technical details and patches. The CVE system is the common language that connects vulnerability researchers, vendors, and security teams — when a researcher discovers a flaw in a Cisco router or a Siemens PLC, they file for a CVE identifier so everyone can refer to the same issue unambiguously.
The challenge is scale. Over 25,000 CVEs are published annually, and the total catalog contains more than 200,000 entries. A mid-sized enterprise with diverse IoT and OT assets may have hundreds of thousands of CVE exposures across its device fleet — far more than any team can remediate in any reasonable timeframe. Raw CVE counts are overwhelming; prioritization based on exploitability, asset context, and operational risk is the only practical path forward.
IoT and OT environments add a further complication: many CVEs affecting industrial and medical devices are published without vendor patches, or with patches that cannot be applied in practice. A CVE for a PLC that requires a firmware update is effectively unremediable in operational environments that cannot tolerate downtime or risk introducing new instability through firmware changes.
Key Facts
- Over 25,000 new CVEs are published annually — more than 70 per day on average
- The NVD (National Vulnerability Database) is the primary source for CVE severity and technical details
- Fewer than 5% of published CVEs are ever actively exploited in real-world attacks
- CVEs affecting OT and medical devices are frequently published without available patches
How ORDR Addresses CVE (Common Vulnerabilities and Exposures)
ORDR maps published CVEs to specific assets in the environment — not just device types, but the actual devices deployed — using asset classification and firmware version data. Each CVE is contextualized with CVSS score, KEV status, EPSS probability, and the device's network exposure, turning a list of CVE identifiers into a prioritized, actionable remediation plan.
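The kind of asset-level mapping and ranking described above can be sketched as follows. This is an added example, not ORDR's implementation: the field names, the exposure weighting, and the sort order are assumptions, and all CVE ids, scores, and assets are constructed placeholders.

```python
# Constructed sample data: placeholder CVE ids, scores and assets, not real records.
CVES = [
    {"id": "CVE-0000-0001", "product": "plc-fw", "fixed_in": (2, 4, 0),
     "cvss": 9.8, "kev": False, "epss": 0.02, "patch": False},
    {"id": "CVE-0000-0002", "product": "cam-fw", "fixed_in": (1, 9, 3),
     "cvss": 7.5, "kev": True, "epss": 0.91, "patch": True},
    {"id": "CVE-0000-0003", "product": "plc-fw", "fixed_in": (2, 1, 0),
     "cvss": 8.1, "kev": False, "epss": 0.40, "patch": True},
]
ASSETS = [
    {"name": "plc-line-3", "product": "plc-fw", "version": "2.3.1", "internet_facing": False},
    {"name": "cam-lobby", "product": "cam-fw", "version": "1.9.0", "internet_facing": True},
    {"name": "cam-dock", "product": "cam-fw", "version": "1.9.3", "internet_facing": False},
    {"name": "plc-line-1", "product": "plc-fw", "version": "2.0.5", "internet_facing": False},
]

def parse_version(text):
    """Turn '2.3.1' into (2, 3, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))

def is_affected(asset, cve):
    """An asset is affected when the product matches and its firmware predates the fix."""
    return (asset["product"] == cve["product"]
            and parse_version(asset["version"]) < cve["fixed_in"])

def priority(cve, asset):
    """Assumed sort key: KEV status first, then EPSS weighted by exposure, then CVSS."""
    exposure = 1.0 if asset["internet_facing"] else 0.5
    return (cve["kev"], round(cve["epss"] * exposure, 3), cve["cvss"])

def action(cve):
    """Without a vendor patch, the finding is routed to a compensating control."""
    return "patch" if cve["patch"] else "compensating-control"

def prioritize(assets, cves):
    """Map CVEs to the actual deployed assets, then rank the resulting findings."""
    findings = [(a, c) for a in assets for c in cves if is_affected(a, c)]
    findings.sort(key=lambda f: priority(f[1], f[0]), reverse=True)
    return [(a["name"], c["id"], action(c)) for a, c in findings]

if __name__ == "__main__":
    for row in prioritize(ASSETS, CVES):
        print(*row)
```

On this sample data the finding with the highest CVSS score ranks last because it is neither KEV-listed nor likely to be exploited, and the already-patched camera produces no finding at all.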