Investigator Use
The CVE database, maintained by MITRE Corporation under sponsorship from the US Department of Homeland Security, is the global standard for identifying and naming publicly disclosed cybersecurity vulnerabilities. Every CVE entry provides a unique identifier, description, severity score, and references to patches, advisories, and proof-of-concept exploit code.
What OSINT investigators and security analysts use CVE for: identifying known vulnerabilities in software versions observed during infrastructure reconnaissance, researching the exploitation history of specific CVEs to understand attacker capabilities, correlating vulnerability identifiers across threat intelligence reports, and assessing the risk exposure of a target organization's software stack.
What CVE exposes: standardized vulnerability identifiers in the format CVE-YEAR-NUMBER, concise descriptions of each vulnerability, CVSS severity scores, CWE weakness classifications, affected software and version ranges, and links to vendor advisories, patch notes, and research papers. New CVEs are published continuously as researchers and vendors disclose vulnerabilities.
CVE identifiers are the universal language of vulnerability intelligence. When threat intelligence reports reference specific CVEs, security teams can look them up to understand exactly what was exploited, what software is affected, and whether patches are available. This makes CVE an essential reference tool for understanding attacks observed during incident investigations.
For attack surface analysis: after discovering the software versions running on a target organization's infrastructure through Shodan or Censys, searching CVE for known vulnerabilities in those specific versions reveals the theoretical attack surface. Any high-severity unpatched CVE is a potential entry point worth noting in an investigation report.
NVD integration: the CVE database is mirrored and enriched by NIST's National Vulnerability Database (NVD), which adds CVSS scores, CWE classifications, and CPE identifiers. For full vulnerability details including severity scoring, the NVD provides more structured data than the CVE database alone.
In a workflow: use CVE lookups in the analysis phase after reconnaissance has identified software versions. Pair with Exploit DB to check whether working exploits exist for discovered CVEs. Use Pulsedive and MISP to check whether specific CVEs have been actively exploited in recent campaigns.
Before You Pivot
Record Context
Capture the target, search terms, and why this source is relevant before you leave the page.
Preserve Evidence
Archive volatile pages, save screenshots, and keep timestamps for anything that may change.
Corroborate
Treat one tool as a lead source. Confirm important findings with independent sources.
Related Tools
CVE Details
Cyber Threat OSINT
CVE Details aggregates vulnerability records, CVSS scores, and affected software lists for security analysis and patch prioritization.
Default Passwords
Cyber Threat OSINT
Find default passwords and credentials for routers, printers, servers, and network devices for authorized security auditing.
Exploit DB
Cyber Threat OSINT
The Exploit Database archives public exploits and proof-of-concept code for known vulnerabilities, used in penetration testing and research.
HoneyDB
Cyber Threat OSINT
HoneyDB aggregates honeypot sensor data to identify malicious IP addresses, attacker tactics, and emerging threat patterns.
Hybrid Analysis
Cyber Threat OSINT
Hybrid Analysis provides free malware sandboxing with Falcon Sandbox technology to analyze suspicious files and URLs for threat intelligence.
IP lists
Cyber Threat OSINT
FireHOL IP Lists aggregates cybercrime, botnet, malware, proxy, and abuse IP blocklists for threat intelligence and network filtering.