Flashpoint’s latest report challenges the common practice of building a vulnerability management program around CVE data alone.
Reaching a noteworthy milestone, the cybersecurity firm Flashpoint has announced that its VulnDB (Vulnerability Database) now documents over 100,000 vulnerabilities that have no entry in the Common Vulnerabilities and Exposures (CVE) list or the National Vulnerability Database (NVD). The total includes zero-day vulnerabilities, that is, flaws that were previously unknown, unannounced, and undocumented when they surfaced.
Vulnerability management programs typically rely on CVE data. According to Flashpoint, that approach leaves organizations exposed, because CVE overlooks roughly 30% of known vulnerabilities. VulnDB addresses this gap by including more than 100,000 non-CVE vulnerabilities alongside CVE entries, giving a more complete view of the threat landscape.
Flashpoint’s Brian Martin confirmed in the company’s official announcement that 101,000 non-CVE, or "hidden", vulnerabilities, including zero-days and recently exploited flaws, are now part of the database. These vulnerabilities affect both major vendors and specialized industries, and Flashpoint says they pose significant risk.
“Our team goes above and beyond to provide our customers with the most comprehensive, actionable, and timely source of vulnerability intelligence. This includes our team adding over 90 new vulnerabilities on average daily while also updating roughly many hundreds of existing records,” Flashpoint researchers noted.
CVE data has several limitations. According to Flashpoint, CVE misses at least 30% of known vulnerabilities, and assigning a CVE ID can take up to a month; during that window a flaw may already be public and under active exploitation, yet invisible to any tool that tracks vulnerabilities by CVE ID. The report also argues that CVE coverage favors vulnerabilities affecting major vendors and neglects niche industries with distinct needs.
VulnDB, by contrast, presents both CVE and non-CVE vulnerabilities in a standardized format, which makes them easier for organizations to track and remediate. Flashpoint says it collects data from thousands of sources and positions VulnDB as the most useful vulnerability database available.
Over half of the non-CVE vulnerabilities are rated High or Critical under CVSS v3. VulnDB covers a broader range of vendors than CVE, including Microsoft, Google, and Apple, and tracks zero-days and issues exploited in the wild, which Flashpoint says lets it deliver critical threat intelligence.
“Organizations need to remember that vulnerabilities discovered in the wild are sometimes first disclosed without a CVE ID. Zero-day vulnerabilities and other high-profile issues, such as the MOVEit vulnerability, also tend to follow this trend,” the blog read.
The report notes that 60.4% of non-CVE vulnerabilities are remotely exploitable, which makes them attractive targets for attackers. Flashpoint says VulnDB helps security teams identify and prioritize more vulnerabilities and focus on quick wins: flaws with readily available exploit information and documented remediation steps.
Teams can also improve patch effectiveness by prioritizing vulnerabilities by their actual impact and exploitability. Furthermore, VulnDB caters to the specific needs of industries such as manufacturing and medical devices, where issues are often missed by CVE.
According to the researchers, VulnDB provides quicker access to newly disclosed vulnerabilities, enabling proactive mitigation, and integrates with existing GRC, ITIL, CMDB, and SIEM products to streamline workflows.
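The two points above, that a CVE-keyed pipeline silently drops everything without a CVE ID and that prioritization should be driven by exploitability rather than by the presence of an identifier, are easy to see in a small triage routine. The following is an added example written for this article; it is not Flashpoint's code and does not use VulnDB's API. The records are constructed, and the field names (vuln_id, cve_id, cvss_v3, remote, exploit_public, exploited_in_wild) are assumptions, not VulnDB's schema.

```python
"""Added example (not Flashpoint's or VulnDB's code): measure the coverage
gap of a CVE-only pipeline and rank records by exploitability instead."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class VulnRecord:
    vuln_id: str                # feed-internal identifier (assumed field)
    cve_id: Optional[str]       # None when no CVE ID was ever assigned
    cvss_v3: float              # CVSS v3.x base score, 0.0 to 10.0
    remote: bool                # remotely exploitable (network attack vector)
    exploit_public: bool        # public exploit code is available
    exploited_in_wild: bool     # exploitation has been observed


# Constructed sample feed mixing CVE and non-CVE records (not real data).
SAMPLE_FEED: List[VulnRecord] = [
    VulnRecord("VDB-1", "CVE-2023-0001", 9.8, True, True, True),
    VulnRecord("VDB-2", None, 9.1, True, True, False),    # no CVE, public exploit
    VulnRecord("VDB-3", "CVE-2023-0002", 5.3, False, False, False),
    VulnRecord("VDB-4", None, 7.5, True, False, True),    # no CVE, exploited in wild
    VulnRecord("VDB-5", None, 4.3, False, False, False),
    VulnRecord("VDB-6", "CVE-2023-0003", 8.8, True, False, False),
]


def cvss_v3_band(score: float) -> str:
    """Map a CVSS v3.x base score to its qualitative severity rating."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def cve_only(records: List[VulnRecord]) -> List[VulnRecord]:
    """What a pipeline keyed on CVE IDs actually sees: non-CVE records vanish."""
    return [r for r in records if r.cve_id is not None]


def coverage_gap(records: List[VulnRecord]) -> Tuple[int, int]:
    """Return (records dropped by a CVE-only filter, how many of those are High/Critical)."""
    missed = [r for r in records if r.cve_id is None]
    severe = [r for r in missed if cvss_v3_band(r.cvss_v3) in ("High", "Critical")]
    return len(missed), len(severe)


def priority_key(r: VulnRecord):
    """Sort key: in-the-wild exploitation first, then public exploit, then remote
    reachability, then CVSS score. Booleans are negated so True sorts first and the
    score is negated for descending order; the CVE ID plays no part."""
    return (not r.exploited_in_wild, not r.exploit_public, not r.remote, -r.cvss_v3)


def prioritize(records: List[VulnRecord]) -> List[str]:
    """Rank every record, CVE or not, by exploitability and impact; return IDs in order."""
    return [r.vuln_id for r in sorted(records, key=priority_key)]


if __name__ == "__main__":
    dropped, dropped_severe = coverage_gap(SAMPLE_FEED)
    print(f"CVE-only view keeps {len(cve_only(SAMPLE_FEED))} of {len(SAMPLE_FEED)} records; "
          f"drops {dropped}, of which {dropped_severe} are High/Critical")
    print("Priority order:", prioritize(SAMPLE_FEED))
```

One practical caveat the ranking does not solve: a record without a CVE ID cannot be joined to scanner findings or asset inventories by CVE, so integrating such records into a CMDB or SIEM requires matching on vendor, product, and version instead.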
Dangers of Unreported and Unknown Vulnerabilities
Unreported vulnerabilities pose a significant threat because they are hidden and open to malicious exploitation. When a vulnerability goes unreported, the organizations running the affected software do not know it exists and therefore cannot patch or otherwise mitigate it.
This leaves systems exposed to threat actors who may use undisclosed flaws for unauthorized access, data breaches, or other malicious activity. Because security researchers and vendors also remain uninformed, the development of patches or mitigations is delayed.
As a result, unreported vulnerabilities tend to persist longer, widening the window of opportunity for attackers and posing a serious and often underestimated risk to the overall security posture of systems and networks.