After this lesson, you will be able to: Read a CVE entry and its CVSS vector, find the patch or workaround, and write a one-page vulnerability report a real security team would actually use.
The vulnerability report is the deliverable that turns scanner output into business action. This lesson teaches you to read the canonical sources (NVD, vendor advisories, CISA KEV) and write the artefact that gets fixes shipped.
Every CVE has: a CVE ID (CVE-YYYY-NNNNN), a description (often terse), references (advisory links), affected configurations (CPE list), and one or more CVSS scores. The CVE itself is just metadata; the real information is in the vendor advisory and any public exploit (Exploit-DB, GitHub PoCs). NVD (National Vulnerability Database) is the canonical source: nvd.nist.gov.
Read this vector character by character. Each metric has a defined meaning.
CVE-2024-1234CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H = Score 9.8 (Critical)AV:N Attack Vector: Network (remote, no local access needed)AC:L Attack Complexity: Low (reliable exploitation, no special conditions)PR:N Privileges Required: None (no authentication needed)UI:N User Interaction: None (no user click required)S:U Scope: Unchanged (impact stays in the vulnerable component)C:H Confidentiality: High (full disclosure of data)I:H Integrity: High (full modification possible)A:H Availability: High (denial of service possible)
Trace a real CVE end-to-end.
Pick a recent CVE from CISA KEV (cisa.gov/known-exploited-vulnerabilities-catalog)
Open nvd.nist.gov/vuln/detail/<CVE-ID> and read the description, CVSS vector, and CPE list
Click through to the vendor advisory (Microsoft, Cisco, Atlassian, etc.) and read the official fix
Search Exploit-DB and GitHub for the CVE ID, note whether a public PoC exists
Check if the vendor has emergency mitigations (often firewall rules or config changes) for environments that can't patch immediately
Note the EPSS score at api.first.org/data/v1/epss?cve=<CVE-ID>
Use this exact structure for every CVE you write up. Real security teams read hundreds of these; consistency is kindness.
# CVE-2024-1234, Remote Code Execution in Acme Widget Server 5.x**Severity:** Critical (CVSS 9.8) | CISA KEV: Yes | EPSS: 12.4%## What it isA pre-authentication RCE in the Acme Widget Server's /api/upload endpoint allows an attacker to execute arbitrary code as the service account.## Who's affectedAll Acme Widget Server 5.0 through 5.4.2. Patched in 5.4.3 (released 2024-MM-DD).## Impact in our environmentThree instances confirmed by OpenVAS: prod-widget-01, prod-widget-02, dr-widget-01. Service account has read access to the customer-records database.## FixUpgrade to 5.4.3 or later. Vendor advisory: <link>. Upgrade tested in staging on YYYY-MM-DD, no breakage.## Workaround if patching is delayedBlock /api/upload at the WAF (Cloudflare rule attached) until patch is deployed.## DetectionSplunk query: index=widget /api/upload AND status_code=200 AND user_agent!=Acme-Health-Check## Owner & deadlineOwner: Platform Eng (Lisa). Deadline: 72 hours per CISA KEV mandate.
Quoting CVSS without context. 'Critical CVE' means nothing if the bug requires a config you don't have. Skipping the impact-in-our-environment section. Generic reports get ignored; tailored reports get fixes shipped. Forgetting the workaround. The first 24 hours after disclosure are usually unpatched; a WAF rule or feature flag can buy time. Not naming an owner. Findings without owners die in Jira backlogs. Skipping detection. Every report should include 'how would we know if this was exploited yesterday'.
Three findings, same week. Which gets fixed first?
Sign in and purchase access to unlock this lesson.