█
LastWrite
  • > Curriculum
  • > Pricing
  • > For Educators
  • > About
  • > Contact
Log InGet Started

Questions, concerns, bug reports, or suggestions? We read every message, write to us at [email protected].

More ways to reach us →
LastWrite

Structured computer science lessons for aspiring developers and security professionals.

[email protected]

(201) 785-7951

Mon–Fri, 9 AM–5 PM EST

Learn

  • Curriculum
  • Pricing

Company

  • About
  • For Educators & Schools
  • Contact Us

Legal

  • Terms of Service
  • Privacy Policy
© 2026 LastWrite. All rights reserved.
Curriculum/Cybersecurity/Vulnerability Management/Reading CVEs and Writing the Report
45 minIntermediate

Reading CVEs and Writing the Report

After this lesson, you will be able to: Read a CVE entry and its CVSS vector, find the patch or workaround, and write a one-page vulnerability report a real security team would actually use.

The vulnerability report is the deliverable that turns scanner output into business action. This lesson teaches you to read the canonical sources (NVD, vendor advisories, CISA KEV) and write the artefact that gets fixes shipped.

Prerequisites:OpenVAS Scan-to-Remediation

Anatomy of a CVE

Every CVE has: a CVE ID (CVE-YYYY-NNNNN), a description (often terse), references (advisory links), affected configurations (CPE list), and one or more CVSS scores. The CVE itself is just metadata; the real information is in the vendor advisory and any public exploit (Exploit-DB, GitHub PoCs). NVD (National Vulnerability Database) is the canonical source: nvd.nist.gov.

Decoding a CVSS 3.1 vector

Read this vector character by character. Each metric has a defined meaning.

tsx
CVE-2024-1234
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H = Score 9.8 (Critical)
AV:N Attack Vector: Network (remote, no local access needed)
AC:L Attack Complexity: Low (reliable exploitation, no special conditions)
PR:N Privileges Required: None (no authentication needed)
UI:N User Interaction: None (no user click required)
S:U Scope: Unchanged (impact stays in the vulnerable component)
C:H Confidentiality: High (full disclosure of data)
I:H Integrity: High (full modification possible)
A:H Availability: High (denial of service possible)

💡 CVSS is the score. CISA KEV and EPSS are the truth.

CVSS measures theoretical severity. It does NOT measure whether anyone is actually exploiting the bug. CISA KEV (Known Exploited Vulnerabilities) lists bugs with confirmed in-the-wild exploitation, patch these first regardless of CVSS. EPSS (Exploit Prediction Scoring System) is a percent likelihood of exploitation in the next 30 days, useful for prioritising the long tail. A CVSS 9.8 with EPSS 0.02% can wait. A CVSS 7.5 in CISA KEV cannot.

Find the canonical sources

Trace a real CVE end-to-end.

  1. 1

    Pick a recent CVE from CISA KEV (cisa.gov/known-exploited-vulnerabilities-catalog)

  2. 2

    Open nvd.nist.gov/vuln/detail/<CVE-ID> and read the description, CVSS vector, and CPE list

  3. 3

    Click through to the vendor advisory (Microsoft, Cisco, Atlassian, etc.) and read the official fix

  4. 4

    Search Exploit-DB and GitHub for the CVE ID, note whether a public PoC exists

  5. 5

    Check if the vendor has emergency mitigations (often firewall rules or config changes) for environments that can't patch immediately

  6. 6

    Note the EPSS score at api.first.org/data/v1/epss?cve=<CVE-ID>

Template: 1-page vulnerability report

Use this exact structure for every CVE you write up. Real security teams read hundreds of these; consistency is kindness.

tsx
# CVE-2024-1234, Remote Code Execution in Acme Widget Server 5.x
**Severity:** Critical (CVSS 9.8) | CISA KEV: Yes | EPSS: 12.4%
## What it is
A pre-authentication RCE in the Acme Widget Server's /api/upload endpoint allows an attacker to execute arbitrary code as the service account.
## Who's affected
All Acme Widget Server 5.0 through 5.4.2. Patched in 5.4.3 (released 2024-MM-DD).
## Impact in our environment
Three instances confirmed by OpenVAS: prod-widget-01, prod-widget-02, dr-widget-01. Service account has read access to the customer-records database.
## Fix
Upgrade to 5.4.3 or later. Vendor advisory: <link>. Upgrade tested in staging on YYYY-MM-DD, no breakage.
## Workaround if patching is delayed
Block /api/upload at the WAF (Cloudflare rule attached) until patch is deployed.
## Detection
Splunk query: index=widget /api/upload AND status_code=200 AND user_agent!=Acme-Health-Check
## Owner & deadline
Owner: Platform Eng (Lisa). Deadline: 72 hours per CISA KEV mandate.

Common mistakes only senior analysts catch

Quoting CVSS without context. 'Critical CVE' means nothing if the bug requires a config you don't have. Skipping the impact-in-our-environment section. Generic reports get ignored; tailored reports get fixes shipped. Forgetting the workaround. The first 24 hours after disclosure are usually unpatched; a WAF rule or feature flag can buy time. Not naming an owner. Findings without owners die in Jira backlogs. Skipping detection. Every report should include 'how would we know if this was exploited yesterday'.

Quick Check

Which CVE should you prioritise?

Three findings, same week. Which gets fixed first?

Sign in and purchase access to unlock this lesson.

Sign in to purchase
←Hands-on: OpenVAS in Docker
Back to Vulnerability Management
Enterprise Patch Management→