Security Trends

June 8, 2026

What Is a CVE? Understanding Security Vulnerabilities and How PAM Limits Their Impact

CVE, CVSS, NVD, zero-day, exploit window — what do these terms mean, and why isn’t patching enough? This article explains the CVE system and shows how PAM limits damage before the patch arrives.

Jan Zeppernick - Amitego CEO

Introduction

More than 29,000 CVEs were published in 2024 alone — a new record. But what exactly is a CVE, how does the system behind it work, and why isn’t patching enough?

This article explains the CVE system from the ground up: what a CVE is, what CVSS scores and the NVD mean, and how the dangerous exploit window between vulnerability disclosure and patching is created. Most importantly, it shows how organizations can use Privileged Access Management (PAM) to effectively reduce their attack surface even when a patch hasn’t been applied yet.

Key Takeaways

  • CVE (Common Vulnerabilities and Exposures) is a global standard for uniquely identifying security vulnerabilities — each flaw gets an ID in the format CVE-YEAR-NUMBER
  • The CVSS score (0–10) rates the severity of a CVE from its exploitability and impact metrics; scores of 9.0 and above are classified as Critical
  • Over 29,000 CVEs were published in 2024 — a record, with 13% rated Critical
  • The exploit window between CVE disclosure and widespread patching averages 44 days (IBM Security)
  • PAM limits the blast radius of an unpatched CVE through least privilege, JIT access, and session recording
  • VISULOX closes the exploit window immediately — agentless, no operational disruption, deployed in under two days

What Is a CVE?

CVE stands for Common Vulnerabilities and Exposures — a public registry of standardized identifiers for known security flaws in software and hardware. Each vulnerability receives a unique CVE ID in the format CVE-YEAR-NUMBER, for example CVE-2021-44228 (Log4Shell) or CVE-2023-44487 (HTTP/2 Rapid Reset).

The CVE system was created in 1999 by MITRE Corporation and is now the global standard referenced by security researchers, vendors, government agencies, and IT teams worldwide. Without this common framework, coordinated response to security vulnerabilities would be nearly impossible.

How Is a CVE Created? The Disclosure Process

A CVE typically goes through three phases:

  1. Discovery: A security researcher, organization, or government agency identifies a vulnerability in a product.
  2. Coordinated Disclosure: The vulnerability is reported to the vendor, who develops a patch. The vulnerability is only made public after the patch is available, or after an agreed deadline passes.
  3. CVE Assignment and Publication: A CVE Numbering Authority (CNA), which can be MITRE, the vendor itself, or another accredited organization, assigns the CVE ID. The ID is usually reserved as soon as the report is accepted, and the record is published to the CVE List when the vulnerability goes public. The NVD then imports the record and enriches it with CVSS scores and affected-product data.

Not every vulnerability gets patched immediately. Not every vulnerability gets a patch at all. And between the publication of a CVE and widespread patch deployment, many organizations face a dangerous exposure window.

CVE, CVSS, NVD, and CISA KEV: What Each Means

These terms are frequently confused but refer to different things:

  • CVE (Common Vulnerabilities and Exposures): The unique ID and description of a vulnerability. CVE doesn’t rate how dangerous it is — just that it exists and how it manifests.
  • CVSS (Common Vulnerability Scoring System): A scoring framework that assigns a numeric score from 0 to 10 to a CVE. A score of 9.0–10.0 is Critical, 7.0–8.9 is High. The base score is derived from attack vector, attack complexity, required privileges, user interaction, scope, and the impact on confidentiality, integrity, and availability. It describes the flaw itself, not your environment: a 9.8 on an internal host reachable only through audited privileged sessions is a different risk from the same 9.8 on an internet-facing system.
  • NVD (National Vulnerability Database): The NIST database that enriches CVEs with CVSS scores, patch references, affected product versions, and additional metadata. The NVD is the primary reference for vulnerability management tools worldwide.
  • CISA KEV (Known Exploited Vulnerabilities): A list maintained by the US Cybersecurity and Infrastructure Security Agency of CVEs being actively exploited in the wild. An entry on this list means: immediate action required.

"In 2024, 29,065 CVEs were published — more than ever before. Over 13% were rated Critical. And new ones arrive every day." — NIST / NVD Annual Report 2024

Zero-Day Vulnerabilities: The Special Case

A zero-day is a vulnerability for which no patch exists at the time it is being exploited. The name comes from the fact that the vendor had “zero days” to respond. Zero-days are especially dangerous because:

  • No patch is available — patching as a countermeasure is off the table
  • Traditional signature-based detection often fails because no known attack pattern exists
  • Nation-state actors and APT groups actively buy and deploy zero-days as offensive weapons

For zero-days, patching is not available, so what a compromised account or host is allowed to reach becomes the decisive control. PAM is one of the few protection layers that still works before a fix exists.

The Exploit Window: Why Patching Alone Isn’t Enough

The biggest misconception about CVEs is that patching is the complete solution. In practice, there are three structural problems:

  • Time gap: According to IBM Security, the average organization takes 44 days to patch a critical vulnerability after it’s disclosed. Systems are exposed throughout that window.
  • Unpatchable systems: Legacy systems, OT/ICS environments, or third-party software often receive no patches — either because support has ended or because patching would disrupt operations.
  • Patch fatigue: Security teams are overwhelmed by the sheer volume of CVEs. Prioritizing by CVSS score alone is insufficient — not every Critical CVE is exploitable in your specific environment.

The question therefore is not just: How fast can we patch? But: How do we limit damage when a CVE is exploited before the patch is deployed? More on related risks: Securing RDP: Best Practices Against Remote Desktop Attacks

How PAM Limits the Blast Radius of a CVE

Most serious CVE exploits follow a pattern: an attacker uses a vulnerability to gain initial access or escalate privileges — then moves laterally through the network until reaching their target. Privileged accounts are the preferred target because they provide the broadest access.

PAM limits this blast radius in multiple ways:

  • Least privilege: Every user and system has only the rights it needs for its specific task. A compromised component can’t roam freely through the network. More: The Principle of Least Privilege
  • Just-in-time access: Privileged access doesn't exist permanently. It's granted only for the specific use case and automatically revoked afterward. An attacker finds no standing privileged credentials to harvest.
  • Session recording: Even if an attack occurs, every privileged action is recorded. That record supports forensic analysis, incident response, and compliance evidence.
  • System-level access control: External vendors and administrators access only the specific systems they need — no broad VPN access to the entire network. More on external access: Securing Third-Party Vendor Access

VISULOX: PAM as a CVE Protection Layer

VISULOX is built as a decentralized remote PAM platform for exactly this situation. When a critical CVE is published and the patch isn’t yet deployed, VISULOX provides an immediate protection layer:

  • Immediately restrict access to affected systems: While a patch is pending, access to affected systems can be reduced to the absolute minimum — only authorized, identified users with explicit JIT approval.
  • Eliminate the external attack surface: Third-party vendors and external service providers access exclusively through the central VISULOX gateway. No direct system access, no exposed RDP port, no permanent VPN credentials.
  • Tamper-proof logging: Every access action on a potentially affected system is fully documented — for internal forensics and NIS-2 reporting obligations (§ 32 BSIG).
  • Deployed in under two days: No months-long rollout project. VISULOX is agentless and production-ready within two business days — even as an emergency response to an active CVE threat.

NIS-2 reporting obligations for CVE incidents: NIS-2: What the New EU Directive Means for Your Organization

Checklist: Reduce CVE Risk Systematically in 5 Steps

  1. Set up CVE monitoring: Subscribe to CVE feeds (NVD, CISA KEV, vendor advisories) for all products in your environment. Tools like Tenable, Qualys, or OpenVAS automate detection of affected assets.
  2. Maintain an asset inventory: You can only assess CVE impact quickly if you know exactly what software and hardware is deployed. An incomplete asset inventory is the most common obstacle to fast patching.
  3. Prioritize patches by CVSS score and exploitability: Not every CVE requires immediate action. Prioritize by CVSS score and whether a working exploit is publicly available — the CISA KEV list is the first reference.
  4. Control privileged access: While a patch is pending, reduce privileged access to affected systems to the minimum. JIT access via PAM effectively closes the exploit window.
  5. Define a CVE incident response plan: Establish in advance who gets notified for a critical CVE, how quickly patching must happen, and what compensating controls apply when immediate patching isn’t possible.
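The following added example (not part of the original article or of VISULOX) ties steps 1 to 3 together: it matches a feed of CVE records against an asset inventory and orders the result so that KEV entries come first, then Critical, then High, dropping anything that does not touch an inventoried asset. The records and inventory are constructed sample data: the two real CVE IDs are the ones named earlier in this article with their published CVSS base scores and KEV status, the `CVE-0000-...` entries are placeholders rather than real CVEs, and product/version strings are illustrative (a real tool matches CPE version ranges, not exact strings).

```python
import re
from dataclasses import dataclass

# CVE-YEAR-NUMBER: four-digit year, sequence number of four or more digits.
CVE_ID_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")


@dataclass(frozen=True)
class CveRecord:
    cve_id: str
    cvss: float           # base score as enriched by the NVD
    in_kev: bool          # listed in CISA KEV, i.e. exploited in the wild
    affected: frozenset   # {(product, version), ...} from the advisory


def priority(record: CveRecord) -> int:
    """1 = actively exploited (KEV), 2 = Critical, 3 = High, 4 = everything else.
    KEV membership outranks the CVSS score: a 7.5 that is being exploited
    needs action before a 9.8 with no known exploit."""
    if record.in_kev:
        return 1
    if record.cvss >= 9.0:
        return 2
    if record.cvss >= 7.0:
        return 3
    return 4


def triage(records, inventory):
    """Return (cve_id, priority, cvss, [assets]) for every CVE that hits an
    inventoried asset, ordered by priority, then score, then ID.
    CVEs for products not in the inventory are dropped; without an
    asset inventory this matching is impossible, which is why step 2 exists."""
    queue = []
    for rec in records:
        if not CVE_ID_RE.match(rec.cve_id):
            raise ValueError(f"malformed CVE ID: {rec.cve_id!r}")
        hit = sorted(asset for asset, pv in inventory.items() if pv in rec.affected)
        if not hit:
            continue
        queue.append((rec.cve_id, priority(rec), rec.cvss, hit))
    queue.sort(key=lambda e: (e[1], -e[2], e[0]))
    return queue


# Constructed sample inventory: asset name -> (product, version). Product and
# version strings are illustrative placeholders, not real affected-version data.
SAMPLE_INVENTORY = {
    "app-01": ("log4j-core", "2.14.1"),
    "app-02": ("log4j-core", "2.17.1"),
    "edge-01": ("http2-proxy", "1.0"),
    "db-01": ("legacy-db", "9.0"),
}

# Constructed sample feed. The first two IDs are the real CVEs named in the
# article with their published CVSS base scores and KEV status; the
# CVE-0000-... entries are placeholders, not real CVEs.
SAMPLE_RECORDS = [
    CveRecord("CVE-2021-44228", 10.0, True, frozenset({("log4j-core", "2.14.1")})),
    CveRecord("CVE-2023-44487", 7.5, True, frozenset({("http2-proxy", "1.0")})),
    CveRecord("CVE-0000-00001", 9.8, False, frozenset({("legacy-db", "9.0")})),
    CveRecord("CVE-0000-00002", 9.1, False, frozenset({("other-product", "3.2")})),
]

if __name__ == "__main__":
    for cve_id, prio, cvss, assets in triage(SAMPLE_RECORDS, SAMPLE_INVENTORY):
        print(f"P{prio}  {cve_id}  CVSS {cvss:<4}  assets: {', '.join(assets)}")
```

Run against the sample data, the 7.5 KEV entry is queued ahead of the 9.8 placeholder that nobody is exploiting, and the 9.1 placeholder disappears because no inventoried asset runs that product. The assets listed for each P1 entry are exactly the systems whose privileged access should be reduced to JIT-only while the patch is pending (step 4).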

Conclusion

CVEs are inevitable — they exist as long as software is developed. The critical question isn’t whether your organization will be affected, but how you limit the damage when an exploit arrives before the patch. Patching is necessary, but not sufficient.

The combination of fast CVE monitoring, rigorous patch prioritization, and Privileged Access Management reduces your attack surface to a minimum. VISULOX closes the window between CVE disclosure and patch deployment — agentless, deployed in under two days, without disrupting operations.
