
Coverage Plus Context Equals Intelligent Exposure Management

Last updated on Jul 31, 2025 | 5 min read

Common Vulnerabilities and Exposures (CVEs) is the standardized directory of publicly known software flaws that attackers can exploit to carry out cyber attacks. Vulnerability management solutions scan for CVEs to give you a list of all the gaps in your attack surface, but the volume of new vulnerabilities has been growing significantly in recent years. In 2024, there were over 100 security defects announced every day. 

Each time one of these software insecurities emerges, organizations must decide whether they’re facing more noise or a legitimate, business-disrupting risk. This dilemma is why organizations are trying to combine broad CVE coverage with threat-aware context, making this combination a mandatory component of their exposure management solutions. Without maximum CVE visibility or a comprehensive, unique understanding of what each vulnerability means to the business, teams are unable to fully protect their attack surface.

The risks of partial visibility

Consider this: An old version of ConnectWise ScreenConnect has a security flaw that attackers can use to bypass authentication controls and breach your network, using it as a launchpad to execute commands, install malware, and move laterally across your environment. Your scanner failed to flag this CVE because it only prioritized “high-risk” or “most exploited” CVEs, a logic that sounded good on paper but in practice created a blind spot for an attacker to get inside your network.

Adversaries are opportunists, not bound by a curated list of “Top 10 CVEs.” They exploit whatever works, and what works is sometimes what you didn’t know existed. An exposure management solution with broad CVE coverage helps teams reduce the likelihood of exposures because it is more likely to scan for a vulnerability that is impactful to your organization but may not have made the CISA KEV catalog.

Start with coverage, expand with context

Modern environments are sprawling, complex, and full of surprises. With cloud misconfigurations, forgotten third-party libraries, and ancient PostgreSQL instances that teams assume are “dev-only,” there’s no such thing as a “manageable attack surface” anymore. You should assume everything is fair game for attackers, and think how they think when prioritizing remediation. 

This means that “expansive CVE coverage” shouldn’t just mean more CVEs. Your exposure management solution should incorporate internal and external scanning with threat intelligence, so it understands the nuances of how a CVE with a medium severity rating might be trivial in one setup but a disruptive compromise in another that has exposed services, open ports, or overprivileged access controls. Organizations are realizing that they cannot limit vulnerability coverage to criticals and highs because it leaves them one oversight away from the next breach headline.

Legacy vulnerability management tools offer a list of CVEs and their CVSS scores (a severity rating from 0-10). Some exposure management solutions go a bit further by acting as an aggregator of other vulnerability management tools’ findings. A top-tier exposure management platform takes both approaches and automatically incorporates actionable, threat-aware context, such as outlined below:

| Consideration | Reasoning |
|---|---|
| Is this CVE actively being exploited in the wild? | A theoretical exploit can be less concerning than an active one. |
| Is the affected asset internet-facing? | A vulnerable server in a protected lab is probably less of a worry than one broadcasting to the internet. |
| Can an attacker chain this CVE with another misconfiguration or weakness to reach a critical asset? | It's often not just about one security flaw, but about a combination of flaws that, stitched together, lead to sensitive data. |

A comprehensive exposure management platform analyzes, correlates, and contextualizes CVEs, and it all starts with having expansive vulnerability coverage to give your analytics engine a rich source of data to work with. This enables security teams to identify exploit chains, uncover hidden dependencies, and forecast attack paths before they’re utilized by cybercriminals.
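The three considerations above can be applied to a findings list as follows. This is an added example, not Rapid7's scoring method or code from the original post; the asset names, reachability edges, placeholder CVE ids and the lexicographic ordering are all assumptions made for illustration.

```python
from collections import deque

# Constructed sample data: asset names, CVE ids and scores are placeholders.
ASSETS = {
    "remote-access-gw": {"internet_facing": True,  "critical": False},
    "build-server":     {"internet_facing": False, "critical": False},
    "lab-vm":           {"internet_facing": False, "critical": False},
    "customer-db":      {"internet_facing": False, "critical": True},
}
# Directed edges: "an attacker on A can reach B" (open port, shared
# credential, overprivileged role). Constructed for illustration.
EDGES = {
    "remote-access-gw": ["build-server"],
    "build-server": ["customer-db"],
    "lab-vm": [],
}
FINDINGS = [
    {"cve": "CVE-EXAMPLE-0001", "asset": "lab-vm", "cvss": 9.8, "exploited": False},
    {"cve": "CVE-EXAMPLE-0002", "asset": "remote-access-gw", "cvss": 6.5, "exploited": True},
    {"cve": "CVE-EXAMPLE-0003", "asset": "build-server", "cvss": 7.5, "exploited": False},
]

def path_to_critical(asset, edges=EDGES, assets=ASSETS):
    """Return the shortest asset path from `asset` to a critical asset, or None."""
    queue, seen = deque([[asset]]), {asset}
    while queue:
        path = queue.popleft()
        if assets[path[-1]]["critical"]:
            return path
        for nxt in edges.get(path[-1], []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None

def cvss_only(findings, threshold=7.0):
    """Legacy view: keep only highs and criticals, ordered by score."""
    kept = [f for f in findings if f["cvss"] >= threshold]
    return [f["cve"] for f in sorted(kept, key=lambda f: -f["cvss"])]

def contextual(findings, assets=ASSETS):
    """Keep every finding; order by the three context questions, then CVSS."""
    def key(f):
        return (f["exploited"], assets[f["asset"]]["internet_facing"],
                path_to_critical(f["asset"]) is not None, f["cvss"])
    return [f["cve"] for f in sorted(findings, key=key, reverse=True)]

if __name__ == "__main__":
    print("CVSS-only :", cvss_only(FINDINGS))
    print("contextual:", contextual(FINDINGS))
    print("chain     :", path_to_critical("remote-access-gw"))
```

The CVSS-only view drops the medium-severity finding on the internet-facing gateway entirely, while the contextual view ranks it first and exposes the gateway-to-database path that makes it matter.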

Think before you remediate

We’ve discussed the value of expansive CVE coverage, but it’s important to note that you don’t have to immediately begin remediating every vulnerability the moment it arises. Knowing key details about each one gives you the power of choice, context, and command. In a threat landscape that never stops changing, organizations are turning to Rapid7’s all-in-one Exposure Command platform that combines the industry’s largest database of CVEs with a threat-aware risk scoring methodology.

For proof, let’s consider the ConnectWise example highlighted earlier. Rapid7 identified the vulnerability on February 20, 2024 and delivered coverage as well as a Metasploit exploit module by February 21st – just a day later. This early information was invaluable, allowing for mitigation before the vulnerability was actively exploited in the wild. CISA later added it to their KEV catalog on February 22. With more than 102,000 vulnerabilities mapped, Rapid7 provides a large database of exposures, trusted by thousands of the world’s leading enterprises who are moving beyond analyzing simple lists of CVEs to understanding the full tapestry of their attack surfaces.

Start taking command of your attack surface: Tour Rapid7’s Exposure Command platform today.
