Exploitability

Some vulnerability entries contain information and links about existing exploits. An exploit is a tutorial or software, which helps to execute or automate the exploitation of a vulnerability.

Such an exploit might have a specific level of exploitability, also called exploit code maturity. The exploitability definition on VulDB uses the same metric levels like CVSSv2 and CVSSv3. Our definitions are slightly enhanced and shown in the table below.

TitleCVSSv3CVSSv2DescriptionExample
Not DefinedXNDThe exploitability level is not defined. This is the case when no information about an exploit is available.no information about exploits available
UnprovenUUNo exploit is available, or an exploit is entirely theoretical.exploit is private, no public exploit available
Proof-of-ConceptPPOCA simple exploit is available which illustrates the basic functionality of exploitation, without a certain level of reliability, no customization possibilities, and no error handling.static URL, Curl statement, simple shell skript
FunctionalFFA solid exploit is available which provides mostly reliable exploit capabilities that work in most scenarios.enhanced skript, basic exploit implementation
HighHHA professionalized exploit is available with a very high level of reliability, the possibility to change options, and solid error handling. Such an exploit is easy-to-use by attackers not familiar with the technical details of the underlying vulnerability.Metasploit module, NMAP NSE skript

The exploitability level is one of tha major factor that impacts the calculation of exploit prices.

Do you need the next level of professionalism?

Upgrade your account now!