Exploitability
📌 Article pinned by VulDB Support Team
Some vulnerability entries contain information and links about existing exploits. An exploit is a tutorial or software, which helps to execute or automate the exploitation of a vulnerability.
Exploit Maturity
Such an exploit might have a specific level of exploitability, also called exploit code maturity. The exploitability definition on VulDB uses the same metric levels like CVSSv2 and CVSSv3. CVSSv4 retired this metric and introduced a similar sounding threat metric called exploit maturity which is focussing on exploit activities rather than exploit quality levels. Our definitions are slightly enhanced and shown in the table below.
Symbol | CVSSv4 | CVSSv3 | CVSSv2 | Description | Example |
---|---|---|---|---|---|
High | A / P | H | H | A professionalized exploit is available with a very high level of reliability, the possibility to change options, and solid error handling. Such an exploit is easy-to-use by attackers not familiar with the technical details of the underlying vulnerability. | Metasploit module, NMAP NSE skript |
Functional | A / P | F | F | A solid exploit is available which provides mostly reliable exploit capabilities that work in most scenarios. | enhanced skript, basic exploit implementation |
Proof-of-Concept | P | P | POC | A simple exploit is available which illustrates the basic functionality of exploitation, without a certain level of reliability, no customization possibilities, and no error handling. | static URL, Curl statement, simple shell skript |
Unproven | U | U | U | No exploit is available, or an exploit is entirely theoretical. | exploit is private, no public exploit available |
Not Defined | - | X | ND | The exploitability level is not defined. This is the case when no information about an exploit is available. | no information about exploits available |
Impact and Threats
The exploitability level is one of tha major factor that impacts the calculation of exploit prices. The Known Exploited Vulnerabilities Catalog (KEV) by CISA provides data about detected exploit behavior. We may recommend our unique CTI activity scores for a better and more accurate predictive identification of emerging and executed exploit activities.
Mise à jour: 01/06/2024 par VulDB Documentation Team