Exploitability
Some vulnerability entries contain information and links about existing exploits. An exploit is a tutorial or a piece of software that helps to execute or automate the exploitation of a vulnerability.
Such an exploit has a specific level of exploitability, also called exploit code maturity. The exploitability definition on VulDB uses the same metric levels as CVSSv2 and CVSSv3. CVSSv4 retired this metric and introduced a similarly named threat metric called Exploit Maturity, which focuses on observed exploit activity rather than on exploit quality levels. Our definitions are slightly enhanced and shown in the table below.
Level | CVSSv4 | CVSSv3 | CVSSv2 | Description | Example
---|---|---|---|---|---
High | A / P | H | H | A professionalized exploit is available with a very high level of reliability, the possibility to change options, and solid error handling. Such an exploit is easy to use by attackers not familiar with the technical details of the underlying vulnerability. | Metasploit module, Nmap NSE script
Functional | A / P | F | F | A solid exploit is available which provides mostly reliable exploit capabilities that work in most scenarios. | enhanced script, basic exploit implementation
Proof-of-Concept | P | P | POC | A simple exploit is available which illustrates the basic functionality of exploitation, without a certain level of reliability, no customization possibilities, and no error handling. | static URL, curl statement, simple shell script
Unproven | U | U | U | No exploit is available, or an exploit is entirely theoretical. | exploit is private, no public exploit available
Not Defined | - | X | ND | The exploitability level is not defined. This is the case when no information about an exploit is available. | no information about exploits available
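When vulnerability data arrives as raw CVSS vectors from several sources, the table above is what normalizes the `E` (exploit code maturity / exploit maturity) metric across versions. The following Python snippet is an added example, not VulDB code: it parses CVSSv2, v3.x and v4.0 vector strings (v2 vectors carry no `CVSS:x.y/` prefix), reads the `E` metric, and returns the VulDB level(s) the table assigns to it. It deliberately returns a list, because the table maps CVSSv4 `E:A` and `E:P` to more than one level, so a v4 vector alone cannot fix the VulDB level; a missing `E` metric yields "Not Defined", as the text describes. The sample vectors are constructed. The only value not taken from the table is `X` for CVSSv4 "Not Defined", which is the default the CVSS v4.0 specification uses where the table shows "-".

```python
import re
from typing import Dict, List, Tuple

# VulDB exploitability level -> value of the CVSS "E" metric per version family,
# taken from the table above. "A / P" in the CVSSv4 column becomes ("A", "P").
# Assumption: CVSSv4 "Not Defined" is spelled E:X, the specification's default.
LEVELS: Dict[str, Dict[str, Tuple[str, ...]]] = {
    "High":             {"4.0": ("A", "P"), "3": ("H",), "2": ("H",)},
    "Functional":       {"4.0": ("A", "P"), "3": ("F",), "2": ("F",)},
    "Proof-of-Concept": {"4.0": ("P",),     "3": ("P",), "2": ("POC",)},
    "Unproven":         {"4.0": ("U",),     "3": ("U",), "2": ("U",)},
    "Not Defined":      {"4.0": ("X",),     "3": ("X",), "2": ("ND",)},
}

_PREFIX = re.compile(r"^CVSS:(3\.[01]|4\.0)/")


def parse_vector(vector: str) -> Tuple[str, Dict[str, str]]:
    """Split a CVSS vector into (version family, {metric: value}).

    Version family is "2", "3" or "4.0". A vector without a CVSS:x.y/ prefix
    is treated as CVSSv2, which never carried one (and is sometimes shown in
    parentheses, which are stripped here).
    """
    vector = vector.strip().strip("()")
    m = _PREFIX.match(vector)
    if m:
        version = "3" if m.group(1).startswith("3") else "4.0"
        body = vector[m.end():]
    else:
        version, body = "2", vector
    metrics: Dict[str, str] = {}
    for part in body.split("/"):
        if not part:
            continue
        if ":" not in part:
            raise ValueError(f"malformed metric {part!r} in {vector!r}")
        key, value = part.split(":", 1)
        metrics[key] = value
    return version, metrics


def exploitability_levels(vector: str) -> List[str]:
    """Return the VulDB exploitability level(s) implied by a vector's E metric.

    CVSSv2 and v3 yield exactly one level. CVSSv4 E:A and E:P match several
    rows of the table, so all matching levels are returned and the caller must
    resolve the ambiguity from other evidence. No E metric means "Not Defined".
    """
    version, metrics = parse_vector(vector)
    e = metrics.get("E")
    if e is None:
        return ["Not Defined"]
    hits = [name for name, codes in LEVELS.items() if e in codes[version]]
    if not hits:
        raise ValueError(f"unknown E value {e!r} for CVSS {version}")
    return hits


if __name__ == "__main__":
    # Constructed sample vectors, one per version family.
    samples = [
        "(AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C)",
        "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F",
        "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
        "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
    ]
    for v in samples:
        print(f"{v}\n  -> {exploitability_levels(v)}")
```

The ambiguity surfaced for CVSSv4 is the practical consequence of the "retired this metric" remark: a pipeline that ingests v4 data has to keep a separate exploit quality field (or consult sources such as the entry's linked exploits) rather than deriving the VulDB level from the vector alone.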
The exploitability level is one of the major factors that impact the calculation of exploit prices. We recommend our unique CTI activity scores for a better and more accurate predictive identification of emerging and executed exploit activities.