Exploitability

Some vulnerability entries contain information and links about existing exploits. An exploit is a tutorial or software, which helps to execute or automate the exploitation of a vulnerability.

Such an exploit might have a specific level of exploitability, also called exploit code maturity. The exploitability definition on VulDB uses the same metric levels like CVSSv2 and CVSSv3. CVSSv4 retired this metric and introduced a similar sounding threat metric called exploit maturity which is focussing on exploit activities rather than exploit quality levels. Our definitions are slightly enhanced and shown in the table below.

SymbolCVSSv4CVSSv3CVSSv2DescriptionExample
High
A / PHHA professionalized exploit is available with a very high level of reliability, the possibility to change options, and solid error handling. Such an exploit is easy-to-use by attackers not familiar with the technical details of the underlying vulnerability.Metasploit module, NMAP NSE skript
Functional
A / PFFA solid exploit is available which provides mostly reliable exploit capabilities that work in most scenarios.enhanced skript, basic exploit implementation
Proof-of-Concept
PPPOCA simple exploit is available which illustrates the basic functionality of exploitation, without a certain level of reliability, no customization possibilities, and no error handling.static URL, Curl statement, simple shell skript
Unproven
UUUNo exploit is available, or an exploit is entirely theoretical.exploit is private, no public exploit available
Not Defined
-XNDThe exploitability level is not defined. This is the case when no information about an exploit is available.no information about exploits available

The exploitability level is one of tha major factor that impacts the calculation of exploit prices. We may recommend our unique CTI activity scores for a better and more accurate predictive identification of emerging and executed exploit activities.

Do you want to use VulDB in your project?

Use the official API to access entries easily!