Common Vulnerabilities and Exposures
A globally unique identifier for a publicly disclosed cybersecurity vulnerability.
Reviewed by Christian Espinosa, Founder, Blue Goat Cyber. Last reviewed May 5, 2026.
Definition
Common Vulnerabilities and Exposures (CVE) is a public catalog of disclosed cybersecurity vulnerabilities, each assigned a unique CVE ID (e.g., CVE-2024-12345). The program is operated by MITRE and sponsored by CISA. CVE IDs are the lingua franca of vulnerability management: they let manufacturers, hospitals, researchers, and security tooling refer to the same vulnerability unambiguously across SBOMs, advisories, vulnerability scanners, and patch notes.
What the regulation says
FDA expects manufacturers to monitor CVEs against the components in their SBOM as a continuous post-market activity, and to assess each CVE's exploitability in their device using a VEX document or equivalent. CISA's Known Exploited Vulnerabilities (KEV) catalog flags CVEs with confirmed in-the-wild exploitation; CVEs on the KEV list typically warrant accelerated triage. ICS-CERT (now part of CISA) issues medical-device-specific advisories that reference CVE IDs.
What this means in practice
Modern MedTech vulnerability programs ingest CVE feeds (NVD, OSV.dev, vendor advisories) automatically, match them against each device's SBOM, and route confirmed-applicable CVEs into the existing CAPA or post-market surveillance workflow. VEX statements communicate exploitability decisions to operators so hospitals don't have to triage every CVE themselves.
Common pitfalls
- Treating the CVSS score alone as the prioritization signal: exploitability and reachability matter more than headline severity.
- Manually tracking CVEs against the SBOM without automation; humans miss them.
- Failing to publish VEX statements, leaving hospitals to assume every CVE in the SBOM is exploitable.
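The automated SBOM matching and KEV-aware triage described above, with a VEX status per finding, as an added example that is not code from this glossary; the SBOM, CVE feed, KEV set and reachability notes are constructed sample data and the CVE IDs are placeholders, not real CVEs:

```python
"""SBOM-to-CVE matching with KEV-aware triage and a VEX status per finding.
Added illustration, not code from the glossary page; SBOM, CVE feed, KEV set and
reachability notes are constructed and the CVE IDs are placeholders."""
import re

# Constructed SBOM extract: component -> version, as listed in a CycloneDX/SPDX file.
SBOM = {"openssl": "1.1.1k", "libxml2": "2.9.10", "busybox": "1.33.1"}
# Constructed CVE feed records: affected package, inclusive version range, CVSS base score.
CVE_FEED = [
    {"id": "CVE-EXAMPLE-0001", "package": "openssl", "min": "1.1.1", "max": "1.1.1l", "cvss": 9.8},
    {"id": "CVE-EXAMPLE-0002", "package": "libxml2", "min": "2.9.0", "max": "2.9.10", "cvss": 5.5},
    {"id": "CVE-EXAMPLE-0003", "package": "busybox", "min": "1.34.0", "max": "1.35.0", "cvss": 7.5},
]
KEV = {"CVE-EXAMPLE-0002"}  # constructed stand-in for the CISA KEV catalog
# Manufacturer's reachability analysis, which becomes the VEX justification (constructed).
NOT_REACHABLE = {"CVE-EXAMPLE-0001": "vulnerable TLS code path not compiled into firmware"}

def parse_version(v: str) -> tuple:
    """Turn '1.1.1k' into ((1, ''), (1, ''), (1, 'k')) so ranges compare correctly."""
    parts = []
    for piece in v.split("."):
        m = re.fullmatch(r"(\d+)([A-Za-z]*)", piece)
        if not m:
            raise ValueError(f"unsupported version component: {piece!r}")
        parts.append((int(m.group(1)), m.group(2)))
    return tuple(parts)

def in_range(version: str, low: str, high: str) -> bool:
    return parse_version(low) <= parse_version(version) <= parse_version(high)

def triage(sbom, feed, kev, not_reachable):
    """Return CVEs applicable to the SBOM with a VEX status, most urgent first."""
    findings = []
    for cve in feed:
        ver = sbom.get(cve["package"])
        if ver is None or not in_range(ver, cve["min"], cve["max"]):
            continue  # component absent, or version outside the affected range
        if cve["id"] in not_reachable:
            status, priority = "not_affected", 0  # recorded in VEX; no CAPA needed
        elif cve["id"] in kev:
            status, priority = "affected", 2  # confirmed exploitation: accelerated triage
        else:
            status, priority = "under_investigation", 1
        findings.append({"id": cve["id"], "package": cve["package"], "version": ver,
                         "cvss": cve["cvss"], "vex_status": status, "priority": priority,
                         "justification": not_reachable.get(cve["id"])})
    # KEV membership and reachability outrank the headline CVSS score.
    return sorted(findings, key=lambda f: (-f["priority"], -f["cvss"]))
```

Note that the CVSS 9.8 finding sorts below the CVSS 5.5 one: the former is documented as not reachable, while the latter is on the KEV list.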
Frequently asked questions
What is the difference between CVE, CVSS, and CWE?
CVE is the unique identifier for a specific vulnerability instance. CVSS is a 0–10 severity score. CWE (Common Weakness Enumeration) classifies the underlying type of weakness (e.g., CWE-79, cross-site scripting). All three are MITRE-coordinated programs.