Common Vulnerabilities and Exposures
A globally unique identifier for a publicly disclosed cybersecurity vulnerability.
Definition
Common Vulnerabilities and Exposures (CVE) is a public catalog of disclosed cybersecurity vulnerabilities, each assigned a unique CVE ID (e.g., CVE-2024-12345). The program is operated by MITRE and sponsored by CISA. CVE IDs are the lingua franca of vulnerability management - they let manufacturers, hospitals, researchers, and security tooling refer to the same vulnerability unambiguously across SBOMs, advisories, vulnerability scanners, and patch notes.What this means in practice
Modern MedTech vulnerability programs ingest CVE feeds (NVD, OSV.dev, vendor advisories) automatically, match them against each device's SBOM, and route confirmed-applicable CVEs into the existing CAPA or post-market surveillance workflow. VEX statements communicate exploitability decisions to operators so hospitals don't have to triage every CVE themselves.- •Treating CVSS score alone as the prioritization signal - exploitability and reachability matter more than headline severity.
- •Manually tracking CVEs without automation against the SBOM - humans miss them.
- •Failing to publish VEX statements, leaving hospitals to assume every CVE in the SBOM is exploitable.
Frequently asked questions
Cross-references
Related terms
Shared paths + categoryAn industry-standard 0–10 score that quantifies the severity of a software vulnerability.
A machine-readable statement that explains whether a known vulnerability is actually exploitable in a specific product.
A machine-readable inventory of all software components, including open-source and third-party libraries, used to build a medical device.
A documented process for receiving, triaging, and responsibly disclosing security vulnerabilities reported by external researchers.
The designed-in ability to deploy security updates to a fielded medical device in a timely, controlled, and verifiable manner.
A lightweight, OWASP-maintained SBOM format designed for application security and supply-chain use cases.
Latest in MedTech
Primary references
3 sources- 1CVE.orgVerifiedMITREcve.org
- 2National Vulnerability Database (NVD)VerifiedNISTnvd.nist.gov
- 3CISA Known Exploited Vulnerabilities CatalogVerifiedCISAcisa.gov
Inline markers like [1] jump to the matching reference above.