Getting Started
01 Overview
What are Chronic Exploitable Vulnerabilities (CEV)?
Chronic
CVE:
The CVEs that we are already familiar with are unique IDs assigned to vulnerabilities in products and solutions. CVEs are short-lived, which means a CVE's relevance to any organization lasts from the time it is published until it is patched.
CEV:
The "Chronic" in Chronic Exploitable Vulnerabilities (CEV) refers to vulnerabilities and weaknesses that stay relevant for longer periods of time because they can resurface even after they have been remediated.
- Stays relevant for a longer period (unlike a CVE)
- Can resurface even after it has been remediated once
Exploitable
Only vulnerabilities that can be practically exploited qualify as CEVs. A vulnerability listed as a CEV falls into one of the following categories. The vulnerability should:
- Be exploitable on its own (or)
- Be exploitable with additional pre-requisites (or)
- Serve as a pre-requisite for the exploitation of another vulnerability.
- Practically exploitable vulnerabilities
Vulnerabilities
CVE:
CVEs are typically assigned to vendor product flaws (e.g., bugs or design issues) that will be fixed by the vendor. Many vulnerabilities commonly exploited by adversaries, penetration testers, and red teamers do not have CVE identifiers because they are not flaws in the product itself, but rather weaknesses caused by insecure configuration or improper implementation within an environment.
CEV:
Vulnerabilities commonly exploited by adversaries, penetration testers and red teamers that are not related to security patches, but rather to improper implementation or configuration, are the ones that qualify as CEVs.
- Vulnerabilities introduced by improper implementation or configuration
- Vulnerabilities that do not qualify for a CVE (since they are not product flaws)
02 Platform Terminologies
Reference Guide
Exploitability
CEVs are grouped into 3 categories based on their exploitability:
- Self-Sufficient: Vulnerabilities that are exploitable on their own, without requiring any additional vulnerabilities as pre-requisites.
- Subject to Prerequisites: Vulnerabilities that are exploitable subject to additional pre-requisites. These could be additional vulnerabilities and conditions that need to be met before the vulnerability can be exploited.
- Serves as a Prerequisite: Vulnerabilities that are not exploitable on their own but serve as a pre-requisite for the exploitation of another vulnerability.
Impact Category
The vulnerabilities are also categorized based on the type of technical impact that the vulnerability can cause when exploited. Given below are the types:
- Domain Privilege Escalation: A domain user will be able to perform horizontal or vertical privilege escalation to obtain the privileges of other domain accounts/devices.
Vulnerability Mappings
The vulnerabilities are mapped to the category, sub-category, vendor and service of the product, and also to the associated MITRE ATT&CK Tactics, Techniques and Sub-Techniques.
- Product Category
- Product Subcategory
- Product
- Vendor
- Service
- MITRE ATT&CK Tactic
- MITRE ATT&CK Technique
- MITRE ATT&CK Sub-technique