
Module 03 — Vulnerability Identification

Type 9 · Tool-Build — build vuln_assess.py to walk a service/version through CVE→CWE→CVSS→KEV→PoC and emit a prioritised vuln-assessment.md. (Secondary: Decision/ADR — defend the P1-vs-P2 ranking against real-world exploitability, not just CVSS.) Go to the hands-on lab →

Last reviewed: 2026-06

Offensive Security

From "this host runs X 1.2.3" to "here's the known way in, and how urgent it is."

Difficulty: Intermediate  ·  Estimated time: ~4–6 hrs (study + lab)  ·  Prerequisites: Foundations

In 60 seconds

A service version is trivia until you connect it to its weaknesses — and the real skill isn't finding CVEs (a search box does that), it's judging which ones actually matter. Get the vocabulary straight: a CVE is a named vulnerability, a CWE is the weakness type behind it, CVSS scores how bad it is if exploited. The classic mistake is treating CVSS as a worst-first to-do list — KEV (confirmed exploited in the wild) and EPSS (probability of exploitation) are what turn a wall of scores into real prioritisation.

Why this matters

A service version is only interesting if you know its weaknesses. This module connects enumeration to the real vulnerability ecosystem — CVEs, CWEs, exploit databases, and (crucially) which vulnerabilities are actually being exploited in the wild. Anyone can paste a version into a search box; the skill is judging real exploitability and urgency, not just collecting CVSS scores.

Objective

Map a service/version to its known vulnerabilities, and assess real-world exploitability and urgency using authoritative sources.

The core idea

A service version is trivia until you connect it to its weaknesses — and the real skill isn't finding CVEs (a search box does that), it's judging which ones actually matter. Get the vocabulary straight, because people blur it constantly: a CVE is a specific named vulnerability; a CWE is the weakness type behind it (CVE-2021-44228 is an instance of CWE-502); CVSS scores how bad it is if exploited.

The mental model

The classic mistake is treating CVSS as a to-do list, worst-first — a 9.8 that nobody exploits is less urgent than a 7.5 that's in every breach report this month. KEV and EPSS close that gap: CISA's Known Exploited Vulnerabilities catalog is "confirmed exploited in the wild — this is real, fix it"; EPSS estimates the probability something will be exploited. Together they turn a wall of CVSS numbers into actual prioritisation.

This is the same triage a defender does in vulnerability management — the other side of this exact coin — so learning to read NVD/KEV/EPSS makes you bilingual: you can tell a defender not just "you run CVE-X" but "it's in KEV, here's the urgency."
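As an added illustration of the triage described above (not code from the module or its lab), the skeleton below ranks findings the way the text argues for: KEV first, then EPSS, then CVSS, and emits the table body for a vuln-assessment.md. The thresholds, the `Finding` fields and the `CVE-XXXX-*` records are assumptions constructed for the example, not real data.

```python
from dataclasses import dataclass
from typing import List

@dataclass
class Finding:
    """One CVE matched to the target's service/version (the page's CVE->CWE->CVSS->KEV->PoC chain)."""
    cve: str          # placeholder ID in the sample data below, not a real record
    cwe: str          # weakness type behind the CVE
    cvss: float       # CVSS base score, 0.0-10.0
    in_kev: bool      # present in CISA's KEV catalog (confirmed exploited in the wild)
    epss: float       # EPSS probability of exploitation, 0.0-1.0
    public_poc: bool  # a public PoC exists; a lead, not a confirmed finding

# Assumed thresholds, not a standard: tune them to the engagement.
EPSS_HIGH = 0.5
CVSS_HIGH = 7.0

def priority(f: Finding) -> str:
    """P1 = exploited or very likely to be; P2 = severe or PoC available; P3 = everything else."""
    if f.in_kev or (f.epss >= EPSS_HIGH and f.cvss >= CVSS_HIGH):
        return "P1"
    if f.cvss >= CVSS_HIGH or f.public_poc:
        return "P2"
    return "P3"

def rank(findings: List[Finding]) -> List[Finding]:
    """Order by tier, then EPSS, then CVSS, so a KEV-listed 7.5 outranks a quiet 9.8."""
    tier = {"P1": 0, "P2": 1, "P3": 2}
    return sorted(findings, key=lambda f: (tier[priority(f)], -f.epss, -f.cvss))

def render_markdown(findings: List[Finding]) -> str:
    """Emit the prioritised table body for vuln-assessment.md."""
    rows = ["| Priority | CVE | CWE | CVSS | KEV | EPSS | PoC |",
            "|---|---|---|---|---|---|---|"]
    for f in rank(findings):
        rows.append(f"| {priority(f)} | {f.cve} | {f.cwe} | {f.cvss:.1f} | "
                    f"{'yes' if f.in_kev else 'no'} | {f.epss:.2f} | "
                    f"{'yes' if f.public_poc else 'no'} |")
    return "\n".join(rows)

# Constructed sample records with placeholder IDs; scores are illustrative only.
SAMPLE = [
    Finding("CVE-XXXX-0001", "CWE-78", 9.8, False, 0.02, False),  # scary score, no exploitation signal
    Finding("CVE-XXXX-0002", "CWE-502", 7.5, True, 0.91, True),   # in KEV: fix this first
    Finding("CVE-XXXX-0003", "CWE-79", 5.3, False, 0.01, True),   # public PoC is only a lead
    Finding("CVE-XXXX-0004", "CWE-200", 4.0, False, 0.00, False),
]

if __name__ == "__main__":
    print(render_markdown(SAMPLE))
```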

The gotcha

A public PoC on Exploit-DB is a lead, not a guarantee — it may target a different build, be deliberately defanged, or be malware aimed at lazy attackers. Read it before you run it.

AI caveat

Models are dangerously fluent here: they will state a wrong affected-version range or invent a plausible-looking CVE ID with complete confidence. In vulnerability work a hallucinated "fact" costs you hours or sends you down a dead end — confirm against NVD/KEV directly, every time.

Learn (~3 hrs)

The vulnerability ecosystem
  • NIST National Vulnerability Database (NVD) — search a product/version for its CVEs; the canonical record, with CVSS scoring.
  • MITRE CWE — the weakness type a CVE maps back to (e.g. CWE-89, SQL injection).

What actually matters
  • CISA Known Exploited Vulnerabilities (KEV) catalog — vulnerabilities confirmed exploited in the wild; your real-world prioritisation signal.
  • Exploit-DB — public proof-of-concept exploits mapped to CVEs (and the backend for searchsploit).

Key concepts

  • CVE, CWE, and CVSS — what each is and isn't
  • Mapping a service/version to known CVEs
  • KEV and EPSS: exploited-in-the-wild and exploitation-likelihood signals
  • Finding and judging public proof-of-concept exploits
  • Prioritising by real risk, not raw CVSS

AI acceleration

Models summarise a CVE and its impact well — and will also confidently state a wrong version range or invent a CVE ID. Always confirm against NVD/KEV directly; in vulnerability work a hallucinated "fact" wastes hours or sends you down a dead end.

Check yourself

  • What's the difference between a CVE, a CWE, and a CVSS score?
  • Why can a CVSS 7.5 be more urgent than a 9.8, and which signals tell you that?
  • You find a public PoC on Exploit-DB for your target's version — why isn't that a confirmed finding yet?
