07.07.2023
24 min
3434
When it comes to vulnerability, it’s simple to lose your way with CVE lists, CVSS scores, and countless reports. The fact of the matter is, not all vulnerabilities have equal potential for harm. Many only exist “on paper,” while many are already being actively exploited by attackers in the wild through malicious campaigns, breaches, and targeted attacks.
To provide the best possible protection from real world attacks, it is crucial to understand how to identify which vulnerabilities are actually being exploited, as opposed to simply documented. There are numerous databases, catalogs, and services that track vulnerabilities “in the wild” (those that have been used in breaches, campaigns, and targeted attacks).
This article provides a summary of reliable sources utilized by security researchers, analysts, and security operations center (SOC) teams to provide clarity as to what should be an immediate priority and what does not need to be given a high level of priority. Plain language, no theoretical discussions, and a focus solely on current threats.
A service that tries to automatically determine whether a vulnerability can be exploited in practice. You provide a CVE or details about the issue, and the service analyzes whether it’s worth digging deeper – for example, whether exploits exist or whether the vulnerability is actually usable in real attacks.
This is an official list from CISA that includes vulnerabilities already being actively exploited in attacks. If a CVE appears on this list, it means the issue has been used in practice, not just described in documentation.
There’s a wide mix here, from outdated exploits to fully up-to-date examples. People often browse it not to carry out attacks, but to understand the underlying attack logic and see what it looks like “in code.”
A tool for situations where you need to quickly narrow down a list of vulnerabilities. It immediately shows whether an exploit exists and whether a CVE has real value for an attack. Useful when working with large volumes of data and you don’t want to get lost in the details.
“In the Wild” is interesting because it largely ignores formal scores and ratings. What matters here is a simple fact: whether the vulnerability has been seen in real attacks or not. This source is useful if you want to understand the real threat landscape, without the lab-style idealisation.
The Attacker Knowledge Base shows how vulnerabilities are used by attackers in practice. What matters here isn’t the CVE itself, but where and at what stage of an attack it’s applied. This helps you understand the attack logic, rather than just looking at a list of issues.
VulnCheck KEV DB is often used by those who are tired of the noise around CVEs. The database helps distinguish vulnerabilities that can actually be exploited from those that exist only in reports. It works well for quick checks before a pentest or threat analysis.
CIRCL Sightings isn’t a primary source, but rather a way to validate a hypothesis. It collects mentions of vulnerability exploitation from various reports and observations. It’s useful when you want to confirm that a CVE is actually “alive” and not just listed in a single database.
The service shows whether a vulnerability has a working proof of concept and where to find it. It’s useful when you don’t want to waste time on CVEs that are well documented but difficult to reproduce in practice.
When the basic CISA list is no longer enough, the Securin dashboard comes in handy. It doesn’t just mirror the KEV catalog, but adds context – timing, links to exploits, and the bigger picture overall.
