Exploit Maturity

Exploit Maturity v2.0.0

This metric measures the likelihood of the vulnerability being attacked, and is based on the current state of exploit techniques, exploit code availability, or active, “in-the-wild” exploitation.

| Value | Definition |
|---|---|
| Unreported | Based on available threat intelligence, each of the following must apply: (1) no knowledge of publicly available proof-of-concept exploit code; (2) no knowledge of reported attempts to exploit this vulnerability; (3) no knowledge of publicly available solutions used to simplify attempts to exploit the vulnerability (i.e., neither the “POC” nor “Attacked” values apply). |
| Proof-of-Concept | Based on available threat intelligence, each of the following must apply: (1) proof-of-concept exploit code is publicly available; (2) no knowledge of reported attempts to exploit this vulnerability; (3) no knowledge of publicly available solutions used to simplify attempts to exploit the vulnerability (i.e., the “Attacked” value does not apply). |
| Attacked | Based on available threat intelligence, either of the following must apply: (1) attacks targeting this vulnerability (attempted or successful) have been reported; (2) solutions to simplify attempts to exploit the vulnerability are publicly or privately available (such as exploit toolkits). |
| Not Defined | This metric value is not defined. See CVSS documentation for details. |
Exploit Maturity v2.0.0 JSON Example
{
  "namespace": "cvss",
  "version": "2.0.0",
  "schemaVersion": "1-0-1",
  "key": "E",
  "name": "Exploit Maturity",
  "description": "This metric measures the likelihood of the vulnerability being attacked, and is based on the current state of exploit techniques, exploit code availability, or active, “in-the-wild” exploitation.",
  "values": [
    {
      "key": "U",
      "name": "Unreported",
      "description": "Based on available threat intelligence each of the following must apply: No knowledge of publicly available proof-of-concept exploit code No knowledge of reported attempts to exploit this vulnerability No knowledge of publicly available solutions used to simplify attempts to exploit the vulnerability (i.e., neither the “POC” nor “Attacked” values apply)"
    },
    {
      "key": "P",
      "name": "Proof-of-Concept",
      "description": "Based on available threat intelligence each of the following must apply: Proof-of-concept exploit code is publicly available No knowledge of reported attempts to exploit this vulnerability No knowledge of publicly available solutions used to simplify attempts to exploit the vulnerability (i.e., the “Attacked” value does not apply)"
    },
    {
      "key": "A",
      "name": "Attacked",
      "description": "Based on available threat intelligence either of the following must apply: Attacks targeting this vulnerability (attempted or successful) have been reported Solutions to simplify attempts to exploit the vulnerability are publicly or privately available (such as exploit toolkits)"
    },
    {
      "key": "X",
      "name": "Not Defined",
      "description": "This metric value is not defined. See CVSS documentation for details."
    }
  ]
}
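As an added example (not code from the SSVC or CVSS documentation on this page), a small Python assessor that applies the v2.0.0 definitions above: "Attacked" needs only one of its two conditions, "Proof-of-Concept" needs a public PoC with no reported attacks or exploit tooling, "Unreported" needs all three negatives, and the absence of any threat-intelligence assessment maps to "Not Defined". The `ThreatIntel` field names and the trimmed embedded decision-point record are assumptions made for illustration.

```python
import json
from dataclasses import dataclass
from typing import Optional

# Constructed, trimmed copy of the v2.0.0 decision point above (keys and names
# only), embedded so the example runs offline and can validate its own output.
EXPLOIT_MATURITY_V2 = json.loads("""
{"namespace": "cvss", "version": "2.0.0", "key": "E", "name": "Exploit Maturity",
 "values": [{"key": "U", "name": "Unreported"},
            {"key": "P", "name": "Proof-of-Concept"},
            {"key": "A", "name": "Attacked"},
            {"key": "X", "name": "Not Defined"}]}
""")

VALUE_NAMES = {v["key"]: v["name"] for v in EXPLOIT_MATURITY_V2["values"]}


@dataclass(frozen=True)
class ThreatIntel:
    """Hypothetical threat-intelligence summary (field names are assumptions)."""
    poc_public: bool          # public proof-of-concept exploit code is known
    attacks_reported: bool    # attempted or successful attacks have been reported
    tooling_available: bool   # exploit toolkits exist, publicly or privately


def assess_exploit_maturity(intel: Optional[ThreatIntel]) -> str:
    """Return the v2.0.0 value key (U, P, A or X) implied by the intelligence.

    Precedence follows the definitions: "Attacked" is satisfied by either of
    its conditions, "Proof-of-Concept" needs a PoC *and* no attacks or tooling,
    and "Unreported" needs all three negatives. No assessment at all is "X".
    """
    if intel is None:
        return "X"
    if intel.attacks_reported or intel.tooling_available:
        return "A"
    if intel.poc_public:
        return "P"
    return "U"


def assess_with_name(intel: Optional[ThreatIntel]) -> tuple:
    """Key plus human-readable name, looked up in the decision point's values."""
    key = assess_exploit_maturity(intel)
    return key, VALUE_NAMES[key]


if __name__ == "__main__":
    for case in (None, ThreatIntel(False, False, False),
                 ThreatIntel(True, False, False), ThreatIntel(True, False, True)):
        print(case, "->", assess_with_name(case))
```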

Previous Versions

Following are the previous versions of the decision point:

Exploitability v1.0.0

This metric measures the current state of exploit technique or code availability and suggests a likelihood of exploitation.

| Value | Definition |
|---|---|
| Unproven | No exploit code is yet available or an exploit method is entirely theoretical. |
| Proof of Concept | Proof of concept exploit code or an attack demonstration that is not practically applicable to deployed systems is available. The code or technique is not functional in all situations and may require substantial hand tuning by a skilled attacker for use against deployed systems. |
| Functional | Functional exploit code is available. The code works in most situations where the vulnerability is exploitable. |
| High | Either the vulnerability is exploitable by functional mobile autonomous code or no exploit is required (manual trigger) and the details for the manual technique are widely available. The code works in every situation where the vulnerability is exploitable and/or is actively being delivered via a mobile autonomous agent (a worm or virus). |
Exploitability v1.0.0 JSON Example
{
  "namespace": "cvss",
  "version": "1.0.0",
  "schemaVersion": "1-0-1",
  "key": "E",
  "name": "Exploitability",
  "description": "This metric measures the current state of exploit technique or code availability and suggests a likelihood of exploitation.",
  "values": [
    {
      "key": "U",
      "name": "Unproven",
      "description": "No exploit code is yet available or an exploit method is entirely theoretical."
    },
    {
      "key": "P",
      "name": "Proof of Concept",
      "description": "Proof of concept exploit code or an attack demonstration that is not practically applicable to deployed systems is available. The code or technique is not functional in all situations and may require substantial hand tuning by a skilled attacker for use against deployed systems."
    },
    {
      "key": "F",
      "name": "Functional",
      "description": "Functional exploit code is available. The code works in most situations where the vulnerability is exploitable."
    },
    {
      "key": "H",
      "name": "High",
      "description": "Either the vulnerability is exploitable by functional mobile autonomous code or no exploit is required (manual trigger) and the details for the manual technique are widely available. The code works in every situation where the vulnerability is exploitable and/or is actively being delivered via a mobile autonomous agent (a worm or virus)."
    }
  ]
}

Exploitability v1.1.0

This metric measures the current state of exploit technique or code availability and suggests a likelihood of exploitation.

| Value | Definition |
|---|---|
| Unproven | No exploit code is yet available or an exploit method is entirely theoretical. |
| Proof of Concept | Proof of concept exploit code or an attack demonstration that is not practically applicable to deployed systems is available. The code or technique is not functional in all situations and may require substantial hand tuning by a skilled attacker for use against deployed systems. |
| Functional | Functional exploit code is available. The code works in most situations where the vulnerability is exploitable. |
| High | Either the vulnerability is exploitable by functional mobile autonomous code or no exploit is required (manual trigger) and the details for the manual technique are widely available. The code works in every situation where the vulnerability is exploitable and/or is actively being delivered via a mobile autonomous agent (a worm or virus). |
| Not Defined | This metric value is not defined. See CVSS documentation for details. |
Exploitability v1.1.0 JSON Example
{
  "namespace": "cvss",
  "version": "1.1.0",
  "schemaVersion": "1-0-1",
  "key": "E",
  "name": "Exploitability",
  "description": "This metric measures the current state of exploit technique or code availability and suggests a likelihood of exploitation.",
  "values": [
    {
      "key": "U",
      "name": "Unproven",
      "description": "No exploit code is yet available or an exploit method is entirely theoretical."
    },
    {
      "key": "P",
      "name": "Proof of Concept",
      "description": "Proof of concept exploit code or an attack demonstration that is not practically applicable to deployed systems is available. The code or technique is not functional in all situations and may require substantial hand tuning by a skilled attacker for use against deployed systems."
    },
    {
      "key": "F",
      "name": "Functional",
      "description": "Functional exploit code is available. The code works in most situations where the vulnerability is exploitable."
    },
    {
      "key": "H",
      "name": "High",
      "description": "Either the vulnerability is exploitable by functional mobile autonomous code or no exploit is required (manual trigger) and the details for the manual technique are widely available. The code works in every situation where the vulnerability is exploitable and/or is actively being delivered via a mobile autonomous agent (a worm or virus)."
    },
    {
      "key": "ND",
      "name": "Not Defined",
      "description": "This metric value is not defined. See CVSS documentation for details."
    }
  ]
}

Exploit Code Maturity v1.2.0

This metric measures the likelihood of the vulnerability being attacked, and is typically based on the current state of exploit techniques, exploit code availability, or active, 'in-the-wild' exploitation.

| Value | Definition |
|---|---|
| Unproven | No exploit code is available, or an exploit is theoretical. |
| Proof-of-Concept | Proof-of-concept exploit code is available, or an attack demonstration is not practical for most systems. The code or technique is not functional in all situations and may require substantial modification by a skilled attacker. |
| Functional | Functional exploit code is available. The code works in most situations where the vulnerability exists. |
| High | Functional autonomous code exists, or no exploit is required (manual trigger) and details are widely available. Exploit code works in every situation, or is actively being delivered via an autonomous agent (such as a worm or virus). Network-connected systems are likely to encounter scanning or exploitation attempts. Exploit development has reached the level of reliable, widely-available, easy-to-use automated tools. |
| Not Defined | This metric value is not defined. See CVSS documentation for details. |
Exploit Code Maturity v1.2.0 JSON Example
{
  "namespace": "cvss",
  "version": "1.2.0",
  "schemaVersion": "1-0-1",
  "key": "E",
  "name": "Exploit Code Maturity",
  "description": "measures the likelihood of the vulnerability being attacked, and is typically based on the current state of exploit techniques, exploit code availability, or active, 'in-the-wild' exploitation",
  "values": [
    {
      "key": "U",
      "name": "Unproven",
      "description": "No exploit code is available, or an exploit is theoretical."
    },
    {
      "key": "POC",
      "name": "Proof-of-Concept",
      "description": "Proof-of-concept exploit code is available, or an attack demonstration is not practical for most systems. The code or technique is not functional in all situations and may require substantial modification by a skilled attacker."
    },
    {
      "key": "F",
      "name": "Functional",
      "description": "Functional exploit code is available. The code works in most situations where the vulnerability exists."
    },
    {
      "key": "H",
      "name": "High",
      "description": "Functional autonomous code exists, or no exploit is required (manual trigger) and details are widely available. Exploit code works in every situation, or is actively being delivered via an autonomous agent (such as a worm or virus). Network-connected systems are likely to encounter scanning or exploitation attempts. Exploit development has reached the level of reliable, widely-available, easy-to-use automated tools."
    },
    {
      "key": "X",
      "name": "Not Defined",
      "description": "This metric value is not defined. See CVSS documentation for details."
    }
  ]
}