How to read a CVE identifier
Every CVE has the same shape: CVE-YEAR-NUMBER. The year is when the identifier was reserved, not always when the flaw was disclosed, and the number is a unique sequence with no meaning of its own. CVE-2021-34527 is the 34,527th identifier reserved in the 2021 block, better known as PrintNightmare.
The CVE program is run by MITRE with sponsorship from CISA. A CVE is just the name and a short description. The severity scoring, exploitation data, and fix details come from other sources, which is why one vulnerability is described across several systems at once.
How CVEs are scored: CVSS severity
CVSS, the Common Vulnerability Scoring System, gives a vulnerability a base score from 0.0 to 10.0. It answers one question: if this is exploited, how bad is it? It does not say how likely exploitation is. The score falls into four severity bands.
| Severity | CVSS range | What it usually means |
|---|---|---|
| Critical | 9.0 to 10.0 | Often remote, unauthenticated, and high impact. Patch on an emergency timeline. |
| High | 7.0 to 8.9 | Serious, but may need some access, interaction, or conditions to exploit. |
| Medium | 4.0 to 6.9 | Real risk, usually with meaningful preconditions or limited impact. |
| Low | 0.1 to 3.9 | Hard to exploit or low impact. Patch in normal cycles. |
The score is built from a vector string that records the attack vector (network, adjacent, local, physical), attack complexity, privileges required, user interaction, scope, and the impact on confidentiality, integrity, and availability. A network-reachable flaw needing no privileges and no user interaction scores highest, which is why remote code execution bugs cluster at the top.
Beyond CVSS: the signals that show real-world risk
A severity score alone over-counts urgency. There are tens of thousands of High and Critical CVEs, and only a small fraction are ever exploited. These signals separate the dangerous from the merely scary.
Siemserva by Senserva blends all of these into one repeatable, defensible ranking, so you work the top of the list instead of chasing every Critical. See how the ranking works.
A defensible patching order
When everything is labeled urgent, nothing is. This order puts evidence of real-world risk ahead of raw severity, and you can defend every step of it to an auditor.
- Actively exploited first. Anything in CISA KEV or tied to ransomware, on any reachable device.
- High exploitation probability next. High EPSS, even before it reaches KEV.
- Then by severity. Critical, then High CVSS, on exposed systems.
- Weighted by exposure. How long it has been open, and how much of the fleet it touches.
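The four-step order above expressed as a sort, as an added example rather than Senserva's ranking code: KEV or ransomware ties come first, then high EPSS, then Critical and High CVSS on exposed systems, with exposure age and fleet share breaking ties inside each tier. The EPSS cut-off and all sample findings are constructed for illustration and are not from the page.

```python
import re
from dataclasses import dataclass

CVE_ID = re.compile(r"^CVE-\d{4}-\d{4,}$")   # CVE-YEAR-NUMBER, number is 4+ digits
EPSS_HIGH = 0.5   # assumed cut-off for "high exploitation probability" (not from the page)

@dataclass
class Finding:
    cve: str
    cvss: float            # CVSS base score
    epss: float            # probability of exploitation in the next 30 days
    in_kev: bool           # listed in CISA KEV
    ransomware: bool       # tied to known ransomware campaigns
    exposed: bool          # reachable from untrusted networks
    days_open: int         # how long the finding has been unpatched
    fleet_fraction: float  # share of the fleet affected, 0.0 to 1.0

    def __post_init__(self):
        if not CVE_ID.match(self.cve):
            raise ValueError(f"malformed CVE identifier: {self.cve}")

def tier(f):
    """Lower tier patches sooner, following the four-step order above."""
    if f.in_kev or f.ransomware:          # step 1: actively exploited
        return 0
    if f.epss >= EPSS_HIGH:               # step 2: likely to be exploited soon
        return 1
    if f.exposed and f.cvss >= 9.0:       # step 3: Critical on exposed systems
        return 2
    if f.exposed and f.cvss >= 7.0:       # step 3: High on exposed systems
        return 3
    return 4                              # everything else, normal cycles

def exposure_weight(f):
    """Step 4: age of the exposure times how much of the fleet it touches."""
    return f.days_open * f.fleet_fraction

def patch_order(findings):
    """Tier first, then exposure weight, then raw CVSS as the final tie-break."""
    return sorted(findings, key=lambda f: (tier(f), -exposure_weight(f), -f.cvss))

# Constructed sample findings; identifiers are placeholders, not real CVEs.
SAMPLE = [
    Finding("CVE-0000-00001", 9.8, 0.05, False, False, True, 10, 0.9),
    Finding("CVE-0000-00002", 7.8, 0.02, True, False, True, 30, 0.4),
    Finding("CVE-0000-00003", 8.1, 0.72, False, False, True, 5, 0.6),
    Finding("CVE-0000-00004", 9.1, 0.01, False, False, False, 200, 0.3),
    Finding("CVE-0000-00005", 7.5, 0.03, False, True, True, 90, 0.2),
]
```

Note that the 9.8 Critical sorts fourth: it is neither exploited nor likely to be, so it waits behind a 7.5 with ransomware ties and a 7.8 in KEV.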
Glossary
- CVE: Common Vulnerabilities and Exposures. The unique public name for one vulnerability.
- CVSS: Common Vulnerability Scoring System. Severity from 0.0 to 10.0.
- EPSS: Exploit Prediction Scoring System. Probability of exploitation in the next 30 days.
- KEV: Known Exploited Vulnerabilities catalog. Confirmed exploited in the wild.
- RCE: Remote code execution. Running attacker code on a target, often the most severe class.
- EoP: Elevation of privilege. Gaining higher rights than intended, for example becoming admin.
- SSRF: Server-side request forgery. Making a server send requests an attacker controls.
- Zero-day: A vulnerability exploited before, or on, the day a fix is available.
- Wormable: Exploitable with no user interaction, so it can spread machine to machine on its own.
- KB: A Microsoft Knowledge Base update that delivers the fix for one or more CVEs.
- MSRC: Microsoft Security Response Center, the source of Microsoft's CVE and patch data.
- NVD: National Vulnerability Database (NIST), the U.S. repository of CVE and CVSS data.
Frequently asked questions
A CVE (Common Vulnerabilities and Exposures) is a unique public identifier for a specific security vulnerability, written as CVE-YEAR-NUMBER, for example CVE-2021-34527. The CVE program, run by MITRE, assigns one identifier per flaw so vendors, researchers, and defenders all refer to the same issue.
CVSS, the Common Vulnerability Scoring System, rates a vulnerability's severity from 0.0 to 10.0. The bands are Low (0.1 to 3.9), Medium (4.0 to 6.9), High (7.0 to 8.9), and Critical (9.0 to 10.0). The score is derived from a vector describing attack vector, attack complexity, privileges required, user interaction, and the impact on confidentiality, integrity, and availability.
The CISA Known Exploited Vulnerabilities catalog lists CVEs confirmed to be actively exploited in the real world. A vulnerability in the KEV catalog should be patched first, because attackers are already using it, regardless of its CVSS score.
CVSS measures how severe a vulnerability is if exploited. EPSS, the Exploit Prediction Scoring System, estimates how likely it is to be exploited in the next 30 days as a daily-updated probability. A Critical CVSS with low EPSS may be less urgent than a High CVSS that is being actively weaponized.
Patch actively exploited vulnerabilities first (CISA KEV), then those with high EPSS probability, then by CVSS severity, then factor in how long the exposure has been open and how many of your devices are affected. This puts real-world risk ahead of raw severity.
No. This is a curated reference of notable, historically significant Microsoft CVEs for learning and search. The full, current set of CVEs affecting your own environment is enriched live from NVD, CISA KEV, EPSS, and Microsoft MSRC inside Siemserva by Senserva, ranked by real-world risk.
Find these CVEs in your own environment
Siemserva by Senserva reports the CVEs and missing patches across your Microsoft estate, enriches each one from NVD, CISA KEV, EPSS, and MSRC, and ranks them by real-world risk. Run the demo free, no registration, no access to your tenant.
Authoritative sources
- The CVE Program (MITRE): the catalog of CVE identifiers
- NIST National Vulnerability Database (NVD): standards-based vulnerability and CVSS data
- CISA KEV Catalog: known exploited vulnerabilities
- FIRST EPSS: the Exploit Prediction Scoring System
- Microsoft Security Update Guide (MSRC): Microsoft's authoritative source for security updates and CVEs