
CVE-Less Threats: What You Don’t Know WILL Hurt Your Application

By Roi Abitboul

For many years, security professionals have relied heavily on the CVE (Common Vulnerabilities and Exposures) system to catalog and address security flaws. However, using this traditional approach leaves a significant category of threats undetected: CVE-less threats. These threats, which do not have an associated CVE signature, pose a hidden danger to applications and can cause extensive damage if not properly addressed. In this blog, we'll explore what CVE-less threats are, why they are becoming more prevalent, and how organizations can protect themselves against these insidious risks.

CVE-Less is a Bigger Threat Than You Think

Over 60% of exploits between 2021-2022 were CVE-Less, meaning they had no disclosed CVE at the time of the exploit.

Mandiant: Analysis of Time-to-Exploit Trends 2021-2022 (September 28, 2023)

What are CVE-Less Threats?

CVE-less threats are vulnerabilities that do not have a CVE signature. The CVE system, managed by MITRE, provides a reference method for publicly known information-security vulnerabilities and exposures. While incredibly valuable, the system has its limitations. CVE-less threats include:

  • Unreported vulnerabilities: Some security flaws are discovered but never reported to a central authority for inclusion in the CVE database.
  • Reported but not published vulnerabilities: A CVE has to be discovered, reported to the NVD, assigned a CVE-ID, analyzed, and published before code scanning solutions can detect it. This leaves a window of exposure during which the application is vulnerable to attacks.
    • Raven’s analysis of 28,660 CVEs published in 2023 reveals that a CVE takes 103 days on average from assigned date to publish date.
    • Flashpoint’s 2024 Global Threat Intelligence Report states “One major blind spot occurs when enterprises strictly rely on the Common Vulnerabilities and Exposure (CVE) database, which is missing over 100,000 vulnerabilities—nearly a third of known vulnerability risk.”
  • Homegrown libraries with vulnerabilities: Homegrown libraries might have unique vulnerabilities that will never be covered by a CVE entry.
  • Zero-day vulnerabilities: These are newly discovered flaws that developers are unaware of and for which no patch yet exists.
  • Library misconfigurations: Issues that arise from improper library configurations in the code that will never get formal CVE signatures.
  • Malicious packages: Software components intentionally designed to harm systems, steal data, or exploit vulnerabilities. They are often disguised as legitimate libraries or dependencies, making them difficult to detect. Attackers upload these malicious packages to popular repositories like npm, PyPI, or Maven, where developers might inadvertently include them in their projects. Once integrated, these packages execute harmful actions such as data exfiltration, installing backdoors, or compromising the application's security. The number of malicious packages has been growing exponentially over the past five years, with 2023 having twice the number of malicious packages as the four previous years combined (Sonatype: 9th Annual State of the Software Supply Chain, October 03, 2023).
  • AI package hallucinations: This phenomenon occurs when AI systems, particularly those used in automated software development and deployment processes, incorrectly identify or generate references to software packages that do not exist or are maliciously altered.
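
One defensive check for the malicious-package and AI-hallucination items above, as an added example (not code from the original post or from Raven): a pre-install gate that compares declared dependencies against an internal allowlist and separates lookalikes of vetted names from names nobody has vetted. The allowlist, the sample requirements and the similarity cutoff are constructed assumptions, and lookalike naming is assumed here as one form of a package "disguised as" a legitimate library.

```python
import difflib
import re

# Constructed allowlist of packages the organization has vetted (assumption).
APPROVED = {"requests", "numpy", "cryptography", "python-dateutil", "urllib3"}

def normalize(name):
    """PEP 503 normalization: lowercase, runs of '-', '_', '.' collapse to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def parse_requirements(text):
    """Extract normalized project names from requirements-style lines."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        if not line or line.startswith("-"):      # skip blanks and pip options
            continue
        m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
        if m:
            names.append(normalize(m.group(0)))
    return names

def vet(names, approved=APPROVED, cutoff=0.85):
    """Classify each name: approved, lookalike of an approved name, or unknown."""
    approved_norm = sorted(normalize(a) for a in approved)
    report = {}
    for n in names:
        if n in approved_norm:
            report[n] = ("approved", None)
            continue
        close = difflib.get_close_matches(n, approved_norm, n=1, cutoff=cutoff)
        # A near miss suggests a disguised package; no match at all suggests an
        # unvetted or hallucinated name. Both should block the install for review.
        report[n] = ("lookalike", close[0]) if close else ("unknown", None)
    return report

# Constructed sample input; the misspelled and invented names are illustrative.
SAMPLE = """\
requests==2.31.0
Python_Dateutil>=2.8   # same project after normalization
reqeusts==2.31.0
numpyy
fastjsonx-utils==0.1   # constructed name standing in for a hallucinated package
"""

if __name__ == "__main__":
    for name, (status, near) in vet(parse_requirements(SAMPLE)).items():
        print(f"{name:20} {status:10} {near or ''}")
```

Run as a CI step before dependency installation, a non-empty set of `lookalike` or `unknown` results is the signal to fail the build and route the package for review.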

Conclusion

In order to keep up with sophisticated attackers and ensure the security of modern cloud applications, organizations are now required to add a security layer which can detect CVE-Less attacks.

For more information on advanced threat detection and mitigation, explore Raven’s Runtime ADR. Book a demo today.
