
What are CVE-Less Threats?

By Roi Abitboul

For many years, security professionals have relied on the CVE system to identify vulnerable OSS libraries. This approach relies on a database of known CVEs: static scanners analyze codebases and flag CVEs for developers to address. However, the primary limitation of signature-based scanners is that they can only detect vulnerabilities that have already been documented and given a CVE ID. This traditional approach leaves a significant category of threats undetected: CVE-less threats, which, surprisingly, are responsible for the majority of exploited vulnerabilities.

In this blog, we will explore the concept of CVE-less threats, examining why they are becoming increasingly prevalent and emerging as one of the most significant risks to cloud environments.

CVE-Less is a Bigger Threat Than You Think

[Figure: CVE-less and security vulnerabilities. Source: Mandiant, Analysis of Time-to-Exploit Trends 2021-2022 (September 28, 2023)]

Over 60% of exploits between 2021 and 2022 were CVE-less, meaning they had no disclosed CVE at the time of the exploit.

What are CVE-Less Threats?

Simply put, CVE-less threats refer to vulnerabilities that do not have a CVE-signature. CVE-less threats include:

The Basics You Might Already Know:

  • Unreported Vulnerabilities: Security flaws that are discovered but never reported to a central authority for inclusion in the CVE database.
  • Homegrown Libraries with Vulnerabilities: Homegrown libraries might have unique vulnerabilities that will never be covered by a CVE entry.
  • Zero-Day Vulnerabilities: Software flaws that are unknown to the vendor and have no available patch.

Threats That Might Surprise You:

  • Reported But Not (yet) Published Vulnerabilities: A CVE has to be discovered, reported to the NVD, assigned a CVE-ID, analyzed, and published before it can be detected by code scanning solutions. This leaves a window of exposure where the application is vulnerable to attacks.
    • Raven’s analysis of 28,660 CVEs published in 2023 reveals that a CVE takes 103 days on average to go from its assigned date to its publish date.
    • Flashpoint’s 2024 Global Threat Intelligence Report states “One major blind spot occurs when enterprises strictly rely on the Common Vulnerabilities and Exposure (CVE) database, which is missing over 100,000 vulnerabilities—nearly a third of known vulnerability risk.”
  • Library Misconfigurations: Issues that arise from improper library configurations in the code. These will never get a formal CVE signature.
  • Malicious Packages: Software components intentionally designed to harm systems, steal data, or exploit vulnerabilities. They are often disguised as legitimate libraries or dependencies, making them difficult to detect. Attackers upload these malicious packages to popular repositories like npm, PyPI, or Maven, where developers might inadvertently include them in their projects. Once integrated, these packages execute harmful actions such as data exfiltration, installing backdoors, or compromising the application's security. The number of malicious packages has been growing exponentially over the past five years, with 2023 having twice as many malicious packages as the four previous years combined and 2024 having almost twice as many as the five previous years combined.
Sonatype: 10th Annual State of the Software Supply Chain (October, 2024)
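
Because a malicious package has no CVE to match, dependency triage has to rely on other signals. The following is an added example, not code from the original post or from Raven: it reads an npm `package-lock.json` (lockfile version 2 or 3) and flags entries that run install scripts, were not resolved from a trusted registry, or lack an integrity hash. The lockfile content, package names and the trusted-registry set are constructed assumptions.

```python
import json
from urllib.parse import urlparse

# Assumption: the only registry this project is expected to install from.
TRUSTED_REGISTRIES = {"registry.npmjs.org"}

# Constructed lockfile; package names, versions and hashes are illustrative.
CONSTRUCTED_LOCKFILE = json.dumps({
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/example-logger": {
            "version": "2.1.0",
            "resolved": "https://registry.npmjs.org/example-logger/-/example-logger-2.1.0.tgz",
            "integrity": "sha512-CONSTRUCTED",
        },
        "node_modules/example-colour-utils": {
            "version": "0.0.1",
            "resolved": "https://pkgs.example.invalid/example-colour-utils-0.0.1.tgz",
            "hasInstallScript": True,
        },
    },
})

def triage_lockfile(lock_text, trusted=TRUSTED_REGISTRIES):
    """Return (name, version, reasons) for entries that deserve manual review."""
    findings = []
    for path, meta in json.loads(lock_text).get("packages", {}).items():
        if not path or meta.get("link"):
            continue  # "" is the root project; links are local workspaces
        name = path.split("node_modules/")[-1]  # handles nested and scoped paths
        reasons = []
        if meta.get("hasInstallScript"):
            reasons.append("runs an install script")
        if urlparse(meta.get("resolved", "")).hostname not in trusted:
            reasons.append("not resolved from a trusted registry")
        if not meta.get("integrity"):
            reasons.append("no integrity hash")
        if reasons:
            findings.append((name, meta.get("version"), reasons))
    return findings

if __name__ == "__main__":
    for name, version, reasons in triage_lockfile(CONSTRUCTED_LOCKFILE):
        print(f"{name}@{version}: {', '.join(reasons)}")
```

These signals mark entries for review rather than proving malice: many legitimate packages run install scripts, and bundled dependencies carry no `resolved` field.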

Conclusion

To combat sophisticated attackers and ensure the security of modern cloud applications, organizations must implement a security layer capable of detecting CVE-less attacks. Just as antivirus solutions evolved into endpoint detection and response (EDR) systems, there is a growing need for a solution that inspects applications at runtime, focusing on library-level activities to identify anomalies. This approach moves beyond reliance on CVE databases and instead monitors the behavior of libraries directly. This is where Application Detection and Response (ADR) comes into play.
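
One way to picture library-level behavioural monitoring is the following added example, which is not Raven's implementation or code from the original post. It uses CPython's audit hooks (Python 3.8+) to attribute sensitive runtime events to the library whose code triggered them and reports anything outside that library's baseline. The `imgresize` library, its functions and the baseline are hypothetical and constructed inline.

```python
import os
import sys
import types

# Audit events treated as security-relevant (a small subset of CPython's list).
WATCHED = {"open", "os.system", "subprocess.Popen", "socket.connect"}

class LibraryActivityMonitor:
    """Attributes watched audit events to the library whose code triggered them."""
    def __init__(self, baseline):
        self.baseline = baseline   # {top-level package: {events seen in normal use}}
        self.anomalies = []        # (package, event) pairs outside the baseline
        self.active = False
        sys.addaudithook(self._hook)   # audit hooks cannot be removed, hence `active`

    def _hook(self, event, args):
        if not self.active or event not in WATCHED:
            return
        frame = sys._getframe(1)
        while frame is not None:   # innermost monitored library on the stack owns the event
            pkg = str(frame.f_globals.get("__name__", "")).split(".")[0]
            if pkg in self.baseline:
                if event not in self.baseline[pkg]:
                    self.anomalies.append((pkg, event))
                return
            frame = frame.f_back

# Constructed stand-in for a third-party library; "imgresize" and its functions are hypothetical.
CONSTRUCTED_LIBRARY = '''
import os
def read_image(path):            # expected behaviour: file reads only
    with open(path, "rb") as fh:
        return fh.read(16)
def phone_home():                # unexpected behaviour: spawns a shell
    return os.system("exit 0")
'''

def run_demo():
    lib = types.ModuleType("imgresize")
    exec(compile(CONSTRUCTED_LIBRARY, "<imgresize>", "exec"), lib.__dict__)
    monitor = LibraryActivityMonitor({"imgresize": {"open"}})
    monitor.active = True
    try:
        lib.read_image(os.devnull)   # in baseline: not reported
        os.system("exit 0")          # application code, not a monitored library: ignored
        lib.phone_home()             # process execution from imgresize: reported
    finally:
        monitor.active = False
    return monitor.anomalies

if __name__ == "__main__":
    print(run_demo())
```

The same shell command is ignored when the application issues it and reported when the image library does, which is the distinction a signature-based scanner cannot make.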

For more information on advanced threat detection and mitigation, explore Raven’s Runtime ADR. Book a demo today.
