Back
Back to Blog

How To Track Exploited CVEs With Real-World Incident Context

On this page

In May 2025, VenariX launched a CVE enrichment layer that links exploited vulnerabilities to real incidents.

When a security flaw is discovered in software or hardware, it’s often assigned a CVE ID (short for Common Vulnerabilities and Exposures). This identifier provides a consistent way to reference and track vulnerabilities across different tools, vendors, and communities. As of 2025, the CVE program is managed by the Cybersecurity and Infrastructure Security Agency (CISA), which assumed responsibility from MITRE to ensure its continued public operation and accessibility. Around the same time, ENISA launched the EU Vulnerability Database (EUVD) to support regional coordination and strengthen European visibility into vulnerability disclosures.

Many CVEs are published yearly, but only a small fraction are ever exploited in real-world attacks. Some vulnerability scanners and threat intelligence platforms flag known exploited vulnerabilities, but typically rely on public sources like the CISA KEV list or vendor bulletins, which lack context around how the vulnerability is being used in actual attacks.

Our CVE enrichment layer links CVEs to real incidents, including details such as affected organizations, threat actors, tangible impacts, and timelines. This shows how a vulnerability is being used, not just exploited.

To limit noise and focus on observable threat activity, we include only vulnerabilities with confirmed or suspected exploitation.
We include a CVE in the platform only if:

  • An organization has reported an incident caused by an unpatched vulnerability with a CVE ID, or

  • A threat actor is actively exploiting a vulnerability, whether it’s a zero-day or a known issue.


This enrichment is meant to complement, not replace, existing vulnerability management practices. Vulnerabilities should still be patched regularly, but not all carry the same level of urgency.

Linking CVEs to Real Incidents

Each CVE we track is linked to incident records and, where applicable, to threat actors. Once a vulnerability is confirmed as exploited, it becomes part of the incident view.

image.png
Screenshot showing Threat Actor CVE Table

If a threat actor is known to use it, that connection is also shown.

image (2).png
Screenshot showing an Incident Profile Section

New CVE Filters

We also added a CVE ID filter to both the Incidents page and the dashboard. When a user selects a CVE from the filter panel, the results show only incidents where that vulnerability was the method of compromise. These are typically cases of zero-day exploitation or other forms of unauthorized access.

👉 Explore the CVE feature now, included in Pro and Business plans.

photo_2026-07-08_15-23-07.jpg
Screenshot showing the Exploited Vulnerability (CVE) filter in the Dashboard

What the CVE Filter Does and Doesn’t Show

The CVE ID filter applies only to incidents where the selected vulnerability was used to gain access to the affected organization. These are typically zero-day or known exploited vulnerabilities tied to unauthorized access.

Incidents involving downstream victims, organizations affected indirectly through a third-party breach that was caused by a CVE, are not included in CVE filter results, since the vulnerability was not used to breach them directly. These incidents are still tracked in VenariX and can be found using the Major Incident filter or in the Global Incidents section.

photo_2026-07-08_15-24-47.jpg
Screenshot showing the Major Incident filter in the Dashboard

photo_2026-07-08_15-26-05.jpg
Screenshot showing the Global Incidents Tab

New Widgets for CVE Analysis

We introduced four new widgets to help visualize how CVEs are showing up in real incidents, who is using them, which sectors are affected, and more:

  • Top CVEs by Number of Incidents: Shows which exploited vulnerabilities are linked to the most incidents in our dataset. Useful for identifying which CVEs are most active right now and should be reviewed for potential exposure.

  • CVEs Exploited by Sector: Shows which sectors are being targeted through specific vulnerabilities. Helps teams assess whether exploitation is concentrated in their industry or spreading across others.

  • Threat Actors Linked to CVEs: Maps exploited vulnerabilities to the threat actors using them. Helps track whether a CVE is tied to a single campaign or being reused across multiple groups.

  • Monthly Breakdown of CVE-Related Incidents: Shows how exploitation linked to each CVE is changing over time. Useful for identifying emerging threats, periods of peak activity, or whether a vulnerability is still being used in current attacks.

👉 Explore the CVE feature now, included in Pro and Business plans.

photo_2026-07-08_15-29-44.jpg
Screenshot showing Dashboard widgets for CVE analysis

photo_2026-07-08_16-12-15.jpg
Screenshot showing Dashboard widgets for CVE analysis

These widgets are fully interactive. When a CVE is selected from the filter panel, each view updates to reflect only incidents involving that CVE, giving users a focused view of how that vulnerability is playing out across the threat landscape.

Use Case: MOVEit and CVE-2023–34362.

CVE-2023–34362 was a zero-day vulnerability in MOVEit Transfer, exploited in a large-scale campaign in 2023 by the Cl0p ransomware group. Multiple organizations were compromised directly through the vulnerability, with attackers gaining access to sensitive files stored on their MOVEit servers. These incidents, where entities had vulnerable versions of MOVEit in their environment and were breached through the CVE, were tagged with CVE-2023–34362 in VenariX.

image 3.png
Screenshot showing a dashboard about CVE-2023–34362

However, the impact of the MOVEit campaign extended well beyond the organizations directly breached via the CVE. Many other companies were affected when their data, held by vendors using MOVEit, was accessed and leaked. These downstream incidents are not linked to the CVE, since the vulnerability wasn’t the method of compromise.

In cases like this, where a single campaign results in widespread impact across multiple organizations, we classify the event as a Major Incident. This designation isn’t specific to MOVEit; it’s used across the platform to group large-scale incidents that affect many entities, whether directly or indirectly. In the case of MOVEit, the scale of the exploitation and the number of affected organizations met that threshold.

image 6.png
Screenshot showing a dashboard about the MOVEit incident

This lets users view both direct exploitation and downstream impact in one place, providing a more complete view of large-scale incidents.

How to Use the CVE Feature

The CVE enrichment layer is available only on the Pro and Business plans. Here’s how to get started with CVE tracking in VenariX:

View CVEs on Incident Pages

Where to find it: Go to the Incidents tab and select an incident.

What to look for: If a CVE was exploited, it will appear in the “Incident Profile” section under the label Exploited CVE.

Interaction: Clicking on the CVE ID opens a confirmation modal. You can proceed to the official CVE page (e.g., NVD) or close the modal.

Filter Incidents by CVE ID

Where to find it: On the Incidents or Dashboard pages.

How it works: Use the “Exploited CVE” filter (in the “More filters” section). This is only available if incidents contain at least one CVE.

image 10.png
Screenshot showing where to find (CVE) filter in the Dashboard

image 11.png
Screenshot showing Exploited Vulnerability (CVE) filter in the Dashboard

Analyze CVE Trends on the Dashboard

VenariX includes new widgets to visualize vulnerability exploitation patterns:

  • Top CVEs by Number of Linked Incidents (Bar Chart)

  • Monthly Breakdown by Exploited CVE (Line Chart)

  • CVEs Exploited by Sector (Heatmap)

  • Threat Actors by CVE (Heatmap)

Each graph is interactive and allows users to drill into the data for further context.

image 12.png
Image showing CVE Exploited by Sector Heat-Map

Threat Actor CVE Table

Where to find it: In the Threat Actor Group profiles.

What you get: A sortable table listing CVEs exploited by the actor, including:

  • CVE ID

  • Affected product

  • Total victims

  • First seen date

  • Direct/indirect exploitation counts

image (3).png
Screenshot showing Threat Actor CVE Table

API Access for CVE-Linked Incidents

For users integrating VenariX data into their workflows:

  • CVE metadata is included in incident API responses

  • You can filter incidents via the CVE ID query parameter

0_bnHzuZRCgkFphVaw.webp
Screenshot showing API access for CVE-Linked Incidents

Connecting CVEs to Real-World Impacts

This feature connects exploited CVEs to real incidents, threat actors, and affected organizations, providing a clear basis for prioritization and response.

👉 Explore the CVE feature now, included in Pro and Business plans.

VenariX

Every security decision,
backed by real data.

Start with a free plan or try Pro free for one week.