5,100 Flashpoint Known Exploited Vulnerabilities (KEV): Another Major Milestone for VulnDB

Flashpoint’s VulnDB, the world’s most comprehensive vulnerability intelligence database, hit another major milestone, reaching 5,100 known exploited vulnerabilities, over 700 of which do not have a CVE ID.

June 16, 2025

Security teams need vulnerability intelligence they can trust. With tens of thousands of new CVEs disclosed each year, the challenge isn’t finding vulnerabilities, it’s understanding which ones truly matter. Amid this noise and fragmentation, prioritizing by known exploited vulnerabilities (vulnerabilities that have been observed being exploited by threat actors in real-world attacks) helps to filter out some of that noise. Reaching 5,100 KEV, just over 700 of which do not have a CVE ID, isn’t just a milestone, it’s a wake-up call.

This isn’t a static achievement. It’s an ongoing signal of risks demanding immediate action, and how intelligence-driven security strategy can shift organizations from being overwhelmed to proactive.

What This Milestone Means For You

Crossing this milestone is not only a measure based on quantity, it’s also about precision, context, and confidence in risk-based decision making.

  • Validated Threats: These vulnerabilities aren’t theoretical. Each one has been exploited in the wild—by advanced persistent threat (APT) groups, cybercriminals, hacktivists, and/or automated botnets.
  • Exploit-Aware Prioritization: Of the ~406,000 vulnerabilities tracked across thousands of sources, 1.26% are known to be exploited. Using the FP KEV, organizations gain needed visibility and insights into those issues that matter most to them.
  • Human-Curated Intelligence: Unlike databases that rely heavily on automation, this dataset is expert-reviewed, continuously validated, and supplemented with adversary behavior context.

VulnDB’s new milestone allows security teams to better allocate their limited resources by concentrating on vulnerabilities that are actively being exploited. It also enables them to develop more effective security strategies based on real-world attacker behaviors.

The State of Vulnerability Noise

In recent years, over 30,000 new CVEs have been published annually on average. However, CISA’s Known Exploited Vulnerabilities Catalog (KEV) confirms that fewer than 1,400 of these are exploited in the wild, representing less than 0.5%. Flashpoint, by contrast, is observing thousands more.

While the CISA KEV is an important public resource, it’s also incomplete. It focuses mostly on government and critical infrastructure targets, is U.S.-centric, and lacks deep context on attacker motives, exploit code maturity, lateral movement potential, and remediation alternatives.

By contrast, VulnDB covers a much broader scope, including:

  • Coverage of CVE and non-CVE vulnerabilities
  • Adversary usage attribution (e.g., Conti, Lazarus Group, Turla, FIN12)
  • Exploit maturity scoring
  • Affected product breakdown (down to build and patch version)
  • Known malware leveraging the vulnerability
  • Workarounds, upgrades, and patch status when available

Using Flashpoint’s advanced vulnerability intelligence, security teams aren’t given just a list, but rather an operational dataset that’s designed to enhance readiness. Vulnerability intelligence shouldn’t be confined to a narrow focus. Software and the internet have a global reach, and your insights into vulnerabilities should be equally comprehensive.

Going Beyond CVE

Flashpoint’s VulnDB goes beyond typical CVE and NVD replications by fully and comprehensively mapping to them, detailing vulnerabilities in IoT, OT, SaaS, APIs, and third-party components, including over 105,000 without CVE IDs.

Unlike other offerings, VulnDB is not a minor interface change layered over the same prevalent underlying CVE data. It is independently curated by expert researchers who actively monitor thousands of sources. This thorough process of collecting, normalizing, and detailing each disclosed vulnerability provides customers with a complete vulnerability intelligence picture, enabling faster and more efficient risk identification and remediation.

VulnDB sources include:

  • Public advisories
  • Vendor disclosures
  • Developer resources
  • Private threat intelligence communities
  • Social media
  • Threat actor chatter
  • Illicit marketplaces
  • Insights from threat hunters, incident response teams, and malware analysis

This ensures organizations have complete visibility into the risks automation might miss, such as:

  • Shadow vulns in legacy software
  • Zero-day follow-ups and reuse of existing exploits
  • Exploit chains across multiple flaws in a stack

Why Human Curation Matters

In a landscape dominated by automated vulnerability scanners and public databases like CVE and NVD, it’s easy to assume that all vulnerability data is created equal. It’s not. These public sources, while valuable in their own right, often suffer from inherent limitations: delays in disclosure, incomplete information, lack of context, and a susceptibility to inaccuracies. This is where the Flashpoint advantage emerges.

Our vulnerability intelligence is entirely human-curated. A dedicated team of expert analysts reviews every single vulnerability that is disclosed, regardless of its perceived criticality or source. This meticulous, hands-on approach ensures:

  • Unrivaled Accuracy: Human analysts can identify nuances, discrepancies, and even outright errors that automated systems would miss. The team verifies information against multiple sources, cross-references data, and validates claims, leading to unparalleled data integrity.
  • Contextual Understanding: We don’t just log a vulnerability; we understand its complexities. Our analysts delve into the technical specifics, the exploit vectors, and the potential impact, providing a level of understanding that goes beyond a mere description.
  • Illuminating the Unknown: Because incomplete data is far too common in sources like NVD, human curation is essential to reveal the unknown vulnerabilities that automated systems miss. Our analysts bridge the visibility gap by identifying and contextualizing threats beyond the standard CVE approach, ensuring teams focus on the complete risk landscape.
  • Proactive Identification: By constantly monitoring the global threat landscape with a human eye, our analysts can often spot emerging trends or early indicators of exploitation that automated systems might only flag reactively or require additional organizations/sources to deliver similar insights.

How Flashpoint Publishes Vulnerabilities with Rich Context and Deep Enrichment

The human touch doesn’t stop at verification. Once a vulnerability is thoroughly reviewed, our analysts publish each vulnerability with context and deep enrichment designed to provide organizations with actionable intelligence.

For every vulnerability in VulnDB, you’ll find comprehensive details that, when known, include:

  • Affected Versions: Pinpointing the exact software, hardware, or firmware versions susceptible to the vulnerability, enabling precise patching and mitigation.
  • Exploit Availability: We identify whether public exploits exist, whether they are theoretical, or if they are actively being used by threat actors. This directly informs your prioritization efforts, especially through our Known Exploited Vulnerabilities (KEV) intelligence.
  • Detailed Remediation Guidance: Beyond simply stating “patch,” we provide actionable steps and recommendations for mitigation, often including vendor-specific advice or workarounds where patches aren’t immediately available.
  • Vendor Statements & Advisories: Consolidating official communications from affected vendors, saving your teams valuable research time.
  • Threat Actor Attribution & Activity: Where applicable, we tie vulnerabilities to specific threat groups or campaigns, leveraging Flashpoint’s deep expertise in illicit communities and threat intelligence.
  • MITRE ATT&CK Framework Mapping: We map vulnerabilities to the tactics and techniques used by adversaries, providing a strategic understanding of how a vulnerability might be leveraged in a real-world attack scenario.
  • Temporal Metrics & Risk Scoring: Our analysts contribute to comprehensive risk scoring that evolves over time, reflecting changes in exploitability, prevalence, and threat actor interest. Check out our new product update on our Social Risk Score enhancements.
  • Continuously Updated: VulnDB, a continually updated, “living” database, encompasses both newly discovered and previously known vulnerabilities. The team consistently revisits entries to incorporate fresh information, revised analysis, and evolving exploitation trends, among other updates.
  • Risk Scoring: Each vulnerability may include CVSSv2, CVSSv3, CVSSv4, EPSS, Ransomware Likelihood, and Social Risk Scores, giving you the most scoring data to make a better-informed choice as to how a vulnerability impacts your network.

What You Can Do With This Data

Here’s how organizations can leverage Flashpoint’s vulnerability intelligence to drive better outcomes:

For Vulnerability Management

  • Align patching SLAs to exploit activity, not CVSS score
  • Use E2E (Exploitability-to-Exposure) ratios as a program KPI
  • Track risk reduction velocity across high-priority vulnerabilities

For Threat Intelligence Teams

  • Map exploited vulns to threat actor campaigns
  • Feed exploit data into SIEMs for detection tuning
  • Enable proactive hunting for post-exploitation behaviors

For Red and Purple Teams

  • Build scenarios using real-world TTPs tied to active exploits
  • Validate defense readiness against known exploited paths
  • Measure remediation effectiveness in live environments

For Executive and Board Reporting

  • Justify prioritization with attacker-proof data
  • Show measurable progress with exploit-aware dashboards
  • Report closure aligned with the current threat landscape

Proactively Address Vulnerability Risk Using Flashpoint

With new vulnerabilities being published every hour and attackers innovating their exploitation, defenders need more than a static database. Security teams and practitioners need continuously updated intelligence that is backed by human-validated insights, along with real-time context and integrations across ASM, VM, CAASM, red teaming, and detection platforms. Request a demo and learn more today.
