Show HN: CISA CVEs with Precondition Reasoning and Default Exploitability


This repository provides contextual information for CISA’s Known Exploited Vulnerabilities (KEV), with a focus on determining whether a CVE is exploitable on default configurations. This helps teams prioritize vulnerabilities more effectively by filtering for threats that do not require custom setups or niche attack surfaces.

Many CVEs in the wild are only exploitable under specific or uncommon configurations. In contrast, vulnerabilities that are exploitable on default installations pose a higher risk to the average environment, since:

  • No special hardening bypass is needed.
  • The attack surface is more universally present.
  • They are often leveraged in opportunistic and mass exploitation campaigns.

By surfacing this context, the data in this repo helps:

  • Prioritize patching based on real-world exploitability.
  • Improve risk scoring systems (e.g., for CVSS/EPSS tuning).
  • Accelerate triage during vulnerability reviews.

Here’s a sample entry from cve_kb.json:

```json
{
  "cve_id": "CVE-2025-24813",
  "vulnerability_name": "Apache Tomcat Path Equivalence Vulnerability",
  "date_added": "2025-04-01",
  "short_description": "Apache Tomcat contains a path equivalence vulnerability that allows a remote attacker to execute code, disclose information, or inject malicious content via a partial PUT request.",
  "preconditions_to_trigger": [
    "The Apache Tomcat default servlet must have write permissions enabled (disabled by default)",
    "Partial PUT requests must be enabled (enabled by default)",
    "The web application must use Tomcat's file-based session persistence with the default storage location",
    "A deserialization-vulnerable library must be present in the application",
    "Attacker must be able to upload a serialized Java payload via HTTP PUT",
    "Attacker must know or be able to guess the filename and directory structure used for session storage"
  ],
  "reasoning": "The most critical precondition for exploitation, the default servlet's write permission, is disabled by default in Apache Tomcat. Unless an administrator has explicitly enabled this write capability, the vulnerability cannot be exploited as described. While other conditions may align with default setups, exploitation is not possible without write permissions being enabled.[1][2]",
  "exploitable_on_default_configurations": false,
  "citations": [
    "https://www.recordedfuture.com/blog/apache-tomcat-cve-2025-24813-vulnerability-analysis",
    "https://www.akamai.com/blog/security-research/march-apache-tomcat-path-equivalence-traffic-detections-mitigations",
    "https://unit42.paloaltonetworks.com/apache-cve-2025-24813-cve-2025-27636-cve-2025-29891/",
    "https://www.cvedetails.com/cve/CVE-2025-24813/",
    "https://www.cisa.gov/news-events/alerts/2025/04/01/cisa-adds-one-known-exploited-vulnerability-catalog"
  ]
}
```
Repository contents:

  • cve_kb.json: Main knowledge base with CVEs, context, and default config exploitability.
  • script.py: Utility script for data collection and enrichment.

What script.py does, in order:

  1. Loads existing enriched CVEs from cve_kb.json hosted in the GitHub repo.
  2. Fetches the latest KEV catalog from CISA.
  3. Identifies new CVEs in the CISA KEV feed that aren't already enriched.
  4. Enriches each new CVE using the Perplexity AI API:
    • Lists preconditions required to trigger the vulnerability.
    • Determines if it's exploitable on default configurations (Yes, No, or Don't know).
    • Includes a concise reasoning behind the above decision.
    • Captures citations (if provided by Perplexity).
  5. Appends the enriched entries to the existing knowledge base.
  6. Updates the cve_kb.json file on GitHub using the GitHub API (no local git required).

Requirements:

  • GitHub personal access token with repo scope (for updating files)
  • Perplexity API key
  • Python 3.7+

Removed CVEs Not Handled: If a CVE is removed from the CISA KEV catalog, this script does not remove it from the cve_kb.json file. This may lead to stale entries.
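Added example (not the repository's own script.py) of the load/fetch/diff/append steps above, run on constructed sample data so it works offline: it diffs a KEV feed against a knowledge base in the cve_kb.json shape, appends unenriched skeleton entries for new CVEs, applies the default-exploitability prioritization filter, and also reports the stale entries that the note above says the script leaves behind. The KEV field names (cveID, vulnerabilityName, dateAdded, shortDescription) follow CISA's public JSON feed; the CVE-1999-000x ids and every sample record are constructed placeholders.

```python
import json

# Constructed sample of CISA's KEV feed (field names as in the public JSON feed).
KEV_FEED = {
    "vulnerabilities": [
        {"cveID": "CVE-2025-24813", "vulnerabilityName": "Apache Tomcat Path Equivalence Vulnerability",
         "dateAdded": "2025-04-01", "shortDescription": "Path equivalence via partial PUT."},
        # Constructed placeholder id: newly added to KEV, not yet enriched in the KB.
        {"cveID": "CVE-1999-0001", "vulnerabilityName": "Placeholder Vulnerability",
         "dateAdded": "2025-05-01", "shortDescription": "Constructed sample entry."},
    ]
}

# Constructed sample of cve_kb.json; CVE-1999-0002 is a placeholder already dropped from KEV.
CVE_KB = [
    {"cve_id": "CVE-2025-24813", "exploitable_on_default_configurations": False},
    {"cve_id": "CVE-1999-0002", "exploitable_on_default_configurations": True},
]

def new_kev_entries(kev_feed, kb):
    """KEV entries whose cveID is not yet enriched in the knowledge base (step 3)."""
    known = {e["cve_id"] for e in kb}
    return [v for v in kev_feed["vulnerabilities"] if v["cveID"] not in known]

def stale_kb_entries(kev_feed, kb):
    """KB entries no longer in KEV: the stale-entry case the README calls out as unhandled."""
    in_kev = {v["cveID"] for v in kev_feed["vulnerabilities"]}
    return [e["cve_id"] for e in kb if e["cve_id"] not in in_kev]

def default_exploitable(kb):
    """CVEs exploitable on a default install; False and None (don't know) are both excluded."""
    return sorted(e["cve_id"] for e in kb if e.get("exploitable_on_default_configurations") is True)

def skeleton_entry(v):
    """Unenriched KB record built from KEV fields; the enrichment step (4) fills the rest."""
    return {"cve_id": v["cveID"], "vulnerability_name": v["vulnerabilityName"],
            "date_added": v["dateAdded"], "short_description": v["shortDescription"],
            "preconditions_to_trigger": [], "reasoning": "",
            "exploitable_on_default_configurations": None, "citations": []}

def sync(kev_feed, kb):
    """Return (KB with skeletons for new CVEs appended, stale cve_ids to review by hand)."""
    merged = kb + [skeleton_entry(v) for v in new_kev_entries(kev_feed, kb)]
    return merged, stale_kb_entries(kev_feed, kb)

if __name__ == "__main__":
    merged, stale = sync(KEV_FEED, CVE_KB)
    print(json.dumps(merged, indent=2))
    print("stale:", stale, "default-exploitable:", default_exploitable(merged))
```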
