Explore and Prioritize Vulnerabilities with the CrowdSec CVE Explorer

We recently released the CrowdSec CVE Explorer. It’s an exciting new way to explore the data collected by our Threat Intelligence Network.

In this article, we take a closer look behind the veil and demonstrate how CrowdSec leverages the threat data we collect to provide a comprehensive evaluation of over 400 vulnerabilities (CVEs), all enriched with real-world exploit data. This allows cybersecurity teams to stay ahead of current threats and helps patch management teams prioritize vulnerabilities that are actively exploited in the wild.

Overview

The CVE Explorer contains a dedicated page for each of the 400+ CVEs detected and tracked by CrowdSec. For each CVE, the page contains the following key elements to help cybersecurity professionals assess a given vulnerability or alert:

  • A detailed description of the exploit and its recent exploitation trends.
  • CISA enrichment data, such as the CVSS, a list of affected devices and products, and a detailed list of references and related MITRE CWE weaknesses.
  • A timeline of exploitations observed in the wild and a selection of known IoCs observed by the CrowdSec community.
  • A vulnerability score assigned by CrowdSec based on the observed real-world data.

CrowdSec Blocklist customers can also request a CVE-specific custom blocklist directly from the CVE Explorer page.

Providing actionable Cyber Threat Intelligence

Up to this point, our threat intelligence offering has been focused on IP address feeds. CrowdSec Blocklists provide a simple and effective way to prevent cyberattacks, while the Threat Intelligence API offers large, mature organizations data to enrich and improve their SOC automation.

However, threat intelligence can also serve other needs beyond simple enrichment and filtering. Security professionals are often tasked with patching vulnerabilities in software used by their employers. As hundreds of vulnerabilities are discovered and published daily, prioritization becomes a critical issue. To assist with this, the cyber defense industry has developed various methods to support the process. Most new vulnerabilities are scored using the CVSS framework. Additionally, national agencies such as CISA and ENISA publish catalogs of Known Exploited Vulnerabilities (KEV).  

With the CVE Explorer, CrowdSec provides a new tool to serve these needs. Leveraging the massive data collected in collaboration with the CrowdSec community, we offer a more comprehensive view of real-world exploitation for a given CVE. Our exploit timeline enables analysts to assess at a glance whether a given vulnerability poses a risk to their organization or whether other vulnerabilities should take priority for mitigation.

Replacing hype with hard data

Clear, reliable data is essential for effective security. Whether it is research or reporting, the cybersecurity community often struggles to provide clear numbers and data. This often leads to broad estimates of the number of vulnerable devices or overestimated CVSS scores capturing headlines and causing frantic email threads within the security organization. CrowdSec’s CVE Explorer aims to replace this hype with actionable data rooted in real-world exploitation.

Cutting through the noise

Another key use case of threat intelligence data is enriching alerts received by a security operations center (SOC). SOC analysts often face the difficult task of determining whether a given attack comes from an opportunistic actor or is part of a targeted campaign against their organization. Determining which scenario a given alert falls into is often a difficult and time-consuming process. To help analysts with this task, we introduced indicators such as the background noise score, which helps filter out attacks from IPs that are engaged in low-complexity opportunistic attacks.

With the CVE Explorer, we expand on this effort by providing a score for each tracked vulnerability that allows SOC analysts to assess what the typical attacker looks like. Older vulnerabilities that see broad opportunistic campaigns on a daily basis, such as CVE-2021-44228, typically have lower scores compared to fresh vulnerabilities that see more sophisticated exploits, such as CVE-2025-25257.

Discover the CVE Explorer

Starting today, the CVE Explorer is publicly available alongside our existing IP search. Whether you want to look up a specific vulnerability or just browse the day’s trending vulnerabilities, you can access the CVE Explorer today. Happy exploring!
