Vulnerability Register · Cenedril Wiki

The vulnerability register documents all known technical vulnerabilities in your IT infrastructure. From unpatched operating systems to misconfigured firewalls to outdated libraries — every vulnerability is captured, assessed, and tracked to resolution.

ISO 27001 Control A.8.8 requires structured management of technical vulnerabilities. Information about vulnerabilities must be obtained in a timely manner, assessed, and addressed through appropriate measures. The register is the operational tool for this.

What does it contain?

The CSV template covers the lifecycle of a vulnerability from discovery to remediation:

Vulnerability ID and CVE reference — unique identifier, optionally linking to the public CVE database
Description — what is the vulnerability and how can it be exploited?
Severity — critical, high, medium, low (e.g. based on CVSS)
Affected assets — which systems are impacted?
Owner — who coordinates remediation?
Remediation action and deadline — what is being done, by when?
Status — open, in progress, remediated, accepted (with justification)

How to use it

Automated discovery as a foundation. Vulnerability scanners (Nessus, OpenVAS, Qualys, or cloud-native services) provide the baseline. Their results flow into the register regularly — ideally automated. Supplement with manually discovered vulnerabilities and penetration test findings.

Assessment and deadline assignment. Every new vulnerability is assessed and assigned a remediation deadline. Define clear SLAs upfront: e.g. critical within 72 hours, high within 14 days, medium within 30 days. These SLAs belong in your vulnerability management policy and are tracked in the register.

Handle exceptions deliberately. Sometimes a patch is not feasible in the short term — the legacy system has no vendor support, or the patch breaks a critical application. In these cases, document a compensating control (network segmentation, additional monitoring, access restriction) and a review date.

ID	CVE	Titel	Produkt	Betroffenes Asset	CVSS v3.1	EPSS	Schweregrad	Entdeckt	Quelle	Patch verfügbar	Behebungsfrist	Status	Verantwortlich	Anmerkungen
VUL-2025-001	CVE-2025-21293	Windows Kernel Elevation of Privilege	Microsoft Windows 10/11 Server 2019/2022	AST-005 AST-004	7.8	0.08	Hoch	2025-01-14	MS Patch Tuesday	Ja	2025-02-14	Geschlossen	IT-Betriebsleitung	Gepatcht via WSUS 2025-01-18
VUL-2025-002	CVE-2025-29813	Azure DevOps Privilege Escalation Variable Groups	Azure DevOps Services	AST-013 (GitLab CI aber Azure DevOps für Altprojekt genutzt)	10.0	0.12	Kritisch	2025-05-08	MSRC Advisory	Ja	2025-05-15	Geschlossen	Head of Engineering	Microsoft-seitig gepatcht - Tenant verifiziert
VUL-2024-210	CVE-2024-38200	Microsoft Office NTLM Hash Disclosure	Microsoft Office 2019/2021/365	AST-003 AST-006	7.5	0.21	Hoch	2024-08-13	MS Patch Tuesday	Ja	2024-09-13	Geschlossen	IT-Betriebsleitung	Flotte via Intune gepatcht
VUL-2025-003	CVE-2025-24989	Microsoft Power Pages Auth Bypass	Microsoft Power Pages	Kundenportal (Power Pages)	8.2	0.35	Hoch	2025-02-19	MSRC KEV	Ja (anbieterseitig)	N/A	Geschlossen	Head of Engineering	Anbieter hat gepatcht - verifiziert
VUL-2025-004	CVE-2025-22224	VMware ESXi Heap Overflow	VMware ESXi 7.0/8.0	AST-004 AST-005 (Hypervisor)	9.3	0.28	Kritisch	2025-03-04	CISA KEV	Ja	2025-03-18	Geschlossen	IT-Betriebsleitung	Notfall-Change EC-2025-003
VUL-2025-005	CVE-2025-30397	Microsoft Scripting Engine RCE (Edge/Chakra)	Microsoft Edge Legacy	AST-006	8.8	0.15	Hoch	2025-05-13	MS Patch Tuesday	Ja	2025-06-13	Geschlossen	IT-Betriebsleitung	Auto-Update
VUL-2025-006	CVE-2024-7971	Google Chrome V8 Type Confusion	Google Chrome	AST-006	8.8	0.88	Kritisch	2024-08-21	Chrome Release	Ja	2024-08-28	Geschlossen	IT-Betriebsleitung	Chrome-Auto-Update erzwungen
VUL-2025-007	CVE-2025-20281	Cisco IOS XE Privilege Escalation	Cisco IOS XE	AST-010 (falls Cisco - Anwendbarkeit prüfen)	6.7	0.03	Mittel	2025-06-25	Cisco PSIRT	Ja	2025-07-25	N/A	IT-Betriebsleitung	Nicht anwendbar - Fortinet-Stack
VUL-2025-008	CVE-2025-26633	Microsoft Management Console Bypass	Microsoft Windows	AST-005 AST-004 AST-006	7.0	0.42	Hoch	2025-03-11	CISA KEV	Ja	2025-04-11	Geschlossen	IT-Betriebsleitung	Via WSUS gepatcht
VUL-2025-009	CVE-2024-3094	XZ Utils Backdoor (liblzma)	xz-utils 5.6.0-5.6.1	Interne Linux-Buildserver (2x)	10.0	0.62	Kritisch	2024-03-29	Debian Advisory	Ja (Downgrade)	2024-03-30	Geschlossen	IT-Betriebsleitung	Rollback auf 5.4.6 innerhalb Stunden
VUL-2025-010	CVE-2025-32756	Fortinet FortiOS Stack Overflow	Fortinet FortiOS 7.2/7.4	AST-010	9.8	0.71	Kritisch	2025-05-13	CISA KEV	Ja	2025-05-20	Geschlossen	IT-Betriebsleitung	Notfall-Change EC-2025-011
VUL-2025-011	CVE-2025-24201	Apple WebKit Out-of-Bounds Write	macOS/iOS Safari	AST-006 AST-014	8.1	0.11	Hoch	2025-03-11	Apple Advisory	Ja	2025-04-11	Geschlossen	IT-Betriebsleitung	MDM-erzwungenes Update
VUL-2025-012	CVE-2025-22457	Ivanti Connect Secure Stack Overflow	Ivanti Connect Secure	AST-011 (falls Ivanti - prüfen)	9.0	0.55	Kritisch	2025-04-03	CISA KEV	Ja	2025-04-10	N/A	IT-Betriebsleitung	Nicht anwendbar - Fortinet VPN im Einsatz
VUL-2025-013	CVE-2025-29824	Windows CLFS Driver Privilege Escalation	Microsoft Windows	AST-005 AST-004	7.8	0.25	Hoch	2025-04-08	MS Patch Tuesday	Ja	2025-05-08	Geschlossen	IT-Betriebsleitung	Via WSUS gepatcht
VUL-2025-014	CVE-2025-3248	Langflow Missing Authentication Remote Code Execution	Langflow (interner PoC)	Interne PoC-Umgebung	9.8	0.47	Kritisch	2025-04-07	Horizon3 Advisory	Ja	2025-04-10	Geschlossen	Head of Engineering	PoC stillgelegt

ID	CVE	Title	Product	Affected Asset	CVSS v3.1	EPSS	Severity	Discovered	Source	Patch Available	Remediation Deadline	Status	Owner	Notes
VUL-2025-001	CVE-2025-21293	Windows Kernel Elevation of Privilege	Microsoft Windows 10/11 Server 2019/2022	AST-005 AST-004	7.8	0.08	High	2025-01-14	MS Patch Tuesday	Yes	2025-02-14	Closed	IT Operations Lead	Patched via WSUS 2025-01-18
VUL-2025-002	CVE-2025-29813	Azure DevOps privilege escalation variable groups	Azure DevOps Services	AST-013 (GitLab CI but Azure DevOps used for one legacy project)	10.0	0.12	Critical	2025-05-08	MSRC advisory	Yes	2025-05-15	Closed	Head of Engineering	Microsoft hosted patched - verified tenant
VUL-2024-210	CVE-2024-38200	Microsoft Office NTLM hash disclosure	Microsoft Office 2019/2021/365	AST-003 AST-006	7.5	0.21	High	2024-08-13	MS Patch Tuesday	Yes	2024-09-13	Closed	IT Operations Lead	Patched fleet via Intune
VUL-2025-003	CVE-2025-24989	Microsoft Power Pages auth bypass	Microsoft Power Pages	Customer portal (Power Pages)	8.2	0.35	High	2025-02-19	MSRC KEV	Yes (vendor side)	N/A	Closed	Head of Engineering	Vendor patched - verified
VUL-2025-004	CVE-2025-22224	VMware ESXi heap overflow	VMware ESXi 7.0/8.0	AST-004 AST-005 (hypervisor)	9.3	0.28	Critical	2025-03-04	CISA KEV	Yes	2025-03-18	Closed	IT Operations Lead	Emergency change EC-2025-003
VUL-2025-005	CVE-2025-30397	Microsoft Scripting Engine RCE (Edge/Chakra)	Microsoft Edge legacy	AST-006	8.8	0.15	High	2025-05-13	MS Patch Tuesday	Yes	2025-06-13	Closed	IT Operations Lead	Auto-update
VUL-2025-006	CVE-2024-7971	Google Chrome V8 type confusion	Google Chrome	AST-006	8.8	0.88	Critical	2024-08-21	Chrome release	Yes	2024-08-28	Closed	IT Operations Lead	Chrome auto-update enforced
VUL-2025-007	CVE-2025-20281	Cisco IOS XE privilege escalation	Cisco IOS XE	AST-010 (if Cisco - check applicability)	6.7	0.03	Medium	2025-06-25	Cisco PSIRT	Yes	2025-07-25	N/A	IT Operations Lead	Not applicable - Fortinet stack
VUL-2025-008	CVE-2025-26633	Microsoft Management Console bypass	Microsoft Windows	AST-005 AST-004 AST-006	7.0	0.42	High	2025-03-11	CISA KEV	Yes	2025-04-11	Closed	IT Operations Lead	Patched via WSUS
VUL-2025-009	CVE-2024-3094	XZ Utils backdoor (liblzma)	xz-utils 5.6.0-5.6.1	Internal Linux build servers (2x)	10.0	0.62	Critical	2024-03-29	Debian advisory	Yes (downgrade)	2024-03-30	Closed	IT Operations Lead	Rolled back to 5.4.6 within hours
VUL-2025-010	CVE-2025-32756	Fortinet FortiOS stack overflow	Fortinet FortiOS 7.2/7.4	AST-010	9.8	0.71	Critical	2025-05-13	CISA KEV	Yes	2025-05-20	Closed	IT Operations Lead	Emergency change EC-2025-011
VUL-2025-011	CVE-2025-24201	Apple WebKit out-of-bounds write	macOS/iOS Safari	AST-006 AST-014	8.1	0.11	High	2025-03-11	Apple advisory	Yes	2025-04-11	Closed	IT Operations Lead	MDM enforced update
VUL-2025-012	CVE-2025-22457	Ivanti Connect Secure stack overflow	Ivanti Connect Secure	AST-011 (if Ivanti - check)	9.0	0.55	Critical	2025-04-03	CISA KEV	Yes	2025-04-10	N/A	IT Operations Lead	Not applicable - Fortinet VPN used
VUL-2025-013	CVE-2025-29824	Windows CLFS driver privilege escalation	Microsoft Windows	AST-005 AST-004	7.8	0.25	High	2025-04-08	MS Patch Tuesday	Yes	2025-05-08	Closed	IT Operations Lead	Patched via WSUS
VUL-2025-014	CVE-2025-3248	Langflow missing authentication remote code execution	Langflow (internal POC)	Internal POC environment	9.8	0.47	Critical	2025-04-07	Horizon3 advisory	Yes	2025-04-10	Closed	Head of Engineering	Decommissioned POC

Sources

ISO/IEC 27001:2022, A.8.8 — management of technical vulnerabilities
ISO/IEC 27002:2022, Section 8.8 — implementation guidance for vulnerability management
NIST NVD — National Vulnerability Database with CVSS ratings

Frequently asked questions

What is the difference between a vulnerability and a threat?

A vulnerability is a property of a system that can be exploited (e.g. an unpatched web server, a weak password, a missing firewall rule). A threat is the potential cause of an incident — e.g. an attacker, malware, or a natural event. Only the combination of threat and vulnerability creates a risk.

Does every CVE need to go into the register?

Every CVE that affects a system within your scope belongs in the register — even if you decide not to patch. In that case, document the justification (e.g. compensating control, isolated system, exploitation unlikely). Auditors check whether the decision was conscious and traceable.

How often should I scan for new vulnerabilities?

Continuously. Automated vulnerability scanners deliver regular results. Additionally, subscribe to security advisories from your software vendors and public CVE feeds. Penetration tests complement automated detection — typically at least once a year.