Skip to main content

Reports on CVEs exploited in the wild

This service provides detailed per-day reports on CVE identifiers associated with new malware in the Spectra Intelligence system. These identifiers are related to files that target vulnerabilities (i.e. that contain exploits), not files that are vulnerable. These files have been collected in the wild and indicate exploitation of their respective vulnerability. We do not have information on the efficacy, targeting or prevalence of the exploit.

The report for each CVE identifier includes information about files tagged with that CVE, number of scans for each file, SHA1, MD5, and SHA256 hashes of each file, the threat name that the file received when it was scanned, and previous CVE identifiers for the file.

If a sample has already been included in the feed sometime in the past, but has received a fresh antivirus scan, and - based on that scan - can be categorized as a CVE exploit, then that sample will be present in the results again. In other words, the same sample can be included in the results for different dates, provided that it has received a fresh scan on those dates. New scans are usually performed when a sample is uploaded from a new source, or if a rescan is requested by a customer.

An exploit is an application that uses a vulnerability or a flaw in another component (be it software or hardware) to impact the target's behavior in some way. In other words, it uses or communicates with its target in an unexpected or improperly handled way, usually resulting in a behavior change in the targeted program. Exploits can be remote or local, and the payload can range from allowing remote access or gaining elevated privileges, to downloading or dropping other malware. All known exploits are described in the Common Vulnerabilities and Exposures (CVE) system. The best way to deal with exploits is to prevent attacks by regularly updating software, but there is no efficient way to cope with the threats coming from the exploits that have not yet been patched, also known as zero-day exploits.

The feed stores records for the last 365 days.

Daily CVE Report Query

This query returns a document containing the list of malware hashes (SHA1, SHA256, MD5), threat names, and threat counts associated with CVE identifiers for the requested day.

If the requested day is not within the last 365 days, the service will respond with the status code 400 Bad Request.

GET /api/report/cve/daily/v1/query/{time_format}/{time_value}[?format=xml|json]

Path parameters:

  • time_format
    • Specifies the time format for the time_value parameter. Supported values: timestamp (Unix epoch time as the number of seconds since 1970-01-01 00:00:00); date (YYYY-MM-DD).
    • Required
  • time_value
    • Accepts values formatted according to the format set in the time_format parameter. It must not be the current date. If it is set to the current date, the service responds with the HTTPS status code 400. Values that are not provided as a full day will be rounded to midnight of the same day (for example, if the format is timestamp, querying 1430983979 is the same as querying 1430956800).
    • The date range behavior is different from the behavior of TCF-0201. If you query a date, you will get the results starting with midnight before that date, and ending with 00:00 on that date. For example, 2023-04-20 will include results from 2023-04-19T00:00:00 to 2023-04-20T00:00:00. In other words, the date specifies the end of a 24 hour period.
    • Required

Query parameters:

  • format
    • Defines the response format. Accepts the following options: xml (default), or json
    • Optional

"Latest" query

The endpoint below returns the results from the latest full 24-hour period (midnight to midnight) for which we have data:

GET /api/report/cve/daily/v1/query/latest[?format=xml|json]

Response Format

An empty entries field means there were no new CVE samples in the requested day

rl > cve_daily_report

  • cve_id
    • Mandatory field. This value represents a group of samples with the same exploit classification.
  • total_count
    • Mandatory field. This is the total count of samples in the cve_id exploit classification category.
  • single_scan
    • A group of samples that are scanned for the first time. If a sample is scanned multiple times on the day it was first seen, it will count as a single scan item. This field will be present only if not empty.
  • multiple_scan
    • A group of samples that were scanned multiple times. This field will be present only if not empty.

Single_scan and multiple_scan share the same schema:

rl > cve_daily_report > single_scan/multiple_scan

  • count
    • Mandatory field. An integer value that corresponds to the number of samples in the samples field.
  • samples
    • Mandatory field. A list of samples related to an exploit.

rl > cve_daily_report > single_scan/multiple_scan > samples

  • sha1, sha256, md5
    • Mandatory field. Hash values of the sample.
  • threat_names
    • Mandatory field. Shows a list of unique threat names the sample received when it was scanned. If the sample was scanned multiple times in a day, it can have multiple threat names. However, the large majority of samples have only one entry in this list. The last received threat name is in the last place.
  • previous_cve_ids
    • Optional field. A list of unique previous classifications for this sample, different from the current cve_id (for example, two scans that show two different results and classifications).

Examples

Retrieving new exploits from 2015-05-07 00:00:00 till 2015-05-08 00:00:00

/api/report/cve/daily/v1/query/timestamp/1430956800
/api/report/cve/daily/v1/query/date/2015-05-07

In this case, the hour value in the timestamp format will be floor rounded to midnight of the requested day (same as querying 1430956800):

/api/report/cve/daily/v1/query/timestamp/1430983979