Skip to main content

CVEs exploited in the wild (TCF-0201)

Daily CVE Exploit Feed returns all Common Vulnerabilities and Exposures (CVE) identifiers detected in the Spectra Intelligence system in a single day. These identifiers are related to files that target vulnerabilities (i.e. that contain exploits), not files that are vulnerable. These files have been collected in the wild and indicate exploitation of their respective vulnerability. We do not have information on the efficacy, targeting or prevalence of the exploit. This feed returns an overview of CVEs on any given day. The basis for this overview is TCF-0202: Reports on CVEs Exploited in the Wild, which also contains hashes and additional information related to these CVEs.

An exploit is an application that uses a vulnerability or a flaw in another component (be it software or hardware) to impact the target's behavior in some way. In other words, it uses or communicates with its target in an unexpected or improperly handled way, usually resulting in a behavior change in the targeted program. Exploits can be remote or local, and the payload can range from allowing remote access or gaining elevated privileges, to downloading or dropping other malware. All known exploits are described in the Common Vulnerabilities and Exposures (CVE) system. The best way to deal with exploits is to prevent attacks by regularly updating software, but there is no efficient way to cope with the threats coming from the exploits that have not yet been patched, also known as zero-day exploits.

The feed stores records for the last 365 days.

Request

This query returns an overview of all detected CVE identifiers (for the requested day).

GET /api/cve/v1/{date}[?format={json|xml}]

Request parameters:

date
Required path parameter. It can be:

  • a specific date in the format YYYY-MM-DD
  • latest
  • all_cves

If it is a specific date, the response includes results from 00:00 that day until 00:00 the next day. For example, 2023-04-20 will include results from 2023-04-20T00:00:00 to 2023-04-21T00:00:00. Note that how you specify the date range is different from how you do it in the "Reports on CVEs Exploited in the Wild" feed (TCF-0202), on which this feed is based (see TCF-0202 documentation for more details). The date must be in the last 365 days, excluding the current day. If the date is older than 365 days, the current day, or a day in the future, the service will respond with the status code 400 Bad Request.

If it is the string latest, the response is equivalent to passing yesterday's date. In other words, it includes the last complete 24-hour period between last midnight and the midnight before it.

If it is the string all_cves, this is a special case where the response of the service is not based on a single day. Using this value will return all CVE identifiers found since the creation of this feed (2015-05-07). This request will take longer to complete. Depending on the network throughput and service availability, it may take over 30 minutes to complete.

format
Optional query parameter which defines the response format. It can be either xml or json. If this parameter is not provided, the response will be a plaintext response with CVE identifiers separated by a newline character.

Response

If the response format is JSON or XML, the response is a rl.feed object which contains:

  • entries: an array of CVE identifiers
  • name: feed name
  • time_range:
    • to: end time for the query
    • from: start time for the query

Examples

Example request

curl 'https://data.reversinglabs.com/api/cve/v1/2023-04-20?format=json'

Example response

{
"rl": {
"feed": {
"entries": [
"CVE-2006-3649",
"CVE-2006-3590",
"CVE-2006-3431",
"CVE-2006-1359",
"CVE-2006-1016",
"CVE-2006-0022",
"CVE-2006-0009",
"CVE-2005-1790",
"CVE-2004-1050",
"CVE-2003-0347"
],
"name": "Daily CVE Exploit",
"time_range": {
"to": "2023-04-21T00:00:00",
"from": "2023-04-20T00:00:00"
}
}
}
}