In [1]:
# Jupyter notebook for runZero's KEVology and KEV Collider
# Copyright (c) 2026 runZero, Inc.
#
# Paper:  https://www.runzero.com/kevology
# App:    https://runzero.com/kev-collider
# GitHub: https://github.com/runZeroInc/kev-collider-data

# Each cell should be run in order, since later cells tend to depend on earlier ones for requires, populated dataframes, shared variables, etc

# Yes, this is written in Ruby. You're welcome, haters.

require 'json'
require 'csv'
require 'date'
require 'iruby'
require 'base64'
require 'daru'
require 'gruff'

COLLIDER_JSON_DIR = './json/*.json'
json_files = Dir.glob(COLLIDER_JSON_DIR)

title = "<h1>Setup: All the things we care about</h1>"
IRuby.display IRuby.html(title)

records = json_files.map do |file|
  data = JSON.parse(File.read(file)) rescue next
  kev = data['kev'] || {}
  cve = data['cve'] || {}
  cve_metadata = cve['metadata'] || {}
  assertions = cve.dig('assertions') || {}
  cvss = assertions['cvss'] || {}
  ssvc = assertions.dig('ssvc','options') || {}
  epss = data['epss'] || {}
  metasploit = data.dig('metasploit','modules') || []
  nuclei = data.dig('nuclei','templates') || []
  attck_enterprise = data.dig('attck','enterprise') || []
  attck_mobile = data.dig('attck','mobile') || []

  date_generated = begin
    DateTime.parse(data['dateGenerated']) if data['dateGenerated']
  rescue
    nil
  end

  kev_date_added = begin
    Date.parse(kev['dateAdded']) if kev['dateAdded']
  rescue
    nil
  end

  kev_date_due = begin
    Date.parse(kev['dateDue']) if kev['dateDue']
  rescue
    nil
  end

    # CVE data    
    cve_date_added =
    if !data['cveDataPresent'] || cve_metadata['datePublished'].nil?
      nil
    else
      DateTime.parse(cve_metadata['datePublished']) rescue nil
    end

  metasploit_first_commit =
    metasploit
      .map { |m| m['firstCommitDate'] }
      .compact
      .map { |d| DateTime.parse(d) rescue nil }
      .compact
      .min

      nuclei_first_commit =
    nuclei
      .map { |m| m['firstCommitDate'] }
      .compact
      .map { |d| DateTime.parse(d) rescue nil }
      .compact
      .min

    first_commodity_commit = [metasploit_first_commit, nuclei_first_commit].compact.min


  {
    # Top-level metadata
    cve_id: data['cveID'],
    schema_version: data['schemaVersion'],
    date_generated: date_generated,
    cve_data_present: data['cveDataPresent'],

    # KEV fields
    kev_vulnerability_name: kev['vulnerabilityName'],
    kev_vendor_project: kev['vendorProject'],
    kev_date_added: kev_date_added,
    kev_day_added: kev['dayAdded'],
    kev_date_due: kev_date_due,
    kev_days_allotted: kev['daysAllotted'],
    kev_short_deadline: kev['daysAllotted'] && kev['daysAllotted'] < 21,
    kev_ransomware: kev['ransomware'],
    kev_holiday: kev['holidayAdded'],

    # CVE data
    cve_date_added: cve_date_added,
    
    # CVSS fields
    cvss_version: cvss['version'],
    cvss_attack_vector: cvss['attackVector'],
    cvss_attack_complexity: cvss['attackComplexity'],
    cvss_privileges_required: cvss['privilegesRequired'],
    cvss_scope: cvss['scope'],
    cvss_user_interaction: cvss['userInteraction'],
    cvss_confidentiality_impact: cvss['confidentialityImpact'],
    cvss_integrity_impact: cvss['integrityImpact'],
    cvss_availability_impact: cvss['availabilityImpact'],
    cvss_vector_string: cvss['vectorString'],
    cvss_base_score: cvss['baseScore'],
    cvss_base_severity: cvss['baseSeverity'],

    # CWE fields
    kev_cwes: (kev['cwes'] || []).join('|'),
    cve_cwes: (cve['cwes'] || []).join('|'),

    # SSVC fields
    ssvc_exploitation: ssvc['exploitation'],
    ssvc_automatable: ssvc['automatable'],
    ssvc_technical_impact: ssvc['technicalImpact'],
      
    # Metasploit
    has_metasploit: !metasploit.empty?,
    metasploit_modules: metasploit,
    metasploit_module_count: metasploit.size,
    metasploit_first_commit: metasploit_first_commit,
    min_metasploit_delta: metasploit.map { |m| m['deltaFromKev'] }.compact.min,
    
    # Nuclei
    has_nuclei: !nuclei.empty?,
    nuclei_template_count: nuclei.size,
    nuclei_first_commit: nuclei_first_commit,
    min_nuclei_delta: nuclei.map { |t| t['deltaFromKev'] }.compact.min,
    
    # Commodity exploits
    has_commodity_exploit: (!nuclei.empty? || !metasploit.empty?),
    commodity_exploit_first_commit: first_commodity_commit,
      
    # EPSS fields
    epss_today: epss['todayScore'],
    epss_percentile: epss['todayPercentile'],
    epss_delta: epss['deltaScore'],

    # ATT&CK
    attck_enterprise: attck_enterprise,
    has_attck_enterprise: !attck_enterprise.empty?,
    attck_enterprise_technique_count: attck_enterprise.size,
    attck_enterprise_capability_groups: attck_enterprise.map { |t| t['capabilityGroup'] }.uniq.join('|'),
    attck_mobile: attck_mobile,
    has_attck_mobile: !attck_mobile.empty?,
    has_attck: (!attck_enterprise.empty? || !attck_mobile.empty?),
    attck_mobile_technique_count: attck_mobile.size,
    attck_mobile_capability_groups: attck_mobile.map { |t| t['capabilityGroup'] }.uniq.join('|')
  }
end.compact

df = Daru::DataFrame.new(records)

vectors = df.vectors.to_a
puts vectors.inspect
df.where(df[:cve_id].eq('CVE-2021-44228'))


[:cve_id, :schema_version, :date_generated, :cve_data_present, :kev_vulnerability_name, :kev_vendor_project, :kev_date_added, :kev_day_added, :kev_date_due, :kev_days_allotted, :kev_short_deadline, :kev_ransomware, :kev_holiday, :cve_date_added, :cvss_version, :cvss_attack_vector, :cvss_attack_complexity, :cvss_privileges_required, :cvss_scope, :cvss_user_interaction, :cvss_confidentiality_impact, :cvss_integrity_impact, :cvss_availability_impact, :cvss_vector_string, :cvss_base_score, :cvss_base_severity, :kev_cwes, :cve_cwes, :ssvc_exploitation, :ssvc_automatable, :ssvc_technical_impact, :has_metasploit, :metasploit_modules, :metasploit_module_count, :metasploit_first_commit, :min_metasploit_delta, :has_nuclei, :nuclei_template_count, :nuclei_first_commit, :min_nuclei_delta, :has_commodity_exploit, :commodity_exploit_first_commit, :epss_today, :epss_percentile, :epss_delta, :attck_enterprise, :has_attck_enterprise, :attck_enterprise_technique_count, :attck_enterprise_capability_group

Unnamed: 0,cve_id,schema_version,date_generated,cve_data_present,kev_vulnerability_name,kev_vendor_project,kev_date_added,kev_day_added,kev_date_due,kev_days_allotted,kev_short_deadline,kev_ransomware,kev_holiday,cve_date_added,cvss_version,cvss_attack_vector,cvss_attack_complexity,cvss_privileges_required,cvss_scope,cvss_user_interaction,cvss_confidentiality_impact,cvss_integrity_impact,cvss_availability_impact,cvss_vector_string,cvss_base_score,cvss_base_severity,kev_cwes,cve_cwes,ssvc_exploitation,ssvc_automatable,ssvc_technical_impact,has_metasploit,metasploit_modules,metasploit_module_count,metasploit_first_commit,min_metasploit_delta,has_nuclei,nuclei_template_count,nuclei_first_commit,min_nuclei_delta,has_commodity_exploit,commodity_exploit_first_commit,epss_today,epss_percentile,epss_delta,attck_enterprise,has_attck_enterprise,attck_enterprise_technique_count,attck_enterprise_capability_groups,attck_mobile,has_attck_mobile,has_attck,attck_mobile_technique_count,attck_mobile_capability_groups
889,CVE-2021-44228,1.0.0-dev,2026-01-28T16:28:41+00:00,True,Apache Log4j2 Remote Code Execution,Apache,2021-12-10,Friday,2021-12-24,14,True,True,,2021-12-10T00:00:00+00:00,3.1,NETWORK,LOW,NONE,CHANGED,NONE,HIGH,HIGH,HIGH,CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H,10.0,CRITICAL,CWE-20|CWE-400|CWE-502,,active,yes,total,True,"[{""module""=>""auxiliary/scanner/http/log4shell_scanner.rb"", ""firstCommitDate""=>""2021-12-13T17:36:45.000Z"", ""deltaFromCve""=>3, ""deltaFromKev""=>3}, {""module""=>""exploits/multi/http/log4shell_header_injection.rb"", ""firstCommitDate""=>""2021-12-16T16:27:46.000Z"", ""deltaFromCve""=>6, ""deltaFromKev""=>6}, {""module""=>""exploits/multi/http/vmware_vcenter_log4shell.rb"", ""firstCommitDate""=>""2022-01-12T20:34:45.000Z"", ""deltaFromCve""=>33, ""deltaFromKev""=>33}, {""module""=>""exploits/multi/http/ubiquiti_unifi_log4shell.rb"", ""firstCommitDate""=>""2022-01-14T15:12:02.000Z"", ""deltaFromCve""=>35, ""deltaFromKev""=>35}, {""module""=>""exploits/linux/http/mobileiron_core_log4shell.rb"", ""firstCommitDate""=>""2022-07-29T17:31:15.000Z"", ""deltaFromCve""=>231, ""deltaFromKev""=>231}]",5,2021-12-13T17:36:45+00:00,3,True,44,2021-12-11T19:26:50+00:00,1,True,2021-12-11T19:26:50+00:00,0.94358,0.99959,0.0,"[{""mappingType""=>""exploitation_technique"", ""id""=>""T1190"", ""name""=>""Exploit Public-Facing Application"", ""capabilityGroup""=>""code_execution"", ""source""=>""CTID-7/28/2025""}, {""mappingType""=>""secondary_impact"", ""id""=>""T1496"", ""name""=>""Resource Hijacking"", ""capabilityGroup""=>""code_execution"", ""source""=>""CTID-7/28/2025""}, {""mappingType""=>""secondary_impact"", ""id""=>""T1486"", ""name""=>""Data Encrypted for Impact"", ""capabilityGroup""=>""code_execution"", ""source""=>""CTID-7/28/2025""}, {""mappingType""=>""secondary_impact"", ""id""=>""T1608.001"", ""name""=>""Upload Malware"", ""capabilityGroup""=>""code_execution"", ""source""=>""CTID-7/28/2025""}, {""mappingType""=>""secondary_impact"", ""id""=>""T1505.003"", ""name""=>""Web Shell"", ""capabilityGroup""=>""code_execution"", ""source""=>""CTID-7/28/2025""}]",True,5,code_execution,[],False,True,0,


In [2]:
recent_cves = %w[
CVE-2025-14847
CVE-2023-52163
CVE-2025-14733
CVE-2025-20393
CVE-2025-40602
CVE-2025-59374
CVE-2025-59718
CVE-2025-14611
CVE-2025-43529
CVE-2018-4063
CVE-2025-14174
CVE-2025-6218
]

title = "<h1>Table 2: Straight Shot KEVs among the last 12</h1>"
IRuby.display IRuby.html(title)

order_index = recent_cves.each_with_index.to_h

subset = df.where(df[:cve_id].in(recent_cves))

subset[:_order] = subset[:cve_id].map { |id| order_index[id] }

subset = subset.sort([:_order])

subset[:straight_shot_rce] =
  subset.map_rows do |row|
    row[:cvss_attack_vector] == 'NETWORK' &&
      row[:cvss_privileges_required] == 'NONE' &&
      row[:cvss_user_interaction] == 'NONE' &&
      row[:cvss_integrity_impact] == 'HIGH'
  end

display_df = subset[
  :cve_id,
  :kev_vendor_project,
  :cvss_vector_string,
  :cvss_base_severity,
  :straight_shot_rce
]

table_html = display_df.to_html
IRuby.html("#{table_html}")

Unnamed: 0,cve_id,kev_vendor_project,cvss_vector_string,cvss_base_severity,straight_shot_rce
1351,CVE-2025-14847,MongoDB,CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N,HIGH,False
1171,CVE-2023-52163,Digiever,CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H,HIGH,False
1350,CVE-2025-14733,WatchGuard,CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H,CRITICAL,True
1358,CVE-2025-20393,Cisco,CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H,CRITICAL,True
1430,CVE-2025-40602,SonicWall,CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H,MEDIUM,False
1470,CVE-2025-59374,ASUS,CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H,CRITICAL,True
1472,CVE-2025-59718,Fortinet,CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C,CRITICAL,True
1349,CVE-2025-14611,Gladinet,CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N,MEDIUM,False
1436,CVE-2025-43529,Apple,CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H,HIGH,False
394,CVE-2018-4063,Sierra Wireless,CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H,HIGH,False


In [3]:
subset = df.where(df[:cvss_vector_string])

subset[:straight_shot_rce] =
  subset.map_rows do |row|
    row[:cvss_attack_vector] == 'NETWORK' &&
      row[:cvss_privileges_required] == 'NONE' &&
      row[:cvss_user_interaction] == 'NONE' &&
      row[:cvss_integrity_impact] == 'HIGH'
  end

title = "<h1>Finding: straight shot RCE</h1>"
IRuby.display IRuby.html(title)

[
total = subset[:straight_shot_rce].size,
rce = subset[:straight_shot_rce].count(true),
rce_pct = (rce/total.to_f).round(4) * 100,
].inspect

"[1500, 489, 32.6]"

In [4]:
title = "<h1>Figure 1: KEVs by Days Allotted</h1>"
IRuby.display IRuby.html(title)

# Reusable helper to display a Gruff-generated RMagick image inline in Jupyter
def hacky_render(gruff_obj)
  # Gruff::Base subclasses have #to_image which returns an RMagick::Image
  png_data = gruff_obj.to_image.to_blob
  encoded = Base64.strict_encode64(png_data)
  IRuby.html("<img src='data:image/png;base64,#{encoded}' alt='Chart' />")
end

def plot_kev_days_allotted(df)
  # Define buckets as [label, range]
  buckets = [
    ["< 7 days", 0..6],
    ["7–13 days", 7..13],
    ["14–20 days", 14..20],
    ["21 days", 21..21], #lol
    ["22–30 days", 22..30],
    ["31–60 days", 31..60],
    ["61-179 days", 61..179],
    ["180+ days", 180..Float::INFINITY]
  ]

  # Initialize counts
  counts = Hash[buckets.map { |label, _| [label, 0] }]

  # Tally values
  df[:kev_days_allotted].each do |days|
    next if days.nil?

    days = days.to_i
    bucket_label = buckets.find { |_, range| range.include?(days) }&.first
    counts[bucket_label] += 1 if bucket_label
  end

  puts "Counts by bucket: #{counts.inspect}"

  # Build bar chart
  g = Gruff::Bar.new(800)
  g.title = "KEV Counts by Days Allotted"

  labels = counts.keys.each_with_index.map { |k, i| [i, k] }.to_h
  g.labels = labels
  g.data(:count, counts.values)

  hacky_render(g)
end

plot_kev_days_allotted(df)


Counts by bucket: {"< 7 days"=>17, "7–13 days"=>25, "14–20 days"=>199, "21 days"=>996, "22–30 days"=>2, "31–60 days"=>5, "61-179 days"=>0, "180+ days"=>257}


In [5]:

title = "<h1>Figure 2: KEVs added by Day of Week</h1>"
IRuby.display IRuby.html(title)

# Example usage with a pie chart because who doesn't love pie charts.

def plot_kev_days_pie(df)
  day_counts = Hash.new(0)
  df[:kev_day_added].each do |day|
    next if day.nil? || day.to_s.empty?
    day_counts[day] += 1
  end
  return if day_counts.empty?

  # Build pie chart
  g = Gruff::Pie.new(600)
  g.title = "KEVs Added by Day of Week"

  day_counts.each do |day, count|
    g.data(day, count)
  end

  puts day_counts.inspect
  hacky_render(g)
end

plot_kev_days_pie(df)

{"Monday"=>282, "Thursday"=>295, "Friday"=>167, "Wednesday"=>488, "Tuesday"=>268, "Sunday"=>1}


In [6]:
# KEVs with a Friday add that have a short deadline
mask =
  df[:kev_day_added].eq('Friday') &
  df[:kev_days_allotted].lt(21)

filtered = df.where(mask)

result = filtered[
  :cve_id,
  :kev_vulnerability_name,
  :cvss_base_severity,
  :kev_days_allotted,
  :kev_date_added
]

result = result.sort([:kev_date_added], ascending: false)

title = "<h1>Friday KEVs with Short Deadlines (&lt;21 days), #{result.size} total</h1>"
table_html = result.to_html
IRuby.html("#{title}#{table_html}")


Unnamed: 0,cve_id,kev_vulnerability_name,cvss_base_severity,kev_days_allotted,kev_date_added
1350,CVE-2025-14733,WatchGuard Firebox Out of Bounds Write,CRITICAL,7,2025-12-19
1463,CVE-2025-55182,Meta React Server Components Remote Code Execution,CRITICAL,7,2025-12-05
1482,CVE-2025-64446,Fortinet FortiWeb Path Traversal,CRITICAL,7,2025-11-14
1372,CVE-2025-22457,"Ivanti Connect Secure, Policy Secure, and ZTA Gateways Stack-Based Buffer Overflow",CRITICAL,7,2025-04-04
1240,CVE-2024-3400,Palo Alto Networks PAN-OS Command Injection,CRITICAL,7,2024-04-12
1210,CVE-2024-21762,Fortinet FortiOS Out-of-Bound Write,CRITICAL,7,2024-02-09
940,CVE-2022-24682,Synacor Zimbra Collaborate Suite (ZCS) Cross-Site Scripting,MEDIUM,14,2022-02-25
920,CVE-2022-22620,"Apple iOS, iPadOS, and macOS Webkit Use-After-Free",HIGH,14,2022-02-11
911,CVE-2022-21882,Microsoft Win32k Privilege Escalation,MEDIUM,14,2022-02-04
706,CVE-2021-20038,SonicWall SMA 100 Appliances Stack-Based Buffer Overflow,CRITICAL,14,2022-01-28


In [7]:
title = "<h1>Table 3: Short Deadlines</h1>"
IRuby.display IRuby.html(title)

subset =
  df
    .where(df[:kev_days_allotted].lt(7))
    .dup

# Sort by urgency (fewest days allotted first)
subset = subset.sort([:kev_days_allotted])

# Classify straight-shot RCE
subset[:straight_shot_rce] =
  subset.map_rows do |row|
    row[:cvss_attack_vector] == 'NETWORK' &&
      row[:cvss_privileges_required] == 'NONE' &&
      row[:cvss_user_interaction] == 'NONE' &&
      row[:cvss_confidentiality_impact] == 'HIGH'
  end

# Final table
subset[
  :cve_id,
  :kev_date_added,
  :kev_day_added,
  :kev_days_allotted,
  :kev_vendor_project,
  :cvss_base_severity,
  :straight_shot_rce
]


Unnamed: 0,cve_id,kev_date_added,kev_day_added,kev_days_allotted,kev_vendor_project,cvss_base_severity,straight_shot_rce
1354,CVE-2025-20333,2025-09-25,Thursday,1,Cisco,CRITICAL,False
1357,CVE-2025-20362,2025-09-25,Thursday,1,Cisco,MEDIUM,False
1450,CVE-2025-49704,2025-07-22,Tuesday,1,Microsoft,HIGH,False
1451,CVE-2025-49706,2025-07-22,Tuesday,1,Microsoft,MEDIUM,False
1455,CVE-2025-53770,2025-07-20,Sunday,1,Microsoft,CRITICAL,True
1464,CVE-2025-5777,2025-07-10,Thursday,1,Citrix,CRITICAL,True
1212,CVE-2024-21893,2024-01-31,Wednesday,2,Ivanti,HIGH,True
1488,CVE-2025-7775,2025-08-26,Tuesday,2,Citrix,CRITICAL,True
1500,CVE-2026-24858,2026-01-27,Tuesday,3,Fortinet,CRITICAL,True
945,CVE-2022-26134,2022-06-02,Thursday,4,Atlassian,CRITICAL,True


In [8]:
title = "<h1>Finding: KEVs by DoW</h1>"
IRuby.display IRuby.html(title)

# Total number of KEVs
total = df.nrows.to_f

# All days of the week
weekdays = %w[Monday Tuesday Wednesday Thursday Friday Saturday Sunday]

# Build rows
rows = weekdays.map do |day|
  count = df.where(df[:kev_day_added].eq(day)).nrows
  [day, count, (count / total).round(4)]
end

# Weekend total
weekend_count = df.where(df[:kev_day_added].in(%w[Saturday Sunday])).nrows
rows << ["Weekend (Sat+Sun)", weekend_count, (weekend_count / total).round(2)]

# US holidays
holiday_count = df.where(df[:kev_holiday].eq(true)).nrows
rows << ["US Holiday", holiday_count, (holiday_count / total).round(2)]

# Create Daru DataFrame
table = Daru::DataFrame.rows(
  rows,
  order: [:Day, :Count, :Percent]
)

table


Unnamed: 0,Day,Count,Percent
0,Monday,282,0.1879
1,Tuesday,268,0.1785
2,Wednesday,488,0.3251
3,Thursday,295,0.1965
4,Friday,167,0.1113
5,Saturday,0,0.0
6,Sunday,1,0.0007
7,Weekend (Sat+Sun),1,0.0
8,US Holiday,0,0.0


In [9]:
title = "<h1>Figure 2: KEVs by DoW</h1>"
IRuby.display IRuby.html(title)

def plot_kev_weekday_bezier(df)
  weekdays = %w[Monday Tuesday Wednesday Thursday Friday Saturday Sunday]
  counts = weekdays.map { |day| df.where(df[:kev_day_added].eq(day)).nrows }

  puts "Counts by weekday: #{weekdays.zip(counts).to_h.inspect}"

  g = Gruff::Bezier.new(800)
  g.title = "KEV Additions by Day of Week"
  g.labels = weekdays.each_with_index.map { |day, i| [i, day] }.to_h
  g.data(:kev_count, counts)
  g.theme = {
    colors: ['#0077cc'],       # blue line
    marker_color: 'black',
    background_colors: 'white'
  }

  hacky_render(g)
end

plot_kev_weekday_bezier(df)


Counts by weekday: {"Monday"=>282, "Tuesday"=>268, "Wednesday"=>488, "Thursday"=>295, "Friday"=>167, "Saturday"=>0, "Sunday"=>1}


In [10]:

title = "<h1>Figure 3: KEVs by Ransomware</h1>"
IRuby.display IRuby.html(title)

total = df.nrows.to_f
ransomware_count = df.where(df[:kev_ransomware].eq(true)).nrows
non_ransomware_count = total - ransomware_count
ransomware_label = "Ransomware (#{(ransomware_count / total * 100).round(2)}%)"
non_label = "Non-Ransomware (#{(non_ransomware_count / total * 100).round(2)}%)"

g = Gruff::Pie.new(500)
g.title = "KEV Entries: Ransomware vs Non-Ransomware"

g.data(ransomware_label, ransomware_count, '#cc3333')      # red
g.data(non_label, non_ransomware_count, '#3399cc')         # blue

g.theme = {
  marker_color: 'black',
  background_colors: 'white'
}

hacky_render(g)


In [11]:
title = "<h1>Figure 4: KEVs by CVSS Severity</h1>"
IRuby.display IRuby.html(title)

# Count CVEs by severity
severity_buckets = %w[NONE LOW MEDIUM HIGH CRITICAL]

counts = severity_buckets.each_with_object({}) do |sev, h|
  h[sev] = df.where(df[:cvss_base_severity].eq(sev)).nrows
end

total = df.nrows.to_f

# Compute percentages
percentages = counts.transform_values { |c| (c / total * 100).round(2) }

# Print counts and percentages
puts "KEV Entries by CVSS Base Severity:"
severity_buckets.each do |sev|
  puts "#{sev}: #{counts[sev]} (#{percentages[sev]}%)"
end

# Build labels including percentages
labels = counts.map do |sev, count|
  label = "#{sev} (#{percentages[sev]}%)"
  [label, count]
end.to_h

# Optional colors for pie slices
colors = ['#cccccc', '#66ccff', '#ffcc33', '#ff9933', '#cc3333'] # None→Critical

# Create the pie chart
g = Gruff::Pie.new(500)
g.title = "KEV Entries by CVSS Base Severity"

# Add each slice with explicit color
labels.each_with_index do |(label, count), idx|
  g.data(label, count, colors[idx])
end

# Theme tweaks
g.theme = {
  marker_color: 'black',
  background_colors: 'white'
}

hacky_render(g)


KEV Entries by CVSS Base Severity:
NONE: 0 (0.0%)
LOW: 9 (0.6%)
MEDIUM: 237 (15.79%)
HIGH: 763 (50.83%)
CRITICAL: 491 (32.71%)


In [12]:
exact_impact_mask = df[:cvss_confidentiality_impact].eq('NONE') &
                    df[:cvss_integrity_impact].eq('NONE') &
                    df[:cvss_availability_impact].eq('HIGH')

exact_impact_df = df.where(exact_impact_mask)

matching_count = exact_impact_df.nrows
total_count = df.nrows
percentage = (matching_count.to_f / total_count * 100).round(2)

title = "<h1>Finding: KEVs by Ransomware</h1>"
IRuby.display IRuby.html(title)

puts "CVEs with C:N, I:N, A:H: #{matching_count} / #{total_count} (#{percentage}%)"

ransomware_count = exact_impact_df.where(exact_impact_df[:kev_ransomware].eq(true)).nrows
ransomware_percentage = (ransomware_count.to_f / matching_count * 100).round(2)

puts "Of these, ransomware-tagged: #{ransomware_count} / #{matching_count} (#{ransomware_percentage}%)"


CVEs with C:N, I:N, A:H: 47 / 1501 (3.13%)
Of these, ransomware-tagged: 3 / 47 (6.38%)


In [13]:
# Filter for exact impact AND ransomware
subset = df.where(
  df[:cvss_confidentiality_impact].eq('NONE') &
  df[:cvss_integrity_impact].eq('NONE') &
  df[:cvss_availability_impact].eq('HIGH') &
  df[:kev_ransomware].eq(true)
)

# Keep only desired columns
ransomware_df = subset[
  :cve_id,
  :kev_vendor_project,
  :cvss_vector_string
]

title = "<h1>Table 4: DOS Ransomware KEVs</h1>"
IRuby.display IRuby.html(title)

ransomware_df


Unnamed: 0,cve_id,kev_vendor_project,cvss_vector_string
274,CVE-2017-10271,Oracle,CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
505,CVE-2019-2725,Oracle,CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
873,CVE-2021-41379,Microsoft,CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C


In [14]:
all_cwes = df.map_rows do |row|
  cwe_str = if row[:cve_cwes] && !row[:cve_cwes].empty?
              row[:cve_cwes]
            else
              row[:kev_cwes] || ''
            end
  # Split on '|' and reject empty strings
  cwe_str.split('|').reject(&:empty?)
end.flatten

cwe_counts = all_cwes.each_with_object(Hash.new(0)) { |cwe, h| h[cwe] += 1 }
cwe_df = Daru::DataFrame.new({
  cwe: cwe_counts.keys,
  count: cwe_counts.values
})

cwe_df = cwe_df.sort([:count], ascending: false)

title = "<h1>Finding: CWEs by Count</h1>"
IRuby.display IRuby.html(title)

cwe_df

Unnamed: 0,cwe,count
0,CWE-20,114
6,CWE-787,97
23,CWE-78,97
14,CWE-416,86
2,CWE-119,80
7,CWE-22,69
27,CWE-502,58
4,CWE-94,56
9,CWE-843,36
3,CWE-264,31


In [15]:
# Count occurrences of each vendor/project
counts = df[:kev_vendor_project].to_a.compact.each_with_object(Hash.new(0)) do |vp, h|
  h[vp] += 1
end

# Convert to Daru::DataFrame
vendor_df = Daru::DataFrame.new({
  kev_vendor_project: counts.keys,
  count: counts.values
})

# Sort descending by count
vendor_df = vendor_df.sort([:count], ascending: false)

title = "<h1>Finding: KEVs by Vendor</h1>"
IRuby.display IRuby.html(title)

vendor_df

Unnamed: 0,kev_vendor_project,count
1,Microsoft,353
25,Apple,86
2,Cisco,83
6,Adobe,76
36,Google,67
7,Oracle,42
4,Apache,38
80,Ivanti,30
73,VMware,26
16,D-Link,25


In [16]:
# Filter CWEs with count >= 20
top_cwes = cwe_df.where(cwe_df[:count].map { |c| c >= 20 })

# Build a hash CWE ID => count
cwe_counts = top_cwes[:cwe].to_a.zip(top_cwes[:count].to_a).to_h

# For Gruff, labels need integer keys (position on axis) => label text
labels = {}
cwe_counts.keys.each_with_index { |cwe, i| labels[i] = cwe }

counts = cwe_counts.values

puts cwe_counts.inspect   # CWE => count mapping

g = Gruff::SideBar.new(1000)
g.title = "Most Frequent CWEs (≥20 mentions)"
g.labels = labels
g.data(:count, counts)

g.theme = {
  colors: ['#3399cc'],
  marker_color: 'black',
  background_colors: 'white'
}

title = "<h1>Figure 5: Top CWEs in the KEV</h1>"
IRuby.display IRuby.html(title)

puts cwe_counts.map {|k,v| [k, v].join(',')}
hacky_render(g)


{"CWE-20"=>114, "CWE-787"=>97, "CWE-78"=>97, "CWE-416"=>86, "CWE-119"=>80, "CWE-22"=>69, "CWE-502"=>58, "CWE-94"=>56, "CWE-843"=>36, "CWE-264"=>31, "CWE-287"=>31, "CWE-284"=>30, "CWE-122"=>30, "CWE-306"=>30, "CWE-79"=>29, "CWE-77"=>26, "CWE-89"=>24, "CWE-200"=>23}


CWE-20,114
CWE-787,97
CWE-78,97
CWE-416,86
CWE-119,80
CWE-22,69
CWE-502,58
CWE-94,56
CWE-843,36
CWE-264,31
CWE-287,31
CWE-284,30
CWE-122,30
CWE-306,30
CWE-79,29
CWE-77,26
CWE-89,24
CWE-200,23


In [17]:
all_cwes = df.map_rows do |row|
  cwes = row[:cve_cwes].to_s.strip
  cwes = row[:kev_cwes].to_s.strip if cwes.empty?
  cwes.split('|')
end.flatten.compact

unique_cwes = all_cwes.uniq

title = "<h1>Finding: All CWEs mentioned</h1>"
IRuby.display IRuby.html(title)

puts "Total CWEs observed: #{all_cwes.size}"
puts "Unique CWEs: #{unique_cwes.size}"

unique_cwes


Total CWEs observed: 1426
Unique CWEs: 170


["CWE-20", "CWE-120", "CWE-119", "CWE-264", "CWE-94", "CWE-399", "CWE-787", "CWE-22", "CWE-77", "CWE-843", "CWE-189", "CWE-310", "CWE-601", "CWE-79", "CWE-416", "CWE-255", "CWE-200", "CWE-125", "CWE-362", "CWE-191", "CWE-352", "CWE-284", "CWE-269", "CWE-78", "CWE-254", "CWE-287", "CWE-19", "CWE-502", "CWE-88", "CWE-190", "CWE-89", "CWE-611", "CWE-704", "CWE-326", "CWE-434", "CWE-552", "CWE-281", "CWE-522", "CWE-388", "CWE-732", "CWE-285", "CWE-749", "CWE-80", "CWE-36", "CWE-415", "CWE-404", "CWE-59", "CWE-74", "CWE-134", "CWE-521", "CWE-122", "CWE-306", "CWE-798", "CWE-863", "CWE-918", "CWE-807", "CWE-295", "CWE-91", "CWE-288", "CWE-917", "CWE-178", "CWE-1188", "CWE-347", "CWE-330", "CWE-706", "CWE-73", "CWE-131", "CWE-665", "CWE-427", "CWE-400", "CWE-23", "CWE-121", "CWE-697", "CWE-755", "CWE-1285", "CWE-667", "CWE-1173", "CWE-390", "CWE-782", "CWE-470", "CWE-95", "CWE-138", "CWE-912", "CWE-425", "CWE-39", "CWE-862", "CWE-193", "CWE-497", "CWE-823", "CWE-790", "CWE-1220", "CWE-1390", 

In [30]:
# This uses net/http. Might be risky. Uncomment cwe_df lines if you actually want this to run.

require 'net/http'
require 'uri'
require 'openssl'

def fetch_cwe_ids
    
cwe_ids = ["CWE-120", "CWE-20", "CWE-119", "CWE-264", "CWE-94"] # etc.

counts = Hash[cwe_ids.map { |cwe| [cwe, 1] }] # replace 1 with real counts if you have

results = []


cwe_ids.each do |cwe|
  number = cwe.split('-').last
  url = URI("https://cwe.mitre.org/data/definitions/#{number}.html")
  puts "Fetching #{cwe} from #{url}..."

  begin
    # Setup HTTP request
    http = Net::HTTP.new(url.host, url.port)
    http.use_ssl = true
    http.verify_mode = OpenSSL::SSL::VERIFY_NONE # skip SSL verification
    http.open_timeout = 5
    http.read_timeout = 5

    req = Net::HTTP::Get.new(url)
    res = http.request(req)

  if res.is_a?(Net::HTTPSuccess)
    # Extract title
    title_match = res.body.match(/<title>\s*([^\(]*)/im)
    desc = title_match ? title_match[1].strip : "N/A"

    # Strip the leading "CWE - " if present
    desc = desc.sub(/^CWE\s*-\s*/, '')
  else
    desc = "Error: #{res.code} #{res.message}"
  end


  rescue => e
    desc = "Error: #{e.class} #{e.message}"
  end

  results << { cwe_id: cwe, count: counts[cwe], desc: desc }
end
results
end

title = "<h1>Finding: CWE name mappings</h1>"
warning = "<b><p>Note, this depends on an external HTTP call to the CWE people.</p></b>"
IRuby.display IRuby.html(title+warning)

# Uncomment this to actually run the net/http connections
# results = fetch_cwe_ids

cwe_df = Daru::DataFrame.new(results)
cwe_df


Unnamed: 0,cwe_id,count,desc
0,CWE-120,1,CWE-120: Buffer Copy without Checking Size of Input
1,CWE-20,1,CWE-20: Improper Input Validation
2,CWE-119,1,CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
3,CWE-264,1,"CWE-264: CWE CATEGORY: Permissions, Privileges, and Access Controls"
4,CWE-94,1,CWE-94: Improper Control of Generation of Code


In [31]:
target_cwes = %w[CWE-521 CWE-1393 CWE-259]

rows =
  df.map_rows do |row|
    cwes = row[:cve_cwes].to_s.strip
    cwes = row[:kev_cwes].to_s.strip if cwes.empty?

    match = cwes.split('|').find { |cwe| target_cwes.include?(cwe) }
    match ? [row[:cve_id], row[:kev_vulnerability_name], match] : nil
  end.compact

title = "<h1>Table 6: Sample bottom CWEs</h1>"
IRuby.display IRuby.html(title)

rows.each {|r| puts CSV.generate_line(r)}


CVE-2019-18988,TeamViewer Desktop Bypass Remote Login,CWE-521
CVE-2022-28810,Zoho ManageEngine ADSelfService Plus Remote Code Execution,CWE-259
CVE-2023-45249,Acronis Cyber Infrastructure (ACI) Insecure Default Password,CWE-1393


[["CVE-2019-18988", "TeamViewer Desktop Bypass Remote Login", "CWE-521"], ["CVE-2022-28810", "Zoho ManageEngine ADSelfService Plus Remote Code Execution", "CWE-259"], ["CVE-2023-45249", "Acronis Cyber Infrastructure (ACI) Insecure Default Password", "CWE-1393"]]

In [32]:
# Select only rows with EPSS scores
epss_df = df.where(df[:epss_today])

# Sort descending by EPSS score
top_epss = epss_df.sort([:epss_today], ascending: false)

# Take the top 10 and select columns of interest
top_epss_view = top_epss[
  :cve_id,
  :kev_vendor_project,
  :kev_vulnerability_name,
  :epss_today,
  :epss_percentile
].head(10)

# Compute average EPSS
average_epss = epss_df[:epss_today].mean

puts "Average EPSS across all KEVs: #{average_epss.round(4)}"

median_epss = epss_df[:epss_today].median
puts "Median EPSS: #{median_epss.round(4)}"

title = "<h1>Table 7: Top EPSS Scores</h1>"
IRuby.display IRuby.html(title)

top_epss_view


Average EPSS across all KEVs: 0.5613
Median EPSS: 0.7292


Unnamed: 0,cve_id,kev_vendor_project,kev_vulnerability_name,epss_today,epss_percentile
1221,CVE-2024-27198,JetBrains,JetBrains TeamCity Authentication Bypass,0.94579,1.0
1052,CVE-2023-23752,Joomla!,Joomla! Improper Access Control,0.94517,1.0
272,CVE-2017-1000353,Jenkins,Jenkins Remote Code Execution,0.94508,1.0
407,CVE-2018-7600,Drupal,Drupal Core Remote Code Execution,0.94489,0.99999
737,CVE-2021-22986,F5,F5 BIG-IP and BIG-IQ Centralized Management iControl REST Remote Code Execution,0.94485,0.99999
1104,CVE-2023-35078,Ivanti,Ivanti Endpoint Manager Mobile Authentication Bypass,0.94482,0.99998
364,CVE-2018-13379,Fortinet,Fortinet FortiOS SSL VPN Path Traversal,0.94475,0.99998
507,CVE-2019-3396,Atlassian,Atlassian Confluence Server and Data Center Server-Side Template Injection,0.94471,0.99998
203,CVE-2016-10033,PHP,PHPMailer Command Injection,0.9447,0.99997
505,CVE-2019-2725,Oracle,"Oracle WebLogic Server, Injection",0.9447,0.99997


In [33]:
# Select only rows with EPSS scores
epss_df = df.where(df[:epss_today])

# Sort descending by EPSS score
bottom_epss = epss_df.sort([:epss_today], ascending: true)

# Take the top 10 and select columns of interest
bottom_epss_view = bottom_epss[
  :cve_id,
  :kev_vendor_project,
  :kev_vulnerability_name,
  :epss_today,
  :epss_percentile
].head(10)

title = "<h1>Table 8: Bottom EPSS Scores</h1>"
IRuby.display IRuby.html(title)

bottom_epss_view

Unnamed: 0,cve_id,kev_vendor_project,kev_vulnerability_name,epss_today,epss_percentile
1436,CVE-2025-43529,Apple,Apple Multiple Products Use-After-Free WebKit,0.00025,0.0602
1089,CVE-2023-32373,Apple,Apple Multiple Products WebKit Use-After-Free,0.00042,0.12712
1148,CVE-2023-42916,Apple,Apple Multiple Products WebKit Out-of-Bounds Read,0.00047,0.14415
795,CVE-2021-30762,Apple,Apple iOS WebKit Use-After-Free,0.00049,0.15098
1124,CVE-2023-37450,Apple,Apple Multiple Products WebKit Code Execution,0.00054,0.16953
1149,CVE-2023-42917,Apple,Apple Multiple Products WebKit Memory Corruption,0.00068,0.20946
1069,CVE-2023-28205,Apple,Apple Multiple Products WebKit Use-After-Free,0.0007,0.21599
1366,CVE-2025-21479,Qualcomm,Qualcomm Multiple Chipsets Incorrect Authorization,0.00074,0.22575
1051,CVE-2023-23529,Apple,Apple Multiple Products WebKit Type Confusion,0.0008,0.23695
1216,CVE-2024-23296,Apple,Apple Multiple Products Memory Corruption,0.00082,0.24276


In [34]:
no_cwe_df =
  df.where(
    df.map_rows do |row|
      cve_cwes = row[:cve_cwes].to_s.strip
      kev_cwes = row[:kev_cwes].to_s.strip
      cve_cwes.empty? && kev_cwes.empty?
    end
  )

no_cvss_df =
  df.where(
    df.map_rows do |row|
      cve_cvss = row[:cvss_base_score].to_s.strip
      cve_cvss.empty?
    end
  )

title = "<h1>Finding: KEVs with no CVSS scores: #{no_cvss_df.nrows}</h1>"
IRuby.display IRuby.html(title)
puts "KEVs with no KEV-defined CWE IDs: #{no_cwe_df.nrows}"

no_cvss_df = no_cvss_df.sort([:kev_date_added], ascending: false)
no_cvss_df[:cve_id, :kev_vulnerability_name]

KEVs with no KEV-defined CWE IDs: 166


Unnamed: 0,cve_id,kev_vulnerability_name
0,CVE-1969-1234,FakeCorp FakeApp Test


In [35]:
epss_vals = df[:epss_today].to_a.compact
bins = (0..10).map { |i| (i/10.0).round(1) }

epss_counts = Hash.new(0)
epss_vals.each do |v|
  next if v.nil? || v.nan?
  bin = [(v / 0.1).floor * 0.1, 0.9].min
  bin = bin.round(4)
  epss_counts[bin] += 1
end

lines = epss_counts.sort.map { |bin, count| "#{bin},#{count}" }
puts lines.join("\n")

sorted_bins = epss_counts.keys.sort
counts = sorted_bins.map { |b| epss_counts[b] }

g_score = Gruff::Bar.new(800)
g_score.title = "KEV Distribution by EPSS Score"
g_score.labels = sorted_bins.each_with_index.map { |b,i| [i, "#{b}-#{(b+0.1).round(1)}"] }.to_h
g_score.data(:KEVs, counts)
g_score.theme = {
  colors: ['#3399cc'],
  marker_color: 'black',
  background_colors: 'white'
}


title = "<h1>Figure X: KEV EPPS Score Distribution</h1>"
IRuby.display IRuby.html(title)
puts epss_counts.sort.inspect
hacky_render(g_score)


0.0,355
0.1,92
0.2,68
0.3,58
0.4,57
0.5,43
0.6,56
0.7,78
0.8,145
0.9,548


[[0.0, 355], [0.1, 92], [0.2, 68], [0.3, 58], [0.4, 57], [0.5, 43], [0.6, 56], [0.7, 78], [0.8, 145], [0.9, 548]]


In [36]:

percentile_vals = df[:epss_percentile].to_a.compact
pct_bins = (0..10).map { |i| i / 10.0 }

pct_counts = Hash.new(0)
percentile_vals.each do |v|
  bin = pct_bins.select { |b| v >= b }.max
  pct_counts[bin] += 1
end

sorted_pct_bins = pct_counts.keys.sort
pct_counts_arr = sorted_pct_bins.map { |b| pct_counts[b] }

g_pct = Gruff::Bar.new(800)
g_pct.title = "KEV Distribution by EPSS Percentile"
g_pct.labels = sorted_pct_bins.each_with_index.map { |b,i| [i, "#{(b*100).to_i}-#{((b+0.1)*100).to_i}"] }.to_h
g_pct.data(:KEVs, pct_counts_arr)
g_pct.theme = {
  colors: ['#cc3333'],
  marker_color: 'black',
  background_colors: 'white'
}

title = "<h1>Figure 6: KEV EPPS Percentile Distribution</h1>"
IRuby.display IRuby.html(title)

puts pct_counts.sort.inspect

lines = pct_counts.sort.map {|bin, count| "#{bin},#{count}"}
puts lines.join("\n")

hacky_render(g_pct)

[[0.0, 1], [0.1, 4], [0.2, 15], [0.3, 18], [0.4, 17], [0.5, 16], [0.6, 22], [0.7, 67], [0.8, 126], [0.9, 1211], [1.0, 3]]
0.0,1
0.1,4
0.2,15
0.3,18
0.4,17
0.5,16
0.6,22
0.7,67
0.8,126
0.9,1211
1.0,3


In [37]:
# Only KEVs with Metasploit modules
df_with_ms = df.where(df[:has_metasploit].eq(true))

# Total number of KEVs with modules
total_kevs_with_modules = df_with_ms.nrows

title = "<h1>Finding: Metasploitable KEVs</h1>"
IRuby.display IRuby.html(title)

puts "Total KEVs with Metasploit modules: #{total_kevs_with_modules}"

# Count modules by prefix
prefix_counts = { 'exploits' => 0, 'auxiliary' => 0, 'post' => 0 }

df_with_ms[:metasploit_modules].each do |mods|
  mods.each do |m|
    path = m['module'].to_s.downcase
    prefix_counts.each_key do |prefix|
      prefix_counts[prefix] += 1 if path.start_with?(prefix)
    end
  end
end


puts "Exploit modules: #{prefix_counts['exploits']}"
puts "Aux modules: #{prefix_counts['auxiliary']}"
puts "Post modules: #{prefix_counts['post']}"


Total KEVs with Metasploit modules: 466
Exploit modules: 446
Aux modules: 97
Post modules: 7


In [38]:
title = "<h1>Finding: Nucleiable KEVs</h1>"
IRuby.display IRuby.html(title)

df.where(df[:has_nuclei].eq(true)).nrows


403

In [39]:
msf_kevs = df.where(df[:has_metasploit].eq(true))[:cve_id].to_a
nuclei_kevs = df.where(df[:has_nuclei].eq(true))[:cve_id].to_a

both = msf_kevs & nuclei_kevs
only_msf = msf_kevs - both
only_nuclei = nuclei_kevs - both

title = "<h1>Finding: Metasploitable and Nucleiable KEVs</h1>"
IRuby.display IRuby.html(title)
puts "KEVs unique to MSF: #{only_msf.size}"
puts "KEVs unique to Nuclei: #{only_nuclei.size}"
puts "KEVs in both: #{both.size}"



KEVs unique to MSF: 230
KEVs unique to Nuclei: 167
KEVs in both: 236


In [40]:
title = "<h1>Finding: KEVs with ATT&CK mappings</h1>"
IRuby.display IRuby.html(title)

df_with_attck = df.where(
  df[:attck_enterprise_technique_count].gt(0) |
  df[:attck_mobile_technique_count].gt(0)
)

puts "KEVs with any ATT&CK mappings: #{df_with_attck.nrows}"


KEVs with any ATT&CK mappings: 424


In [41]:
title = "<h1>Finding: Unique ATT&CK mappings</h1>"
IRuby.display IRuby.html(title)

all_mappings = []

df_with_attck.each_row do |row|
  cve = row[:cve_id]

  row[:attck_enterprise].each do |t|
    all_mappings << t.merge(
      'cve_id' => cve,
      'platform' => 'enterprise'
    )
  end

  row[:attck_mobile].each do |t|
    all_mappings << t.merge(
      'cve_id' => cve,
      'platform' => 'mobile'
    )
  end
end

puts "Total ATT&CK mapping entries: #{all_mappings.size}"

unique_techniques = all_mappings.map { |t| t['id'] }.uniq
puts "Unique ATT&CK techniques: #{unique_techniques.size}"

enterprise_unique = all_mappings
  .select { |t| t['platform'] == 'enterprise' }
  .map { |t| t['id'] }
  .uniq
  .size

mobile_unique = all_mappings
  .select { |t| t['platform'] == 'mobile' }
  .map { |t| t['id'] }
  .uniq
  .size

puts "Unique enterprise techniques: #{enterprise_unique}"
puts "Unique mobile techniques: #{mobile_unique}"



Total ATT&CK mapping entries: 1228
Unique ATT&CK techniques: 174
Unique enterprise techniques: 155
Unique mobile techniques: 19


In [42]:
title = "<h1>Table 9: Top 20 enterprise ATT&CK techniques</h1>"
IRuby.display IRuby.html(title)

enterprise_mappings = all_mappings.select { |t| t['platform'] == 'enterprise' }

enterprise_counts = Hash.new(0)
enterprise_mappings.each do |t|
  key = [
    t['id'],
    t['name'],
    t['platform'],
    t['mappingType']
  ]
  enterprise_counts[key] += 1
end

enterprise_rows = enterprise_counts.map do |(id, name, platform, mapping_type), count|
  {
    attck_id: id,
    attck_name: name,
    platform: platform,
    mapping_type: mapping_type,
    count: count
  }
end

enterprise_df = Daru::DataFrame.new(enterprise_rows)

enterprise_df.sort([:count], ascending: [false]).head(20)


Unnamed: 0,attck_id,attck_name,platform,mapping_type,count
1,T1190,Exploit Public-Facing Application,enterprise,exploitation_technique,154
32,T1059,Command and Scripting Interpreter,enterprise,primary_impact,141
46,T1068,Exploitation for Privilege Escalation,enterprise,exploitation_technique,40
82,T1078,Valid Accounts,enterprise,exploitation_technique,34
26,T1203,Exploitation for Client Execution,enterprise,exploitation_technique,32
0,T1204.002,Malicious File,enterprise,exploitation_technique,31
19,T1068,Exploitation for Privilege Escalation,enterprise,primary_impact,27
39,T1005,Data from Local System,enterprise,primary_impact,24
4,T1105,Ingress Tool Transfer,enterprise,primary_impact,23
21,T1133,External Remote Services,enterprise,exploitation_technique,23


In [43]:
df_with_any_attck = df.where(df[:has_attck].eq(true))


title = "<h1>Figure 9: KEVs with ATT&CK, Metasploit, Nuclei (figure not included)</h1>"
IRuby.display IRuby.html(title)

puts "KEVs with at least one ATT&CK technique: #{df_with_any_attck.size}"

df_with_any_attck_and_exploits = df.where(
  df[:has_attck].eq(true) &
  (
    df[:has_metasploit].eq(true) |
    df[:has_nuclei].eq(true)
  )
)

puts "  KEVs with ATT&CK + Metasploit or Nuclei: #{df_with_any_attck_and_exploits.size}"

target_techniques = ['T1190', 'T1059']

df_with_target_attck = df.where(
  df[:attck_enterprise].map do |techs|
    techs.any? { |t| target_techniques.include?(t['id']) }
  end
)

puts "Top two ATT&CK techniques: #{df_with_target_attck.size}"

df_with_exploit_artifacts = df_with_target_attck.where(
  df_with_target_attck[:has_metasploit].eq(true) |
  df_with_target_attck[:has_nuclei].eq(true)
)

puts "  With commodity exploits for the top two: #{df_with_exploit_artifacts.size}"

KEVs with at least one ATT&CK technique: 424
  KEVs with ATT&CK + Metasploit or Nuclei: 211
Top two ATT&CK techniques: 257
  With commodity exploits for the top two: 154


In [44]:
title = "<h1>Table 10: Top 20 mobile ATT&CK techniques</h1>"
IRuby.display IRuby.html(title)

mobile_mappings = all_mappings.select { |t| t['platform'] == 'mobile' }

mobile_counts = Hash.new(0)
mobile_mappings.each do |t|
  key = [
    t['id'],
    t['name'],
    t['platform'],
    t['mappingType']
  ]
  mobile_counts[key] += 1
end

mobile_rows = mobile_counts.map do |(id, name, platform, mapping_type), count|
  {
    attck_id: id,
    attck_name: name,
    platform: platform,
    mapping_type: mapping_type,
    count: count
  }
end

mobile_df = Daru::DataFrame.new(mobile_rows)

mobile_df.sort([:count], ascending: [false]).head(20)


Unnamed: 0,attck_id,attck_name,platform,mapping_type,count
15,T1658,Exploitation for Client Execution,mobile,exploitation_technique,7
5,T1456,Drive-By Compromise,mobile,exploitation_technique,5
9,T1623,Command and Scripting Interpreter,mobile,primary_impact,3
16,T1544,Ingress Tool Transfer,mobile,primary_impact,3
0,T1660,Phishing,mobile,exploitation_technique,2
2,T1658,Exploitation for Client Execution,mobile,primary_impact,2
17,T1629,Impair Defenses,mobile,secondary_impact,2
18,T1575,Native API,mobile,secondary_impact,2
19,T1623,Command and Scripting Interpreter,mobile,secondary_impact,2
20,T1406,Obfuscated Files or Information,mobile,secondary_impact,2


In [45]:
title = "<h1>Table 11: KEV CVEs with mobile ATT&CK mapping and today's EPSS score</h1>"
IRuby.display IRuby.html(title)

mobile_kev = []

df.each_row do |row|
  next unless row[:has_attck_mobile]

  mobile_kev << {
    cve: row[:cve_id],
    epss_today: row[:epss_today],
    epss_percentile: row[:epss_percentile]
  }
end


mobile_kev.each do |e|
  puts [e[:cve],e[:epss_today],e[:epss_percentile]].join(",")
end

puts "Total: #{mobile_kev.size}"


CVE-2021-38000,0.0251,0.84992
CVE-2022-38181,0.24547,0.95963
CVE-2023-4863,0.94083,0.999
CVE-2025-21479,0.00074,0.22575
CVE-2025-24085,0.28136,0.96346
CVE-2025-24200,0.4149,0.97298
CVE-2025-24201,0.00084,0.24517
CVE-2025-27363,0.76675,0.98906
CVE-2025-31200,0.01731,0.82041
CVE-2025-31201,0.04376,0.88664
CVE-2025-43200,0.00323,0.54874
CVE-2025-5419,0.01656,0.81646
CVE-2025-6554,0.00369,0.58269
CVE-2025-6558,0.00094,0.26715
Total: 14


In [46]:
title = "<h1>Figure 10: Timing scatterplot between KEV,CVE,MSF,PDN</h1>"
IRuby.display IRuby.html(title)


rows = df.map_rows do |row|

  exploit_date =
    if row[:has_commodity_exploit]
      row[:commodity_exploit_first_commit].strftime('%Y-%m-%d')
    end

  metasploit_date =
    if row[:metasploit_first_commit]
      row[:metasploit_first_commit].strftime('%Y-%m-%d')
    end

  nuclei_date =
    if row[:nuclei_first_commit]
      row[:nuclei_first_commit].strftime('%Y-%m-%d')
    end

  kev_date =
    row[:kev_date_added] ? Date.parse(row[:kev_date_added].to_s).strftime('%Y-%m-%d') : nil

  cve_date =
    row[:cve_data_present] && row[:cve_date_added] ? row[:cve_date_added].strftime('%Y-%m-%d') : nil

  [
    row[:cve_id],
    kev_date,
    cve_date,
    exploit_date,
    metasploit_date,
    nuclei_date
  ]
end

# Sort by KEV date added (YYYY-MM-DD)
rows.sort_by! { |r| r[1] || '9999-12-31' }

puts CSV.generate_line([
  'CVE',
  'KEV published',
  'CVE published',
  'Exploit commit',
  'Metasploit commit',
  'Nuclei commit',
])

# Uncomment to get the 1500-line table
# rows.each {|row| puts CSV.generate_line(row)}

# Comment this if you want just the table above
rows[0,20].each {|row| puts CSV.generate_line(row)}

rows.size

CVE,KEV published,CVE published,Exploit commit,Metasploit commit,Nuclei commit
CVE-2021-23874,2021-11-03,2021-02-10,,,
CVE-2021-33771,2021-11-03,2021-07-14,,,
CVE-2016-9563,2021-11-03,2016-11-23,,,
CVE-2020-1147,2021-11-03,2020-07-14,2020-07-29,2020-07-29,
CVE-2020-10987,2021-11-03,2020-07-13,2025-05-29,,2025-05-29
CVE-2020-1054,2021-11-03,2020-05-21,2020-11-26,2020-11-26,
CVE-2020-1040,2021-11-03,2020-07-14,,,
CVE-2017-0143,2021-11-03,2017-03-17,2017-03-29,2017-03-29,
CVE-2020-10221,2021-11-03,2020-03-08,,,
CVE-2020-1020,2021-11-03,2020-04-15,,,
CVE-2020-10199,2021-11-03,2020-04-01,2020-04-04,2020-04-04,2021-01-02
CVE-2020-10189,2021-11-03,2020-03-06,2020-03-10,2020-03-10,2024-04-16
CVE-2017-0199,2021-11-03,2017-04-12,2017-04-15,2017-04-15,
CVE-2020-10181,2021-11-03,2020-03-11,,,
CVE-2020-10148,2021-11-03,2020-12-29,2021-01-02,,2021-01-02
CVE-2021-20090,2021-11-03,2021-04-29,2021-08-10,,2021-08-10
CVE-2021-38647,2021-11-03,2021-09-15,2021-09-15,2021-10-25,2021-09-15
CVE-2020-0986,2021

1501

In [47]:
title = "<h1>Figure 11: Same-day Commodity Exploitation of KEVs</h1>"
IRuby.display IRuby.html(title)

df_same_day_kev_and_cve = df.where(
  df.each_row.map do |row|
    next false unless row[:kev_date_added] && row[:cve_date_added]

    Date.parse(row[:kev_date_added].to_s) == row[:cve_date_added].to_date
  end
)

coordinated_exploits = []

df_same_day_kev_and_cve.each_row do |row|
  cve_day = row[:cve_date_added].to_date

  anchor = DateTime.new(cve_day.year, cve_day.month, cve_day.day, 12, 0, 0)
  window_start = anchor - 7
  window_end   = anchor + 7

  if row[:metasploit_first_commit] &&
     row[:metasploit_first_commit] >= window_start &&
     row[:metasploit_first_commit] <= window_end

    coordinated_exploits << {
      cve: row[:cve_id],
      kev_name: row[:kev_vulnerability_name],
      source: 'metasploit',
      exploit_dt: row[:metasploit_first_commit],
      kev_date: Date.parse(row[:kev_date_added].to_s),
      cve_date: row[:cve_date_added].to_date
    }
  end

  if row[:nuclei_first_commit] &&
     row[:nuclei_first_commit] >= window_start &&
     row[:nuclei_first_commit] <= window_end

    coordinated_exploits << {
      cve: row[:cve_id],
      kev_name: row[:kev_vulnerability_name],
      source: 'nuclei',
      exploit_dt: row[:nuclei_first_commit],
      kev_date: Date.parse(row[:kev_date_added].to_s),
      cve_date: row[:cve_date_added].to_date
    }
  end
end

puts CSV.generate_line([
  'CVE',
  'KEV vulnerability',
  'Exploit source',
  'CVE published',
  'KEV added',
  'Exploit first commit',
  'KEV to CVE Delta',
  'KEV to Exploit Delta'
])

coordinated_exploits.each do |e|
  puts CSV.generate_line([
    e[:cve],
    e[:kev_name],
    e[:source],
    e[:cve_date],
    e[:kev_date],
    e[:exploit_dt].to_date,
    (e[:kev_date] - e[:cve_date]).to_i,
    (e[:exploit_dt].to_date - e[:kev_date]).to_i
  ])
end

title = "<h1>Finding: Coordinated-feeling KEVs</h1>"
IRuby.display IRuby.html(title)

puts "Same-day KEV and CVE publishing: #{df_same_day_kev_and_cve.size}"
puts "Coordinated exploits (inside one day): #{coordinated_exploits.size}"


CVE,KEV vulnerability,Exploit source,CVE published,KEV added,Exploit first commit,KEV to CVE Delta,KEV to Exploit Delta
CVE-2021-44228,Apache Log4j2 Remote Code Execution,metasploit,2021-12-10,2021-12-10,2021-12-13,0,3
CVE-2021-44228,Apache Log4j2 Remote Code Execution,nuclei,2021-12-10,2021-12-10,2021-12-11,0,1
CVE-2022-37042,Synacor Zimbra Collaboration Suite (ZCS) Authentication Bypass,nuclei,2022-08-11,2022-08-11,2022-08-17,0,6
CVE-2023-20198,Cisco IOS XE Web UI Privilege Escalation,nuclei,2023-10-16,2023-10-16,2023-10-18,0,2
CVE-2023-35078,Ivanti Endpoint Manager Mobile Authentication Bypass,nuclei,2023-07-25,2023-07-25,2023-07-28,0,3
CVE-2024-0012,Palo Alto Networks PAN-OS Management Interface Authentication Bypass,metasploit,2024-11-18,2024-11-18,2024-11-19,0,1
CVE-2024-0012,Palo Alto Networks PAN-OS Management Interface Authentication Bypass,nuclei,2024-11-18,2024-11-18,2024-11-19,0,1
CVE-2024-21893,"Ivanti Connect Secure, Policy Secure, and Neurons Server-Side Request Forgery 

Same-day KEV and CVE publishing: 124
Coordinated exploits (inside one day): 18


In [48]:
title = "<h1>Appendix: Metasploitable KEVs</h1>"
IRuby.display IRuby.html(title)

df_with_ms = df.where(df[:has_metasploit].eq(true))

puts "CVE_ID,KEV_Vulnerability_Name,CVSS_Severity"

df_with_ms.each_row do |row|
  cve_id = row[:cve_id]
  kev_name = row[:kev_vulnerability_name].to_s.gsub(/,/, ';') # sanitize commas
  severity = row[:cvss_base_severity].to_s

  puts [cve_id, kev_name, severity].join(',')
end


CVE_ID,KEV_Vulnerability_Name,CVSS_Severity
CVE-2005-2773,HP OpenView Network Node Manager Remote Code Execution,CRITICAL
CVE-2007-3010,Alcatel OmniPCX Enterprise Remote Code Execution,CRITICAL
CVE-2007-5659,Adobe Acrobat and Reader Buffer Overflow,HIGH
CVE-2008-2992,Adobe Reader and Acrobat Input Validation,HIGH
CVE-2009-0927,Adobe Reader and Adobe Acrobat Stack-Based Buffer Overflow,HIGH
CVE-2009-1151,phpMyAdmin Remote Code Execution,CRITICAL
CVE-2009-3129,Microsoft Excel Featheader Record Memory Corruption,HIGH
CVE-2009-3953,Adobe Acrobat and Reader Universal 3D Remote Code Execution,HIGH
CVE-2009-3960,Adobe BlazeDS Information Disclosure,MEDIUM
CVE-2009-4324,Adobe Acrobat and Reader Use-After-Free,HIGH
CVE-2010-0188,Adobe Reader and Acrobat Arbitrary Code Execution,HIGH
CVE-2010-0232,Microsoft Windows Kernel Exception Handler,HIGH
CVE-2010-0738,Red Hat JBoss Authentication Bypass,MEDIUM
CVE-2010-0840,Oracle JRE Unspecified,CRITICAL
CVE-2010-1297,Adobe Flash Player Memory Corruption

Unnamed: 0,cve_id,schema_version,date_generated,cve_data_present,kev_vulnerability_name,kev_vendor_project,kev_date_added,kev_day_added,kev_date_due,kev_days_allotted,kev_short_deadline,kev_ransomware,kev_holiday,cve_date_added,cvss_version,cvss_attack_vector,cvss_attack_complexity,cvss_privileges_required,cvss_scope,cvss_user_interaction,cvss_confidentiality_impact,cvss_integrity_impact,cvss_availability_impact,cvss_vector_string,cvss_base_score,cvss_base_severity,kev_cwes,cve_cwes,ssvc_exploitation,ssvc_automatable,ssvc_technical_impact,has_metasploit,metasploit_modules,metasploit_module_count,metasploit_first_commit,min_metasploit_delta,has_nuclei,nuclei_template_count,nuclei_first_commit,min_nuclei_delta,has_commodity_exploit,commodity_exploit_first_commit,epss_today,epss_percentile,epss_delta,attck_enterprise,has_attck_enterprise,attck_enterprise_technique_count,attck_enterprise_capability_groups,attck_mobile,has_attck_mobile,has_attck,attck_mobile_technique_count,attck_mobile_capability_groups
4,CVE-2005-2773,1.0.0-dev,2026-01-28T16:28:40+00:00,true,HP OpenView Network Node Manager Remote Code Execution,Hewlett Packard (HP),2022-03-25,Friday,2022-04-15,21,false,false,,2005-09-02T04:00:00+00:00,3.1,NETWORK,LOW,NONE,UNCHANGED,NONE,HIGH,HIGH,HIGH,CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H,9.8,CRITICAL,,,active,yes,total,true,"[{""module""=>""exploits/unix/webapp/openview_connectednodes_exec.rb"", ""firstCommitDate""=>""2007-01-05T04:28:32.000Z"", ""deltaFromCve""=>490, ""deltaFromKev""=>-5558}]",1,2007-01-05T04:28:32+00:00,-5558,false,0,,,true,2007-01-05T04:28:32+00:00,0.89464,0.99535,0.0,[],false,0,,[],false,false,0,
8,CVE-2007-3010,1.0.0-dev,2026-01-28T16:28:40+00:00,true,Alcatel OmniPCX Enterprise Remote Code Execution,Alcatel,2022-04-15,Friday,2022-05-06,21,false,false,,2007-09-18T21:00:00+00:00,3.1,NETWORK,LOW,NONE,UNCHANGED,NONE,HIGH,HIGH,HIGH,CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H,9.8,CRITICAL,CWE-20,,active,yes,total,true,"[{""module""=>""exploits/linux/http/alcatel_omnipcx_mastercgi_exec.rb"", ""firstCommitDate""=>""2009-09-01T03:43:16.000Z"", ""deltaFromCve""=>714, ""deltaFromKev""=>-4609}]",1,2009-09-01T03:43:16+00:00,-4609,true,1,2023-10-13T16:05:59+00:00,546,true,2009-09-01T03:43:16+00:00,0.94007,0.99888,0.0,[],false,0,,[],false,false,0,
9,CVE-2007-5659,1.0.0-dev,2026-01-28T16:28:40+00:00,true,Adobe Acrobat and Reader Buffer Overflow,Adobe,2022-06-08,Wednesday,2022-06-22,14,true,false,,2008-02-12T18:00:00+00:00,3.1,LOCAL,LOW,NONE,UNCHANGED,REQUIRED,HIGH,HIGH,HIGH,CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H,7.8,HIGH,CWE-119,,active,no,total,true,"[{""module""=>""exploits/windows/fileformat/adobe_collectemailinfo.rb"", ""firstCommitDate""=>""2009-03-28T16:14:32.000Z"", ""deltaFromCve""=>410, ""deltaFromKev""=>-4820}]",1,2009-03-28T16:14:32+00:00,-4820,false,0,,,true,2009-03-28T16:14:32+00:00,0.93512,0.99816,0.0,"[{""mappingType""=>""exploitation_technique"", ""id""=>""T1204.002"", ""name""=>""Malicious File"", ""capabilityGroup""=>""buffer_overflow"", ""source""=>""CTID-7/28/2025""}]",true,1,buffer_overflow,[],false,true,0,
11,CVE-2008-2992,1.0.0-dev,2026-01-28T16:28:40+00:00,true,Adobe Reader and Acrobat Input Validation,Adobe,2022-03-03,Thursday,2022-03-24,21,false,true,,2008-11-04T18:00:00+00:00,3.1,LOCAL,LOW,NONE,UNCHANGED,REQUIRED,HIGH,HIGH,HIGH,CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H,7.8,HIGH,CWE-119,,active,no,total,true,"[{""module""=>""exploits/windows/fileformat/adobe_utilprintf.rb"", ""firstCommitDate""=>""2008-12-03T16:19:25.000Z"", ""deltaFromCve""=>29, ""deltaFromKev""=>-4838}, {""module""=>""exploits/windows/browser/adobe_utilprintf.rb"", ""firstCommitDate""=>""2008-12-15T15:44:02.000Z"", ""deltaFromCve""=>41, ""deltaFromKev""=>-4826}]",2,2008-12-03T16:19:25+00:00,-4838,false,0,,,true,2008-12-03T16:19:25+00:00,0.93739,0.99843,0.0,"[{""mappingType""=>""exploitation_technique"", ""id""=>""T1204.002"", ""name""=>""Malicious File"", ""capabilityGroup""=>""input_validation"", ""source""=>""CTID-7/28/2025""}]",true,1,input_validation,[],false,true,0,
16,CVE-2009-0927,1.0.0-dev,2026-01-28T16:28:40+00:00,true,Adobe Reader and Adobe Acrobat Stack-Based Buffer Overflow,Adobe,2022-03-25,Friday,2022-04-15,21,false,false,,2009-03-19T10:00:00+00:00,3.1,NETWORK,LOW,NONE,UNCHANGED,REQUIRED,HIGH,HIGH,HIGH,CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H,8.8,HIGH,CWE-20,,active,no,total,true,"[{""module""=>""exploits/windows/browser/adobe_geticon.rb"", ""firstCommitDate""=>""2009-03-28T07:40:29.000Z"", ""deltaFromCve""=>9, ""deltaFromKev""=>-4745}, {""module""=>""exploits/windows/fileformat/adobe_geticon.rb"", ""firstCommitDate""=>""2009-03-28T07:40:29.000Z"", ""deltaFromCve""=>9, ""deltaFromKev""=>-4745}]",2,2009-03-28T07:40:29+00:00,-4745,false,0,,,true,2009-03-28T07:40:29+00:00,0.93507,0.99816,0.0,[],false,0,,[],false,false,0,
18,CVE-2009-1151,1.0.0-dev,2026-01-28T16:28:40+00:00,true,phpMyAdmin Remote Code Execution,phpMyAdmin,2022-03-25,Friday,2022-04-15,21,false,false,,2009-03-26T14:00:00+00:00,3.1,NETWORK,LOW,NONE,UNCHANGED,NONE,HIGH,HIGH,HIGH,CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H,9.8,CRITICAL,CWE-94,,active,yes,total,true,"[{""module""=>""exploits/unix/webapp/phpmyadmin_config.rb"", ""firstCommitDate""=>""2009-11-16T08:42:32.000Z"", ""deltaFromCve""=>235, ""deltaFromKev""=>-4512}]",1,2009-11-16T08:42:32+00:00,-4512,true,1,2021-04-14T12:04:59+00:00,-345,true,2009-11-16T08:42:32+00:00,0.92956,0.99766,0.0,[],false,0,,[],false,false,0,
21,CVE-2009-3129,1.0.0-dev,2026-01-28T16:28:40+00:00,true,Microsoft Excel Featheader Record Memory Corruption,Microsoft,2022-03-03,Thursday,2022-03-24,21,false,false,,2009-11-11T19:00:00+00:00,3.1,LOCAL,LOW,NONE,UNCHANGED,REQUIRED,HIGH,HIGH,HIGH,CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H,7.8,HIGH,CWE-94,,active,no,total,true,"[{""module""=>""exploits/windows/fileformat/ms09_067_excel_featheader.rb"", ""firstCommitDate""=>""2010-02-12T20:52:41.000Z"", ""deltaFromCve""=>93, ""deltaFromKev""=>-4402}]",1,2010-02-12T20:52:41+00:00,-4402,false,0,,,true,2010-02-12T20:52:41+00:00,0.91648,0.99663,0.0,[],false,0,,[],false,false,0,
22,CVE-2009-3953,1.0.0-dev,2026-01-28T16:28:40+00:00,true,Adobe Acrobat and Reader Universal 3D Remote Code Execution,Adobe,2022-06-08,Wednesday,2022-06-22,14,true,false,,2010-01-13T19:00:00+00:00,3.1,NETWORK,LOW,NONE,UNCHANGED,REQUIRED,HIGH,HIGH,HIGH,CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H,8.8,HIGH,CWE-119,,active,no,total,true,"[{""module""=>""exploits/windows/fileformat/adobe_u3d_meshdecl.rb"", ""firstCommitDate""=>""2009-11-25T22:24:10.000Z"", ""deltaFromCve""=>-49, ""deltaFromKev""=>-4578}]",1,2009-11-25T22:24:10+00:00,-4578,false,0,,,true,2009-11-25T22:24:10+00:00,0.90514,0.99591,0.0,"[{""mappingType""=>""exploitation_technique"", ""id""=>""T1204.002"", ""name""=>""Malicious File"", ""capabilityGroup""=>""code_execution"", ""source""=>""CTID-7/28/2025""}]",true,1,code_execution,[],false,true,0,
23,CVE-2009-3960,1.0.0-dev,2026-01-28T16:28:40+00:00,true,Adobe BlazeDS Information Disclosure,Adobe,2022-03-07,Monday,2022-09-07,184,false,true,,2010-02-15T18:00:00+00:00,3.1,NETWORK,LOW,NONE,UNCHANGED,REQUIRED,HIGH,NONE,NONE,CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N,6.5,MEDIUM,,,active,no,partial,true,"[{""module""=>""auxiliary/scanner/http/adobe_xml_inject.rb"", ""firstCommitDate""=>""2010-11-04T02:11:31.000Z"", ""deltaFromCve""=>262, ""deltaFromKev""=>-4141}]",1,2010-11-04T02:11:31+00:00,-4141,false,0,,,true,2010-11-04T02:11:31+00:00,0.8874,0.99496,0.0,"[{""mappingType""=>""exploitation_technique"", ""id""=>""T1190"", ""name""=>""Exploit Public-Facing Application"", ""capabilityGroup""=>""access_ctrl"", ""source""=>""CTID-7/28/2025""}, {""mappingType""=>""primary_impact"", ""id""=>""T1486"", ""name""=>""Data Encrypted for Impact"", ""capabilityGroup""=>""access_ctrl"", ""source""=>""CTID-7/28/2025""}]",true,2,access_ctrl,[],false,true,0,
24,CVE-2009-4324,1.0.0-dev,2026-01-28T16:28:40+00:00,true,Adobe Acrobat and Reader Use-After-Free,Adobe,2022-06-08,Wednesday,2022-06-22,14,true,false,,2009-12-15T02:00:00+00:00,3.1,LOCAL,LOW,NONE,UNCHANGED,REQUIRED,HIGH,HIGH,HIGH,CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H,7.8,HIGH,CWE-399,,active,no,total,true,"[{""module""=>""exploits/windows/fileformat/adobe_media_newplayer.rb"", ""firstCommitDate""=>""2009-12-15T20:15:08.000Z"", ""deltaFromCve""=>0, ""deltaFromKev""=>-4558}, {""module""=>""exploits/windows/browser/adobe_media_newplayer.rb"", ""firstCommitDate""=>""2009-12-16T20:37:57.000Z"", ""deltaFromCve""=>1, ""deltaFromKev""=>-4557}]",2,2009-12-15T20:15:08+00:00,-4558,false,0,,,true,2009-12-15T20:15:08+00:00,0.93013,0.99771,0.0,"[{""mappingType""=>""exploitation_technique"", ""id""=>""T1204.002"", ""name""=>""Malicious File"", ""capabilityGroup""=>""use_after_free"", ""source""=>""CTID-7/28/2025""}, {""mappingType""=>""primary_impact"", ""id""=>""T1071.001"", ""name""=>""Web Protocols"", ""capabilityGroup""=>""use_after_free"", ""source""=>""CTID-7/28/2025""}]",true,2,use_after_free,[],false,true,0,


In [49]:
df_with_nuclei = df.where(df[:has_nuclei].eq(true))

title = "<h1>Appendix: Nucleiable KEVs</h1>"
IRuby.display IRuby.html(title)

puts "CVE_ID,KEV_Vulnerability_Name,CVSS_Severity"

df_with_nuclei.each_row do |row|
  cve_id = row[:cve_id]
  kev_name = row[:kev_vulnerability_name].to_s.gsub(/,/, ';') # sanitize commas
  severity = row[:cvss_base_severity].to_s

  puts [cve_id, kev_name, severity].join(',')
end

CVE_ID,KEV_Vulnerability_Name,CVSS_Severity
CVE-2007-3010,Alcatel OmniPCX Enterprise Remote Code Execution,CRITICAL
CVE-2009-1151,phpMyAdmin Remote Code Execution,CRITICAL
CVE-2010-2861,Adobe ColdFusion Directory Traversal,CRITICAL
CVE-2012-1823,PHP-CGI Query String Parameter,CRITICAL
CVE-2013-2251,Apache Struts Improper Input Validation,CRITICAL
CVE-2014-3120,Elasticsearch Remote Code Execution,HIGH
CVE-2014-6271,GNU Bourne-Again Shell (Bash) Arbitrary Code Execution,CRITICAL
CVE-2014-6287,Rejetto HTTP File Server (HFS) Remote Code Execution,CRITICAL
CVE-2015-1427,Elasticsearch Groovy Scripting Engine Remote Code Execution,CRITICAL
CVE-2015-1635,Microsoft HTTP.sys Remote Code Execution,CRITICAL
CVE-2015-3035,TP-Link Multiple Archer Devices Directory Traversal,HIGH
CVE-2015-7450,IBM WebSphere Application Server and Server Hypervisor Edition Code Injection.,CRITICAL
CVE-2016-10033,PHPMailer Command Injection,CRITICAL
CVE-2016-1555,NETGEAR Multiple WAP Devices Command Injection,CRITICAL


Unnamed: 0,cve_id,schema_version,date_generated,cve_data_present,kev_vulnerability_name,kev_vendor_project,kev_date_added,kev_day_added,kev_date_due,kev_days_allotted,kev_short_deadline,kev_ransomware,kev_holiday,cve_date_added,cvss_version,cvss_attack_vector,cvss_attack_complexity,cvss_privileges_required,cvss_scope,cvss_user_interaction,cvss_confidentiality_impact,cvss_integrity_impact,cvss_availability_impact,cvss_vector_string,cvss_base_score,cvss_base_severity,kev_cwes,cve_cwes,ssvc_exploitation,ssvc_automatable,ssvc_technical_impact,has_metasploit,metasploit_modules,metasploit_module_count,metasploit_first_commit,min_metasploit_delta,has_nuclei,nuclei_template_count,nuclei_first_commit,min_nuclei_delta,has_commodity_exploit,commodity_exploit_first_commit,epss_today,epss_percentile,epss_delta,attck_enterprise,has_attck_enterprise,attck_enterprise_technique_count,attck_enterprise_capability_groups,attck_mobile,has_attck_mobile,has_attck,attck_mobile_technique_count,attck_mobile_capability_groups
8,CVE-2007-3010,1.0.0-dev,2026-01-28T16:28:40+00:00,true,Alcatel OmniPCX Enterprise Remote Code Execution,Alcatel,2022-04-15,Friday,2022-05-06,21,false,false,,2007-09-18T21:00:00+00:00,3.1,NETWORK,LOW,NONE,UNCHANGED,NONE,HIGH,HIGH,HIGH,CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H,9.8,CRITICAL,CWE-20,,active,yes,total,true,"[{""module""=>""exploits/linux/http/alcatel_omnipcx_mastercgi_exec.rb"", ""firstCommitDate""=>""2009-09-01T03:43:16.000Z"", ""deltaFromCve""=>714, ""deltaFromKev""=>-4609}]",1,2009-09-01T03:43:16+00:00,-4609,true,1,2023-10-13T16:05:59+00:00,546,true,2009-09-01T03:43:16+00:00,0.94007,0.99888,0.0,[],false,0,,[],false,false,0,
18,CVE-2009-1151,1.0.0-dev,2026-01-28T16:28:40+00:00,true,phpMyAdmin Remote Code Execution,phpMyAdmin,2022-03-25,Friday,2022-04-15,21,false,false,,2009-03-26T14:00:00+00:00,3.1,NETWORK,LOW,NONE,UNCHANGED,NONE,HIGH,HIGH,HIGH,CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H,9.8,CRITICAL,CWE-94,,active,yes,total,true,"[{""module""=>""exploits/unix/webapp/phpmyadmin_config.rb"", ""firstCommitDate""=>""2009-11-16T08:42:32.000Z"", ""deltaFromCve""=>235, ""deltaFromKev""=>-4512}]",1,2009-11-16T08:42:32+00:00,-4512,true,1,2021-04-14T12:04:59+00:00,-345,true,2009-11-16T08:42:32+00:00,0.92956,0.99766,0.0,[],false,0,,[],false,false,0,
34,CVE-2010-2861,1.0.0-dev,2026-01-28T16:28:40+00:00,true,Adobe ColdFusion Directory Traversal,Adobe,2022-03-25,Friday,2022-04-15,21,false,true,,2010-08-11T18:00:00+00:00,3.1,NETWORK,LOW,NONE,UNCHANGED,NONE,HIGH,HIGH,HIGH,CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H,9.8,CRITICAL,CWE-22,,active,yes,total,true,"[{""module""=>""auxiliary/scanner/http/coldfusion_locale_traversal.rb"", ""firstCommitDate""=>""2010-09-01T01:49:06.000Z"", ""deltaFromCve""=>21, ""deltaFromKev""=>-4223}]",1,2010-09-01T01:49:06+00:00,-4223,true,1,2021-03-01T04:26:27+00:00,-389,true,2010-09-01T01:49:06+00:00,0.94237,0.99922,0.0,"[{""mappingType""=>""exploitation_technique"", ""id""=>""T1190"", ""name""=>""Exploit Public-Facing Application"", ""capabilityGroup""=>""dir_traversal"", ""source""=>""CTID-7/28/2025""}, {""mappingType""=>""secondary_impact"", ""id""=>""T1119"", ""name""=>""Automated Collection"", ""capabilityGroup""=>""dir_traversal"", ""source""=>""CTID-7/28/2025""}, {""mappingType""=>""primary_impact"", ""id""=>""T1105"", ""name""=>""Ingress Tool Transfer"", ""capabilityGroup""=>""dir_traversal"", ""source""=>""CTID-7/28/2025""}]",true,3,dir_traversal,[],false,true,0,
65,CVE-2012-1823,1.0.0-dev,2026-01-28T16:28:40+00:00,true,PHP-CGI Query String Parameter,PHP,2022-03-25,Friday,2022-04-15,21,false,false,,2012-05-11T10:00:00+00:00,3.1,NETWORK,LOW,NONE,UNCHANGED,NONE,HIGH,HIGH,HIGH,CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H,9.8,CRITICAL,CWE-20,,active,yes,total,true,"[{""module""=>""exploits/multi/http/php_cgi_arg_injection.rb"", ""firstCommitDate""=>""2012-05-04T14:59:40.000Z"", ""deltaFromCve""=>-7, ""deltaFromKev""=>-3612}]",1,2012-05-04T14:59:40+00:00,-3612,true,1,2021-07-20T09:32:27+00:00,-248,true,2012-05-04T14:59:40+00:00,0.94386,0.99968,0.0,[],false,0,,[],false,false,0,
92,CVE-2013-2251,1.0.0-dev,2026-01-28T16:28:40+00:00,true,Apache Struts Improper Input Validation,Apache,2022-03-25,Friday,2022-04-15,21,false,false,,2013-07-18T01:00:00+00:00,3.1,NETWORK,LOW,NONE,UNCHANGED,NONE,HIGH,HIGH,HIGH,CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H,9.8,CRITICAL,CWE-20,,active,yes,total,true,"[{""module""=>""exploits/multi/http/struts_default_action_mapper.rb"", ""firstCommitDate""=>""2013-07-24T13:52:02.000Z"", ""deltaFromCve""=>6, ""deltaFromKev""=>-3166}]",1,2013-07-24T13:52:02+00:00,-3166,true,1,2021-01-02T04:22:04+00:00,-447,true,2013-07-24T13:52:02+00:00,0.94328,0.99949,0.0,[],false,0,,[],false,false,0,
129,CVE-2014-3120,1.0.0-dev,2026-01-28T16:28:40+00:00,true,Elasticsearch Remote Code Execution,Elastic,2022-03-25,Friday,2022-04-15,21,false,false,,2014-07-28T19:00:00+00:00,3.1,NETWORK,LOW,LOW,UNCHANGED,NONE,HIGH,HIGH,NONE,CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N,8.1,HIGH,CWE-284,,active,no,partial,true,"[{""module""=>""exploits/multi/elasticsearch/script_mvel_rce.rb"", ""firstCommitDate""=>""2014-05-27T23:01:16.000Z"", ""deltaFromCve""=>-62, ""deltaFromKev""=>-2859}]",1,2014-05-27T23:01:16+00:00,-2859,true,1,2021-02-15T13:35:15+00:00,-403,true,2014-05-27T23:01:16+00:00,0.85557,0.99344,0.0,[],false,0,,[],false,false,0,
138,CVE-2014-6271,1.0.0-dev,2026-01-28T16:28:41+00:00,true,GNU Bourne-Again Shell (Bash) Arbitrary Code Execution,GNU,2022-01-28,Friday,2022-07-28,181,false,false,,2014-09-24T18:00:00+00:00,3.1,NETWORK,LOW,NONE,UNCHANGED,NONE,HIGH,HIGH,HIGH,CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H,9.8,CRITICAL,CWE-78,,active,yes,total,true,"[{""module""=>""exploits/osx/local/vmware_bash_function_root.rb"", ""firstCommitDate""=>""2014-09-24T22:44:14.000Z"", ""deltaFromCve""=>0, ""deltaFromKev""=>-2683}, {""module""=>""auxiliary/scanner/http/apache_mod_cgi_bash_env.rb"", ""firstCommitDate""=>""2014-09-24T23:56:16.000Z"", ""deltaFromCve""=>0, ""deltaFromKev""=>-2683}, {""module""=>""exploits/multi/http/apache_mod_cgi_bash_env_exec.rb"", ""firstCommitDate""=>""2014-09-25T18:26:57.000Z"", ""deltaFromCve""=>1, ""deltaFromKev""=>-2682}, {""module""=>""auxiliary/server/dhclient_bash_env.rb"", ""firstCommitDate""=>""2014-09-26T04:37:00.000Z"", ""deltaFromCve""=>2, ""deltaFromKev""=>-2681}, {""module""=>""exploits/unix/dhcp/bash_environment.rb"", ""firstCommitDate""=>""2014-09-26T06:24:42.000Z"", ""deltaFromCve""=>2, ""deltaFromKev""=>-2681}, {""module""=>""exploits/multi/ftp/pureftpd_bash_env_exec.rb"", ""firstCommitDate""=>""2014-10-01T18:57:40.000Z"", ""deltaFromCve""=>7, ""deltaFromKev""=>-2676}, {""module""=>""exploits/multi/http/cups_bash_env_exec.rb"", ""firstCommitDate""=>""2014-10-19T17:58:49.000Z"", ""deltaFromCve""=>25, ""deltaFromKev""=>-2658}, {""module""=>""exploits/linux/http/advantech_switch_bash_env_exec.rb"", ""firstCommitDate""=>""2015-12-01T17:33:45.000Z"", ""deltaFromCve""=>433, ""deltaFromKev""=>-2250}, {""module""=>""exploits/linux/http/ipfire_bashbug_exec.rb"", ""firstCommitDate""=>""2016-05-30T00:40:12.000Z"", ""deltaFromCve""=>614, ""deltaFromKev""=>-2069}, {""module""=>""exploits/unix/smtp/qmail_bash_env_exec.rb"", ""firstCommitDate""=>""2017-05-04T13:44:18.000Z"", ""deltaFromCve""=>953, ""deltaFromKev""=>-1730}]",10,2014-09-24T22:44:14+00:00,-2683,true,1,2021-01-02T04:22:04+00:00,-391,true,2014-09-24T22:44:14+00:00,0.94213,0.99916,0.0,"[{""mappingType""=>""exploitation_technique"", ""id""=>""T1190"", ""name""=>""Exploit Public-Facing Application"", ""capabilityGroup""=>""code_execution"", ""source""=>""CTID-7/28/2025""}, {""mappingType""=>""exploitation_technique"", ""id""=>""T1133"", ""name""=>""External Remote Services"", ""capabilityGroup""=>""code_execution"", ""source""=>""CTID-7/28/2025""}, {""mappingType""=>""primary_impact"", ""id""=>""T1059.004"", ""name""=>""Unix Shell"", ""capabilityGroup""=>""code_execution"", ""source""=>""CTID-7/28/2025""}]",true,3,code_execution,[],false,true,0,
140,CVE-2014-6287,1.0.0-dev,2026-01-28T16:28:40+00:00,true,Rejetto HTTP File Server (HFS) Remote Code Execution,Rejetto,2022-03-25,Friday,2022-04-15,21,false,false,,2014-10-07T10:00:00+00:00,3.1,NETWORK,LOW,NONE,UNCHANGED,NONE,HIGH,HIGH,HIGH,CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H,9.8,CRITICAL,CWE-94,,active,yes,total,true,"[{""module""=>""exploits/windows/http/rejetto_hfs_exec.rb"", ""firstCommitDate""=>""2014-10-08T16:55:33.000Z"", ""deltaFromCve""=>1, ""deltaFromKev""=>-2725}]",1,2014-10-08T16:55:33+00:00,-2725,true,1,2023-04-01T18:50:04+00:00,372,true,2014-10-08T16:55:33+00:00,0.94363,0.9996,0.0,[],false,0,,[],false,false,0,
156,CVE-2015-1427,1.0.0-dev,2026-01-28T16:28:40+00:00,true,Elasticsearch Groovy Scripting Engine Remote Code Execution,Elastic,2022-03-25,Friday,2022-04-15,21,false,false,,2015-02-17T15:00:00+00:00,3.1,NETWORK,LOW,NONE,UNCHANGED,NONE,HIGH,HIGH,HIGH,CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H,9.8,CRITICAL,CWE-284,,active,yes,total,true,"[{""module""=>""exploits/multi/elasticsearch/search_groovy_script.rb"", ""firstCommitDate""=>""2015-03-10T04:04:32.000Z"", ""deltaFromCve""=>21, ""deltaFromKev""=>-2572}]",1,2015-03-10T04:04:32+00:00,-2572,true,1,2021-02-15T18:17:25+00:00,-403,true,2015-03-10T04:04:32+00:00,0.92326,0.99711,0.0,[],false,0,,[],false,false,0,
157,CVE-2015-1635,1.0.0-dev,2026-01-28T16:28:41+00:00,true,Microsoft HTTP.sys Remote Code Execution,Microsoft,2022-02-10,Thursday,2022-08-10,181,false,false,,2015-04-14T20:00:00+00:00,3.1,NETWORK,LOW,NONE,UNCHANGED,NONE,HIGH,HIGH,HIGH,CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H,9.8,CRITICAL,CWE-94,,active,yes,total,true,"[{""module""=>""auxiliary/dos/http/ms15_034_ulonglongadd.rb"", ""firstCommitDate""=>""2015-04-15T18:13:16.000Z"", ""deltaFromCve""=>1, ""deltaFromKev""=>-2493}, {""module""=>""auxiliary/scanner/http/ms15_034_http_sys_memory_dump.rb"", ""firstCommitDate""=>""2015-06-23T06:08:34.000Z"", ""deltaFromCve""=>70, ""deltaFromKev""=>-2424}]",2,2015-04-15T18:13:16+00:00,-2493,true,1,2023-11-23T15:24:42+00:00,651,true,2015-04-15T18:13:16+00:00,0.9431,0.99943,0.0,[],false,0,,[],false,false,0,


In [50]:
title = '<h1>That\'s all!</h1>'
body = '<p>That\'s it! To mess around with this material in a more pointy-clicky way, try <a href=\'https://runzero.com/kev-collider\'>KEV Collider</a>!</p>'
IRuby.display IRuby.html(title)
IRuby.display IRuby.html(body)