FAQ

No, CVEs do not only apply to software. They can also cover vulnerabilities in hardware, firmware, IoT components, operating systems, or even insecure default configurations. For example, flaws in routers, processors, or industrial equipment can also receive CVE identifiers.

This broad coverage allows for consideration of the various attack vectors in a modern information system. The key is that the vulnerability must be documented, confirmed, and publicly reported to be included in the CVE program. This enables security teams to assess risks across the entire infrastructure.