Reserved But Exploited CVEs

import os
import vulncheck_sdk
import pandas as pd
from dotenv import load_dotenv
from vulncheck_sdk.models.api_exploit_v3_result import ApiExploitV3Result

load_dotenv()

DEFAULT_HOST = "https://api.vulncheck.com"
DEFAULT_API = DEFAULT_HOST + "/v3"
TOKEN = os.environ["VULNCHECK_API_TOKEN"]

# Configure API client
configuration = vulncheck_sdk.Configuration(host=DEFAULT_API)
configuration.api_key["Bearer"] = TOKEN

# Initialize containers
cve = []
exploits = []
nvd_published_date = []
vulncheck_kev_date_added = []
max_exploit_maturity = []
earliest_exploit_ref_date = []
earliest_exploit_ref_url = []
earliest_exploitation_ref_date = []
earliest_exploitation_ref_url = []

with vulncheck_sdk.ApiClient(configuration) as api_client:
    indices_client = vulncheck_sdk.IndicesApi(api_client)
    limit = 2000

    def process_entry(entry: ApiExploitV3Result):
        cve.append(entry.id)
        exploits.append(entry.counts.exploits)
        nvd_published_date.append(entry.timeline.nvd_published[:10] if entry.timeline.nvd_published else None)
        vulncheck_kev_date_added.append(entry.timeline.vulncheck_kev_date_added[:10] if entry.timeline.vulncheck_kev_date_added else None)
        max_exploit_maturity.append(entry.max_exploit_maturity if entry.max_exploit_maturity else None)

        # Earliest exploit reference
        if entry.exploits:
            valid_exploits = [e for e in entry.exploits if e.date_added]
            if valid_exploits:
                earliest = min(valid_exploits, key=lambda x: x.date_added)
                earliest_exploit_ref_date.append(earliest.date_added[:10])
                earliest_exploit_ref_url.append(earliest.url)
            else:
                earliest_exploit_ref_date.append(None)
                earliest_exploit_ref_url.append(None)
        else:
            earliest_exploit_ref_date.append(None)
            earliest_exploit_ref_url.append(None)

        # Earliest exploitation reference
        if entry.reported_exploitation:
            valid_reports = [r for r in entry.reported_exploitation if r.date_added]
            if valid_reports:
                earliest = min(valid_reports, key=lambda x: x.date_added)
                earliest_exploitation_ref_date.append(earliest.date_added[:10])
                earliest_exploitation_ref_url.append(earliest.url)
            else:
                earliest_exploitation_ref_date.append(None)
                earliest_exploitation_ref_url.append(None)
        else:
            earliest_exploitation_ref_date.append(None)
            earliest_exploitation_ref_url.append(None)

    # First API call
    api_response = indices_client.index_exploits_get(start_cursor="true", limit=limit)
    for entry in api_response.data:
        process_entry(entry)

    # Handle pagination
    while api_response.meta.next_cursor is not None:
        api_response = indices_client.index_exploits_get(cursor=api_response.meta.next_cursor, limit=limit)
        for entry in api_response.data:
            process_entry(entry)

# Create DataFrame
df = pd.DataFrame({
    'CVE': cve,
    '# of Exploits': exploits,
    'NVD Published Date': nvd_published_date,
    'VulnCheck KEV Added Date': vulncheck_kev_date_added,
    'Max Exploit Maturity': max_exploit_maturity,
    'Exploit Reference': earliest_exploit_ref_url,
    'Exploit Reference Date': earliest_exploit_ref_date,
    'Exploitation Reference': earliest_exploitation_ref_url,
    'Exploitation Reference Date': earliest_exploitation_ref_date
})

# Convert dates
df['VulnCheck KEV Added Date'] = pd.to_datetime(df['VulnCheck KEV Added Date'], errors='coerce')
df['Exploit Reference Date'] = pd.to_datetime(df['Exploit Reference Date'], errors='coerce')
df['Exploitation Reference Date'] = pd.to_datetime(df['Exploitation Reference Date'], errors='coerce')
df['NVD Published Date'] = pd.to_datetime(df['NVD Published Date'], errors='coerce')


# Build df_vendor_product from vulncheck_kev endpoint
with vulncheck_sdk.ApiClient(configuration) as api_client:
    indices_client = vulncheck_sdk.IndicesApi(api_client)

    limit = 2000
    cve = []
    vendor = []
    product = []

    # Initial API call
    api_response = indices_client.index_vulncheck_kev_get(start_cursor="true", limit=limit)

    # First page
    for entry in api_response.data:
        cve.append(entry.cve[0])
        vendor.append(entry.vendor_project)
        product.append(entry.product)

    # Pagination
    while api_response.meta.next_cursor is not None:
        api_response = indices_client.index_vulncheck_kev_get(cursor=api_response.meta.next_cursor, limit=limit)
        for entry in api_response.data:
            cve.append(entry.cve[0])
            vendor.append(entry.vendor_project)
            product.append(entry.product)

# Create DataFrame with just CVE, Vendor, Product
df_vendor_product = pd.DataFrame({
    'CVE': cve,
    'Vendor': vendor,
    'Product': product
})

# Merge into the main `df` on CVE
df = df.merge(df_vendor_product, on="CVE", how="left")

# Optional preview of merged result
display(df.head())

A list of Reserved CVEs that have not been published that have Evidence of Exploitation, Weaponized Exploits or Exploits. The list is prioritized in this order with exploit counts being used for the exploits section.

from IPython.display import display, HTML

# Step 1: Filter for CVEs where NVD Published Date is missing
df_filtered = df[df["NVD Published Date"].isna()].copy()

# Step 2: Assign sort group priorities
df_filtered["SortGroup"] = 3  # Default: POC

# Group 1: VulnCheck KEV present
df_filtered.loc[df_filtered["VulnCheck KEV Added Date"].notnull(), "SortGroup"] = 1

# Group 2: Weaponized and not in VulnCheck KEV
df_filtered.loc[
    (df_filtered["VulnCheck KEV Added Date"].isnull()) &
    (df_filtered["Max Exploit Maturity"] == "weaponized"),
    "SortGroup"
] = 2

# Step 3: Sort each group
group1 = df_filtered[df_filtered["SortGroup"] == 1].sort_values("VulnCheck KEV Added Date", ascending=False)
group2 = df_filtered[df_filtered["SortGroup"] == 2].sort_values("Exploit Reference Date", ascending=False)
group3 = df_filtered[df_filtered["SortGroup"] == 3].sort_values(
    ["# of Exploits", "Exploit Reference Date"],
    ascending=[False, False]
)

# Step 4: Concatenate and count
df_sorted = pd.concat([group1, group2, group3]).reset_index(drop=True)

# Step 5: Calculate "days since" values
today = pd.Timestamp.now().normalize()

def days_since(date):
    if pd.isnull(date) or date.year == 1970:
        return "-"
    return (today - date).days

df_sorted["Days Since Exploitation Reported"] = df_sorted["Exploitation Reference Date"].apply(days_since)
df_sorted["Days Since Exploit Published"] = df_sorted["Exploit Reference Date"].apply(days_since)

# Step 6: Conditional filtering based on exploitation or exploit date
def include_row(row):
    exp_days = row["Days Since Exploitation Reported"]
    poc_days = row["Days Since Exploit Published"]

    # If exploitation reported and it's older than 1 day → include
    if isinstance(exp_days, int) and exp_days > 1:
        return True

    # Else, if there's no valid exploitation, include only if exploit date is > 1
    if (pd.isnull(row["Exploitation Reference Date"]) or exp_days == "-") and isinstance(poc_days, int) and poc_days > 1:
        return True

    return False

df_filtered_days = df_sorted[df_sorted.apply(include_row, axis=1)]

# Step 7: Truncate to Top 50
total_reserved = len(df_filtered_days)
top_50 = df_filtered_days.head(50).copy()

# Step 8: Final column selection
display_df = top_50[[
    "CVE",
    "Vendor",
    "Product",
    "Max Exploit Maturity",
    "# of Exploits",
    "Days Since Exploitation Reported",
    "Days Since Exploit Published",
    "Exploitation Reference",
    "Exploit Reference"
]]

# Step 9: Replace NaNs with "-"
columns_to_clean = ["Vendor", "Product", "Max Exploit Maturity", "Exploitation Reference", "Exploit Reference"]
for col in columns_to_clean:
    display_df[col].fillna("-")

# Step 10: Title + Count + Scrollable HTML output
title_html = """
<h2 style="margin-bottom: 5px;">Top 50 RESERVED AND EXPLOIT(ED) CVE's</h2>
<p><strong>Total Count of Reserved CVE's with Exploitation/Exploit Evidence: {}</strong></p>
""".format(total_reserved)

table_html = display_df.to_html(index=False, escape=False)
scrollable_html = f"""
{title_html}
<div style="max-height: 500px; overflow-y: scroll; border: 1px solid #ccc; padding: 10px">
    {table_html}
</div>
"""

display(HTML(scrollable_html))

NIST NVD

NIST NVD Dashboard

Reserved CVE's

Reserved CVEs by Reference Count

Reserved But Exploited CVEs¶