On our latest episode of runZero Hour I sat down with Rob King and Jerry Gamblin, Principal Engineer at Cisco, to dig into the state of vulnerability data in 2025.
From the explosion of CVE volume to the tools we’re building to make sense of it all, we covered a lot of ground. Here's a quick recap for those who missed it.
MCP: not the villain from TRON #
Jerry walked us through his latest project: a Model Context Protocol (MCP) server designed to help LLMs make smarter, more informed decisions about vulnerabilities. Think of an MCP as an API for APIs. Instead of training a giant bespoke model, MCPs let you feed real-time data into general-purpose LLMs from trusted sources with already great APIs like NVD, EPSS, and others.
In other words: contextual enrichment for vulnerability data, without the overhead and expense of building your own model from scratch.
But (and it’s a big but) you still need a human in the loop. Even the best LLMs are only about 90% accurate, which sounds great until you're wrong 1 out of 10 times in a customer-facing product. Automation is helpful. Blind trust isn’t.
CVE data quality is a mess #
We talked at length about the quality (or lack thereof) of today’s CVE records. The bar to publish a CVE is incredibly low. Descriptions can be as short as two characters, and as long as entire stack traces (thanks Linux kernel!), and there’s nobody enforcing a useful median between the two.
Some of our key takeaways:
- CPEs and PURLs are valuable but they’re also underused and often inconsistent.
- Microsoft gets props for robust CPE strings, but their CVE descriptions tend to be frustratingly vague.
- There’s growing concern over “CVE inflation”: the sheer number of new entries each year, many of which provide minimal context.
What’s missing isn’t more CVEs, it’s better CVEs.
The case for smarter publishing tools #
One of Jerry’s big points was that if we want better CVEs, we need better tooling for the people writing them. Today, most submissions go through clunky web forms or email. There's little validation, and almost no automated checks for completeness or clarity.
Imagine a CVE submission process that automatically suggests relevant CWE categories, flags vague descriptions, or nudges CNAs to provide richer references. We have the tech. We just haven’t built the workflows yet.
Rapid response rundown #
Before we wrapped, we covered several real-world threats that defenders should have on their radar:
- Roundcube Webmail: Still favored by nation-state attackers, and still popping up in places like European governments as well as state and local US governments, and commonly packaged in hosted email services.
- ConnectWise ScreenConnect: Remains a favorite target for espionage campaigns. If you use it, patch aggressively.
- ASUS Routers: A widespread compromise involving port 53282/TCP was uncovered by GreyNoise, with assists from Censys and runZero. If you spot that port open, it’s time to yank the cable.
As always, runZero customers can find all these insights and relevant queries in your console.
What’s next #
We gave a quick teaser of runZero’s upcoming Nuclei integration, which brings even more powerful scanning capabilities into the platform. We’re taking a targeted approach that avoids blind spraying. And yes, we’re contributing back to the open source community along the way. More on that in next month’s episode.
Don't miss another live session! Subscribe to the runZero Hour series. On the next episode we'll take a deeper dive into Nuclei, chat vulnerability scanning, and any other hot topics we feel like yelling about.
