Exploit Analysis
Analyze exploit intelligence for a vulnerability, build a threat model, compute CWSS priority scores, and assess repository impact.
The Exploit Analysis skill analyzes exploit intelligence for a specific vulnerability and assesses its impact against the current repository. It fetches exploit records, builds a MITRE ATT&CK-informed threat model, computes a CWSS priority score, and caches PoC source code for static analysis.
This skill does not modify application code – it only updates .vulnetix/memory.yaml to track findings. Use /vulnetix:fix for remediation.
Invocation
/vulnetix:exploits <vuln-id>
For example:
/vulnetix:exploits CVE-2021-44228
/vulnetix:exploits GHSA-jfh8-c2jp-5v3q
Workflow
1. Load Vulnerability Memory
Reads .vulnetix/memory.yaml and checks for prior entries matching the vuln ID or its aliases. If a prior entry exists, the skill displays the previous status, CWSS priority, last decision, and any Dependabot/CodeQL/Secret Scanning context before proceeding.
2. Fetch Exploit Data
Queries the Vulnetix VDB for exploit records:
vulnetix vdb exploits CVE-2021-44228 -o json
If the V1 response is empty, the V2 endpoint is tried automatically.
3. Parse Exploit Records
Exploits are grouped by source and presented in a structured table:
| Source | Type | Date | Description | Link |
|---|---|---|---|---|
| exploitdb | poc | 2021-12-15 | Remote code execution via log4j | [link] |
| metasploit | exploit-framework | 2021-12-20 | Log4Shell RCE module | [link] |
Exploit Types
| Type | Description |
|---|---|
| poc | Proof-of-concept code |
| exploit-framework | Metasploit, Canvas, or Nuclei modules |
| article | Technical writeups and blog posts |
| advisory | Security advisories |
| patch | Patches or fixes |
| mitigation | Workarounds |
4. Fetch Vulnerability Context
Retrieves additional vulnerability details including CVSS scores and vector strings, EPSS probability, CISA KEV status, CWE IDs, and affected version ranges.
5. Analyze Repository Impact
Uses Glob and Grep to assess whether the vulnerability affects the current repository:
- Dependency check – Searches manifest and lockfiles for the affected package
- Code pattern search – Greps for code patterns matching the CWE (e.g., `pickle.loads` for CWE-502, `exec`/`subprocess` for CWE-78)
- Reachability assessment – Determines if the vulnerable dependency is direct or transitive, and whether vulnerable code paths are actually called
Findings are recorded as reachability (direct, transitive, not-found, unknown) and exposure (public-facing, internal, local-only, unknown).
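The dependency and reachability checks described in step 5, as an added example in Python that is not the skill's own code. It parses a constructed pom.xml for direct dependencies, reads a constructed `mvn dependency:tree` listing for transitive ones, and compares the found version against an affected range. The range convention (lower bound inclusive, upper bound exclusive, compared on the numeric prefix of the version) and the tree-text format it parses are assumptions of this example; whether the vulnerable code path is actually called is left as "unknown".

```python
"""Added example, not code from the Vulnetix skill: classify a repository's
relationship to a vulnerable Maven artifact (direct / transitive / not-found).

Assumptions (not stated on the page): affected range is [lower, upper) compared
on the dotted numeric prefix of each version; transitive nodes are read from
the text format printed by `mvn dependency:tree`. Sample inputs are constructed.
"""
import re
import xml.etree.ElementTree as ET

# Constructed pom.xml (not a real project file).
SAMPLE_POM = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId>
  <artifactId>demo</artifactId>
  <version>1.0.0</version>
  <dependencies>
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-core</artifactId>
      <version>2.14.1</version>
    </dependency>
    <dependency>
      <groupId>org.springframework</groupId>
      <artifactId>spring-core</artifactId>
      <version>5.3.0</version>
    </dependency>
  </dependencies>
</project>
"""

# Constructed `mvn dependency:tree` output for the same project.
SAMPLE_TREE = """example:demo:jar:1.0.0
+- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
|  \\- org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
\\- org.springframework:spring-core:jar:5.3.0:compile
   \\- org.apache.commons:commons-text:jar:1.9:compile
"""

POM_NS = {"m": "http://maven.apache.org/POM/4.0.0"}
# One tree line: indentation blocks of three chars, then "+- " or "\- ", then g:a:jar:version:
TREE_NODE = re.compile(r"^((?:\|  |   )*)[+\\]- ([\w.\-]+):([\w.\-]+):jar:([\w.\-]+):")


def parse_version(version: str) -> tuple:
    """Numeric prefix as a tuple: '2.14.1' -> (2, 14, 1). Qualifiers such as
    '-beta9' are ignored (assumption: adequate for this range check)."""
    m = re.match(r"\d+(?:\.\d+)*", version)
    return tuple(int(x) for x in m.group(0).split(".")) if m else ()


def in_affected_range(version: str, lower: str, upper: str) -> bool:
    """True when lower <= version < upper."""
    return parse_version(lower) <= parse_version(version) < parse_version(upper)


def direct_dependencies(pom_xml: str) -> dict:
    """Map 'groupId:artifactId' -> version for every <dependency> in the pom."""
    root = ET.fromstring(pom_xml)
    deps = {}
    for dep in root.findall("m:dependencies/m:dependency", POM_NS):
        group = dep.findtext("m:groupId", namespaces=POM_NS)
        artifact = dep.findtext("m:artifactId", namespaces=POM_NS)
        deps[f"{group}:{artifact}"] = dep.findtext("m:version", namespaces=POM_NS)
    return deps


def tree_nodes(tree_text: str):
    """Yield (depth, 'groupId:artifactId', version) per dependency line.
    Depth 1 is a direct dependency; deeper nodes are transitive."""
    for line in tree_text.splitlines():
        m = TREE_NODE.match(line)
        if m:
            yield len(m.group(1)) // 3 + 1, f"{m.group(2)}:{m.group(3)}", m.group(4)


def classify(pom_xml: str, tree_text: str, coordinate: str, lower: str, upper: str) -> dict:
    """Reachability as the page records it: direct, transitive or not-found.
    call_status stays 'unknown' here; a code-path search would refine it."""
    direct = direct_dependencies(pom_xml)
    if coordinate in direct:
        version = direct[coordinate]
        return {"reachability": "direct", "version": version,
                "vulnerable": in_affected_range(version, lower, upper), "call_status": "unknown"}
    for depth, coord, version in tree_nodes(tree_text):
        if coord == coordinate and depth > 1:
            return {"reachability": "transitive", "version": version,
                    "vulnerable": in_affected_range(version, lower, upper), "call_status": "unknown"}
    return {"reachability": "not-found", "version": None, "vulnerable": False, "call_status": "unknown"}


if __name__ == "__main__":
    # Affected range [2.0, 2.15.0) is assumed for the example.
    print(classify(SAMPLE_POM, SAMPLE_TREE, "org.apache.logging.log4j:log4j-core", "2.0", "2.15.0"))
```

A direct hit short-circuits the tree scan, so a package listed in pom.xml is reported as direct even if it also appears deeper in the tree; a transitive hit reports the first resolved version seen, which is the one Maven actually puts on the classpath only if the tree was produced after conflict resolution.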
6. PoC Caching and Static Analysis
For each PoC URL from the exploit records, the skill:
- Creates a `.vulnetix/pocs/<VULN_ID>/` directory (ensuring `.vulnetix/` is in `.gitignore`)
- Fetches the PoC source code via WebFetch
- Saves it locally for offline static reference
- Analyzes the source statically only to understand attack vector, conditions, and impact
Previously fetched PoCs (where the local path already exists) are read from cache rather than re-fetched.
7. Threat Model (MITRE ATT&CK Mapping)
The skill maps the vulnerability to MITRE ATT&CK techniques based on the CWE, CVSS vector, and exploit analysis. ATT&CK technique IDs are stored internally but never shown to the user – only developer-friendly language is presented:
How this could be exploited:
- Attackable from the internet -- web app or API is the entry point
- Can run arbitrary commands on your server
Attack requirements: No authentication needed, no user interaction, low complexity
Your exposure: Direct dependency, public-facing deployment
ATT&CK Mapping Examples
| Internal T-Code | Developer-Friendly Language |
|---|---|
| T1190 | Attackable from the internet – web app or API is the entry point |
| T1195.001 | Compromised dependency – malicious code injected via a package you use |
| T1059 | Can run arbitrary commands on your server |
| T1068 | Can escalate to admin or root access |
| T1212 | Can steal credentials – passwords, tokens, or keys |
| T1499 | Can crash your service or exhaust resources |
| T1005 | Can read sensitive data – files, env vars, or secrets on the host |
| T1565 | Can tamper with, corrupt, or inject data |
8. CWSS Priority Scoring
Computes a CWSS-derived priority score (0–100) from five weighted factors:
| Factor | Weight | Source | Scoring |
|---|---|---|---|
| Technical Impact | 25% | CVSS impact, CWE consequence | RCE=100, Priv escalation=90, Data exfil=85, DoS=40 |
| Exploitability | 25% | EPSS score, exploit records, CISA KEV | Base: EPSS x 100. Metasploit +20, Verified PoC +15, KEV +15. Cap at 100. |
| Exposure | 15% | CVSS attack vector + repo deployment | Network+public-facing=100, Network+internal=70, Local=30 |
| Complexity | 15% | CVSS AC, PR, UI (inverted: higher = easier) | Low complexity + no auth + no interaction = 100 |
| Repo Relevance | 20% | Dependency analysis | Direct+reachable=100, Direct+unknown=70, Transitive=40, Not found=0 |
Composite score:
CWSS = (technical_impact x 0.25) + (exploitability x 0.25)
+ (exposure x 0.15) + (complexity x 0.15)
+ (repo_relevance x 0.20)
Priority Tiers
| Priority | Score | Developer Language |
|---|---|---|
| P1 | >= 80 | Act now – actively exploited, trivial to attack, you’re exposed |
| P2 | 60–79 | Plan this sprint – public exploits exist, you’re likely affected |
| P3 | 40–59 | Schedule it – known issue, limited exploitability or exposure |
| P4 | < 40 | Track it – low risk, no known exploitation, limited exposure |
If the priority tier changed from a prior analysis, the skill flags the change.
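The composite score and tiers from step 8, carried through as an added example in Python; this is not the skill's own implementation. The five weights, the exploitability bonuses (+20 Metasploit, +15 verified PoC, +15 KEV, capped at 100) and the tier cut-offs are the page's. The page gives only anchor values for the other factors, so the deductions used for non-ideal CVSS AC/PR/UI, the 70 used for an unknown deployment, the 30 for a network-vector package deployed local-only, and the 40 for "unknown" reachability are this example's assumptions.

```python
"""Added example, not the Vulnetix skill's own code: the CWSS-derived priority
score from five weighted factors, with the page's tier thresholds.

Weights, exploitability bonuses and tier cut-offs are from the page. The
deduction sizes in complexity(), the unknown-deployment value in exposure()
and the 'unknown' reachability value in repo_relevance() are assumptions.
"""

WEIGHTS = {"technical_impact": 0.25, "exploitability": 0.25,
           "exposure": 0.15, "complexity": 0.15, "repo_relevance": 0.20}

# Anchor values from the page's scoring table.
TECHNICAL_IMPACT = {"rce": 100, "privilege-escalation": 90, "data-exfiltration": 85, "dos": 40}


def parse_cvss_vector(vector: str) -> dict:
    """'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/...' -> {'AV': 'N', 'AC': 'L', ...}."""
    parts = (p.split(":", 1) for p in vector.split("/") if ":" in p)
    return {k: v for k, v in parts if k != "CVSS"}


def exploitability(epss: float, metasploit=False, verified_poc=False, kev=False) -> float:
    """Base EPSS x 100, plus the page's bonuses, capped at 100."""
    score = epss * 100 + 20 * metasploit + 15 * verified_poc + 15 * kev
    return min(100.0, score)


def exposure(metrics: dict, deployment: str) -> int:
    """CVSS attack vector combined with where the repository is deployed."""
    if metrics.get("AV") in ("L", "P"):   # local or physical vector: page's Local=30
        return 30
    if metrics.get("AV") == "A":          # adjacent network treated as internal (assumption)
        deployment = "internal"
    return {"public-facing": 100, "internal": 70, "local-only": 30, "unknown": 70}[deployment]


def complexity(metrics: dict) -> int:
    """Inverted CVSS AC/PR/UI: 100 = low complexity, no auth, no interaction.
    Deduction sizes are this example's assumption."""
    score = 100
    score -= {"L": 0, "H": 30}.get(metrics.get("AC"), 15)
    score -= {"N": 0, "L": 30, "H": 50}.get(metrics.get("PR"), 15)
    score -= {"N": 0, "R": 20}.get(metrics.get("UI"), 10)
    return max(score, 0)


def repo_relevance(reachability: str, call_status: str = "unknown") -> int:
    """Page values: direct+reachable=100, direct+unknown=70, transitive=40, not-found=0."""
    if reachability == "direct":
        return 100 if call_status == "reachable" else 70
    return {"transitive": 40, "not-found": 0, "unknown": 40}[reachability]


def priority(score: float) -> str:
    """Tier thresholds from the page."""
    if score >= 80:
        return "P1"
    if score >= 60:
        return "P2"
    if score >= 40:
        return "P3"
    return "P4"


def assess(impact_class, epss, vector, deployment, reachability, call_status="unknown",
           metasploit=False, verified_poc=False, kev=False) -> dict:
    """Compute the factors, the weighted composite (rounded to 0.1) and the tier."""
    metrics = parse_cvss_vector(vector)
    factors = {
        "technical_impact": TECHNICAL_IMPACT[impact_class],
        "exploitability": exploitability(epss, metasploit, verified_poc, kev),
        "exposure": exposure(metrics, deployment),
        "complexity": complexity(metrics),
        "repo_relevance": repo_relevance(reachability, call_status),
    }
    score = round(sum(factors[k] * WEIGHTS[k] for k in WEIGHTS), 1)
    return {"score": score, "priority": priority(score), "factors": factors}


if __name__ == "__main__":
    # Transitive RCE with a Metasploit module, reachable only from the internal network.
    print(assess("rce", epss=0.5, vector="CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
                 deployment="internal", reachability="transitive", metasploit=True))
```

One arithmetic consequence worth knowing when reading the tiers: repo relevance carries only 20 points, so a package that is not found in the repository still scores 80 (P1) when the other four factors max out. Read the "Repository impact" evidence line alongside the tier rather than acting on the tier alone.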
9. Risk Assessment
Provides a unified exploitability assessment combining the threat model and priority score:
Exploitability Rating: HIGH
Priority: P2 (72.5) -- Plan this sprint
How this could be exploited:
- Attackable from the internet -- web app or API is the entry point
- Can run arbitrary commands on your server
Attack requirements: No authentication needed, low complexity
Your exposure: Direct dependency, public-facing app
Evidence:
Metasploit module available (verified exploit)
EPSS score: 0.89 (89% chance of exploitation within 30 days)
CISA KEV: Listed (deadline 2024-01-15)
Repository impact: log4j-core 2.14.1 found in pom.xml (vulnerable version)
Recommendation: Run /vulnetix:fix CVE-2021-44228 to get fix options.
10. Update Vulnerability Memory
Updates .vulnetix/memory.yaml with the full threat_model, cwss, and pocs sections. If the user provides a decision during the conversation (e.g., “we’ll accept this risk”), it is recorded immediately using the risk treatment mapping.
CrowdSec and CISA KEV Enrichment
The skill uses CrowdSec sighting data and CISA Known Exploited Vulnerabilities (KEV) catalog status as strong signals in the CWSS scoring:
- CISA KEV listed – adds +15 to the exploitability factor and is flagged with the compliance deadline
- CrowdSec sightings – indicates live exploitation in the wild, directly informing the exploitability and exposure factors
Decision Recording
After presenting the assessment, if the user provides a decision, the skill records it:
| Decision | Developer Language |
|---|---|
| fix-applied | Fix applied |
| mitigated | Workaround in place |
| risk-accepted | Risk acknowledged, shipping as-is |
| deferred | Fix planned for later |
| not-affected | Not affected |
| risk-avoided | Removed the exposure |
| inlined | Replaced with own code |
| risk-transferred | Handled by platform or infrastructure |
Example
/vulnetix:exploits CVE-2021-44228
The skill loads prior memory, fetches 3 exploit records (ExploitDB PoC, Metasploit module, Nuclei template), retrieves CVSS 10.0 / EPSS 0.97 context, finds log4j-core@2.14.1 as a direct dependency in pom.xml, caches the PoC source to .vulnetix/pocs/CVE-2021-44228/, builds a threat model mapping to T1190 and T1059, scores CWSS at 87.5 (P1), and recommends running /vulnetix:fix CVE-2021-44228 for remediation.