EU Cyber Resilience Act Compliance Roadmap
CRA Published
Regulation (EU) 2024/2847 published in the Official Journal; enters into force 11 December 2024
Art. 14 Enforcement Begins
Vulnerability reporting obligations apply to all products in scope
Full Conformity Deadline
Design and production requirements (Annex I, CE marking) apply to new products placed on the market
Three Pillars of CRA CVD Compliance
A complete vulnerability disclosure infrastructure designed for economic operators subject to the Cyber Resilience Act.
Dual-Track SLA Compliance
48-hour acknowledgment per CVD best practice (ISO/IEC 29147, Art. 13), plus mandatory 24-hour early warning and 72-hour full notification to authorities under Article 14 of the CRA.
Single Point of Contact
A unified, branded vulnerability intake portal for your organization. Security researchers submit reports through a standardized, encrypted channel.
ENISA-Aligned Triage
All submissions follow ENISA coordinated vulnerability disclosure (CVD) best practices with CVSS scoring, reporter communication, and mitigation tracking.
Are You CRA Ready?
EU Vulnerability Database (EUVD) Pulse
Official feed of the latest critical and actively exploited vulnerabilities tracked by European authorities.
Latest Critical Vulnerabilities
CVSS 9.0+
The WebStack theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the io_img_upload() function in all versions up to, and including, 1.2024. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
OpenRemote is an open-source IoT platform. Versions 1.21.0 and below contain two interrelated expression injection vulnerabilities in the rules engine that allow arbitrary code execution on the server. The JavaScript rules engine executes user-supplied scripts via Nashorn's ScriptEngine.eval() without sandboxing, class filtering, or access restrictions, and the authorization check in RulesResourceImpl only restricts Groovy rules to superusers while leaving JavaScript rules unrestricted for any user with the write:rules role. Additionally, the Groovy rules engine has a GroovyDenyAllFilter security filter that is defined but never registered, as the registration code is commented out, rendering the SandboxTransformer ineffective for superuser-created Groovy rules. A non-superuser attacker with the write:rules role can create JavaScript rulesets that execute with full JVM access, enabling remote code execution as root, arbitrary file read, environment variable theft including database credentials, and complete multi-tenant isolation bypass to access data across all realms. This issue has been fixed in version 1.22.0.
NuGet Gallery is a package repository that powers nuget.org. A security vulnerability exists in the NuGetGallery backend job’s handling of .nuspec files within NuGet packages. An attacker can supply a crafted nuspec file with malicious metadata, leading to cross package metadata injection that may result in remote code execution (RCE) and/or arbitrary blob writes due to insufficient input validation. The issue is exploitable via URI fragment injection using unsanitized package identifiers, allowing an attacker to control the resolved blob path. This enables writes to arbitrary blobs within the storage container, not limited to .nupkg files, resulting in potential tampering of existing content. This issue has been patched in commit 0e80f87628349207cdcaf55358491f8a6f1ca276.
Kyverno: SSRF via CEL http.Get/http.Post in NamespacedValidatingPolicy allows cross-namespace data access
Actively Exploited (KEV)
In the wild
An improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability in Fortinet FortiClientEMS 7.4.4 may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted HTTP requests.
Acrobat Reader versions 24.001.30356, 26.001.21367 and earlier are affected by an Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Microsoft Exchange Server Remote Code Execution Vulnerability
Windows Common Log File System Driver Elevation of Privilege Vulnerability
Five Months to September: What CRA Article 14 Compliance Actually Requires
Article 14 enforcement begins 11 September 2026 — for products already on the market. Here's exactly what infrastructure manufacturers, importers, and distributors need in place before the deadline: VDP, triage authority, reporting cascade, and audit trail.
10 min read
CRA Compliance
Exploitable vs. Exploited: The Legal Distinction That Defines Your CRA Compliance
The CRA draws a sharp legal line between 'exploitable' and 'actively exploited' vulnerabilities — with very different consequences for each. We break down the three-tier obligation framework, the EUVD's role as authoritative reference, and the September 2026 reporting deadlines that apply to products already on the market.
9 min read
CRA Compliance
CRA Vulnerability Handling: What Every Manufacturer Needs to Know Before September 2026
The EU Cyber Resilience Act creates the first mandatory vulnerability handling framework for products with digital elements. We break down the 26 articles, the key deadlines, and the practical steps manufacturers should take today to prepare.
12 min read