← CRA Glossary
Technical Security

Exploit

An exploit is code, data, or a sequence of commands that takes advantage of a vulnerability to cause unintended behaviour in software or hardware. Under the EU Cyber Resilience Act, manufacturers must actively track and remediate vulnerabilities before exploits are developed and weaponised.

An exploit is code, data, or a sequence of commands that takes advantage of a vulnerability to cause unintended behaviour in software or hardware. Under the EU Cyber Resilience Act, manufacturers must actively track and remediate vulnerabilities before exploits are developed and weaponised.

Technical Security
Free CVD portal →

What Is an Exploit?

An exploit is a piece of code, a crafted payload, or a defined technique that leverages a specific vulnerability to make a system behave in an unintended way — commonly to gain unauthorised access, execute arbitrary code, escalate privileges, or cause a denial of service. Exploits range from theoretical proof-of-concept demonstrations, which confirm a vulnerability is real but may require significant adaptation to be weaponised, to fully operational exploit kits that automate attack delivery with no technical skill required. The existence of a public exploit transforms an abstract vulnerability into an immediate, actionable threat and dramatically compresses the window manufacturers have to deploy a patch.

CRA reference:Article 13(6), Annex I Part I(2)

Why Exploits Matter Under the CRA

The EU Cyber Resilience Act requires manufacturers to monitor and address vulnerabilities in their products without undue delay (Article 13). When a public exploit exists, regulators and market surveillance authorities treat the threat as elevated and expect accelerated remediation timelines. ENISA's vulnerability handling guidance notes that the presence of a known exploit is a key factor in severity prioritisation. Manufacturers who are slow to patch exploitable vulnerabilities face enforcement action and reputational harm. Under Article 14, manufacturers are also required to notify ENISA within 24 hours if an actively exploited vulnerability is discovered in their product.

CRA reference:Article 13, Article 14(1)

How Manufacturers Reduce Exploit Risk

Effective exploit risk management involves several parallel workstreams. Manufacturers should maintain a Software Bill of Materials (SBOM) to rapidly identify components affected by newly disclosed vulnerabilities. Continuous vulnerability scanning of products against feeds such as the NVD and CISA KEV catalogue flags exploited vulnerabilities early. Exploit intelligence feeds provide real-time signals when proof-of-concept code is published. Internally, threat modelling during design reduces the attack surface that exploits can target. Secure coding practices — input validation, memory-safe languages, and least-privilege architecture — reduce the number of exploitable conditions present in shipped products.

CRA reference:Annex I Part I, Article 13(5)

Common Mistakes

Manufacturers frequently conflate the existence of a vulnerability with the existence of an exploit, treating all unpatched CVEs with equal urgency regardless of exploitability. Conversely, some deprioritise vulnerabilities marked 'no known exploit' and are then caught off guard when a proof-of-concept emerges days later. Another common error is failing to monitor exploit databases and threat intelligence sources, so that the manufacturer learns of active exploitation from a customer complaint rather than from proactive monitoring. Exploit status should be a primary factor in CVSS environmental scoring and patch prioritisation decisions.

CRA reference:Annex I Part I(2)

CVD Portal makes Exploit compliance straightforward.

Public CVD submission portal, acknowledgment tracking, Article 14 deadline alerts, and CSAF advisory generation. Free forever for EU manufacturers.

Start your free portal

Frequently asked

What is the difference between a vulnerability and an exploit?+

A vulnerability is a weakness — a flaw in code, design, or configuration that could be abused. An exploit is the mechanism that abuses it. Every exploit requires a vulnerability, but not every vulnerability has a publicly known exploit. The CRA requires manufacturers to address vulnerabilities regardless of exploit availability, but the existence of an exploit is a key factor in determining remediation urgency.

Does the CRA require manufacturers to report actively exploited vulnerabilities to authorities?+

Yes. Article 14(1) of the CRA requires manufacturers to notify ENISA within 24 hours of becoming aware that a vulnerability in their product is being actively exploited. This is a strict early warning obligation separate from the broader vulnerability handling requirements in Article 13. Manufacturers must have monitoring processes in place to detect active exploitation promptly.

What is a proof-of-concept (PoC) exploit and is it treated differently from a weaponised exploit?+

A proof-of-concept (PoC) is a minimal demonstration that a vulnerability is exploitable, often released by security researchers after a patch is available. A weaponised exploit is a fully operational attack tool. From a CRA compliance standpoint, the publication of a PoC signals that weaponisation is likely imminent, and manufacturers should treat PoC availability as equivalent to active exploitation for the purposes of patch prioritisation and ENISA notification timelines.

Related terms

Zero-Day VulnerabilityA zero-day vulnerability is a security flaw that is unknown to the vendor and for which no patch exists at the time of discovery or exploitation. Zero-day vulnerabilities are particularly significant under the CRA because their active exploitation triggers immediate notification obligations to ENISA within 24 hours.Proof-of-Concept (PoC) ExploitA proof-of-concept (PoC) exploit is working code or a detailed technical demonstration that shows a security vulnerability is real and exploitable. The existence of a public PoC significantly increases the urgency of a manufacturer's patch release and may affect CRA notification timelines.Common Vulnerabilities and Exposures (CVE)CVE is a public catalogue of known cybersecurity vulnerabilities, each assigned a unique identifier (e.g. CVE-2024-12345) maintained by MITRE. Under the CRA, manufacturers are expected to track CVEs affecting their products and report actively exploited vulnerabilities to ENISA.CISA Known Exploited Vulnerabilities (KEV) CatalogueThe CISA Known Exploited Vulnerabilities (KEV) catalogue is a curated list maintained by the US Cybersecurity and Infrastructure Security Agency that identifies CVEs for which there is credible evidence of active exploitation in the wild. For EU manufacturers, the KEV catalogue is the highest-priority vulnerability intelligence source — any KEV entry affecting a shipped product triggers the CRA's 24-hour ENISA notification obligation.

CRA articles using this term

Article 13Coordinated Vulnerability Disclosure Obligations for ManufacturersArticle 14Active Exploitation and Incident Reporting — 24h, 72h, and 14-Day ObligationsAnnex IEssential Cybersecurity Requirements for Products with Digital Elements

Browse the full CRA Compliance Checklist

See how Exploit fits into your complete CRA compliance programme.

View checklists →