
Does a Vulnerability With a Name or Logo Deserve More Attention?

Bastien Cacace
Tags: threat-intelligence, cvss, vulnerability, exploitation, cybersecurity

The very first CVE to carry a name, on paper, is a 1999 FTP bug nicknamed "Pizza Thief", except nobody actually called it that in 1999. Vulnerability branding really begins in 2014, when Heartbleed shows up with a logo.

When a flaw gets a name (Heartbleed, Log4Shell, BlueKeep, Citrix Bleed, YellowKey), it usually becomes popular. You move it to the top of the pile. You assume it's worse than the unnamed CVE-2026-XXXXX next to it. A logo, a catchy name, sometimes even a dedicated website: surely that means the vulnerability is critical.

Heartbleed's logo and page, the first vulnerability to get a name and a logo in 2014
Source: heartbleed.com

So is it just marketing? Not really, and you're right to prioritize it. But probably for the wrong reason.

After adding the names of 994 popular CVEs to the SYRN app, we lined them up against all 361,589 CVEs in our database. Named flaws really are far more dangerous, but when you look at which numbers actually move, the story flips to the opposite of what everyone assumes. A name tells you almost nothing about a vulnerability's severity. It tells you it's going to be "weaponized".

The number that doesn't move: the CVSS score

If "named" meant "more severe", CVSS, the long-standing severity score, should spike for named flaws. In reality, it barely moves:

| | Named CVEs | Other CVEs | Gap |
|---|---|---|---|
| Average CVSS | 7.35 | 6.75 | +0.6 point |
| Median CVSS | 7.5 | 6.8 | +0.7 point |

A named vulnerability scores about 9% higher on CVSS than an unnamed one. That's it. On the metric meant to capture how fundamentally critical a flaw is, popular vulnerabilities are nearly indistinguishable from the rest.

Worse: 35% of named vulnerabilities aren't even rated "high", they fall below 7 on CVSS. A third of the flaws famous enough to have a logo would, on CVSS alone, be triaged as "medium". Some never crossed 7 and still ended up in CISA's Known Exploited Vulnerabilities (KEV) catalog.

So if it isn't severity that earns a name, what is it?

The numbers that explode: exploitation

Swap CVSS for a metric that measures real-world exploitation, and the gap explodes:

| Signal | Named CVEs | Other CVEs | Named are… |
|---|---|---|---|
| Exploited in the wild [1] | 26.9% | 1.65% | 16× more likely |
| Public exploit available [2] | 19.7% | 8.1% | 2.4× more likely |
| Public PoC repos on GitHub (avg.) | 5.06 | 0.06 | ~84× more |

Put the two tables side by side. Severity (CVSS): +9% gap between named and unnamed. Exploitation: from +140% (public exploit, 2.4×) to +8,300% (PoC repos, ~84×). That's the whole article in a nutshell. A name isn't a label that says "this is severe". It's a label that says "this gets exploited". If a flaw gets a name, it's because someone wrote a working exploit, that exploit spread, it got used for real, and the story was striking enough to slap a name on it.

Share of CVEs in each group affected by each exploitation signal: exploited in the wild (named 26.9% vs unnamed 1.65%) and public exploit available (19.7% vs 8.1%).
On real-world exploitation, the gap between named and unnamed is huge, whereas CVSS severity moves only +9%.
Dirty Frag vulnerability logo (CVE-2026-43284 and CVE-2026-43500)

That's exactly what our SYRN score [3] does. Instead of looking at CVSS alone, it adds what's actually happening in the field: is the flaw being exploited right now, what does the threat intel say, and so on. As a result, it immediately sees the difference between the two groups, where CVSS sees nothing. On pure severity, the two groups look alike. It's everything tied to exploitation that drives the gap.

"But the famous ones are just old": no, actually

The obvious objection: Heartbleed and Shellshock are from 2014, and flaws weren't scored the same way back then, so you're comparing different eras. We neutralized that bias by comparing named and unnamed flaws within the same five-year window:

| Years | CVSS, named CVEs | CVSS, unnamed CVEs | SYRN, named CVEs | SYRN, unnamed CVEs |
|---|---|---|---|---|
| 2010-14 | 6.65 | 6.15 | 60.7 | 25.8 |
| 2015-19 | 7.10 | 7.13 | 49.4 | 26.5 |
| 2020-24 | 7.44 | 6.85 | 50.7 | 30.6 |
| 2025+ | 7.56 | 6.70 | 51.2 | 31.4 |

Look at the 2015-19 row. Named and unnamed vulnerabilities have the same CVSS, 7.10 versus 7.13. Identical severity. And yet the named ones carry nearly double the real threat score (SYRN Score). The pattern repeats in every era: severity flat, exploitation soaring. It was never about age. A name has meant "this one gets exploited" ever since giving CVEs cute names became a thing.

You could push the objection further: back then there were also fewer exploitation signals available. No EPSS before 2021, fewer public PoCs, a recent KEV catalog. True. But that scarcity affects named and unnamed flaws from the same era in exactly the same way. So it can't explain the gap between the two at a given period. And that gap, named versus unnamed within the same range of years, is precisely what we measure.

It used to take a catastrophe to earn a name. Not anymore.

Naming has changed. In 2014, exactly fourteen vulnerabilities got a name, and they were "monsters". They average a SYRN score of 68/100, half were exploited in the wild, and 57% had a working public exploit. Back then it took a genuine catastrophe (Heartbleed, Shellshock, POODLE) on a very popular tech stack to earn a name and a logo.

A decade later, roughly 9× more flaws get named every year. So did the famous ones become less dangerous? Split the named set by range of years and think in rates, not volumes:

| Years | Named in window | Avg CVSS | % CVSS ≥ 9 | % exploited in the wild |
|---|---|---|---|---|
| 2014-2018 | 181 | 7.18 | 14% | 32% |
| 2019-2021 | 249 | 7.38 | 20% | 32% |
| 2022-2026 | 515 | 7.45 | 20% | 24% |

Two things happened, and they point in opposite directions.

Severity didn't drop, it rose. Average CVSS climbed from 7.18 to 7.45, and the share of named flaws with a critical 9+ score went from 14% to 20%. By the strict severity metric, a named vulnerability today is more critical than one from 2015, not less.

But the exploitation pedigree thinned. In-the-wild exploitation slipped from 32% to 24%, and the share shipping with a public exploit collapsed after 2017. The name was once reserved for the most-exploited flaw of the year; now it's marketing applied broadly to a wider set.

So named vulnerabilities haven't become less serious. Naming has become more common and more diluted. It must be said that the pool exploded: the number of CVEs published each year multiplied several times over the decade, nearing 50,000 in 2025. The more flaws there are, the more candidates for naming, and the lower the bar to "deserve a name" drops, from "Heartbleed" to "notable enough for a blog post".

Three recent examples make the point: names attached to flaws that are very middling on CVSS, but exploited all the same.

| Name | CVE | CVSS | Exploited? | SYRN | Component | Published |
|---|---|---|---|---|---|---|
| UnDefend | CVE-2026-45498 | 4.0 | Yes (CISA KEV) | 92 | Microsoft Defender | May 2026 |
| TrustFall | CVE-2026-21852 | 5.3 | Yes (HackerOne + GitHub PoC) | 84 | Claude Code | Jan 2026 |
| DarkSword | CVE-2025-43520 | 5.5 | Yes (CISA KEV) | 89 | Apple iPadOS/macOS | Dec 2025 |

ℹ️ Note: exploitation signals (public exploits, KEV entries, vendor reports, honeypots) all pile up over time. A flaw named in 2026 simply hasn't had years yet to be weaponized and cataloged; part of that recent "less exploited" dip is just youth, not a real decline. Severity, which doesn't age, shows no drop at all. So we can say the famous flaws are as serious as ever, but the club has grown and lost its exclusivity 😅.

0.27% of CVEs, but they concentrate the danger

The set of named flaws is tiny: 994 out of 361,589, or 0.27% of the total. If names were handed out at random, unrelated to exploitation, named flaws should make up 0.27% of any group of dangerous flaws. We're nowhere close:

| Group | Named CVE share | vs their 0.27% baseline |
|---|---|---|
| Ransomware-linked CVEs [4] | 13.5% | 49× over-represented |
| Exploited in the wild (CISA KEV included) | 4.3% | 16× over-represented |
| CVSS ≥ 9 (Critical) | 0.43% | 1.6× over-represented |

It's all in this table. A flaw with a name shows up 49 times more often than average among the CVEs ransomware crews actually use. But among the highest-CVSS flaws, it shows up only 1.6 times more often.
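The comparison behind the tables above (the named subset versus the rest on CVSS, on each exploitation signal, and the over-representation of named flaws inside a "dangerous" group relative to their overall share) can be reproduced on any CVE export. The script below is an added example written for this post, not SYRN's code; the Cve record layout, the CVE-0000-* identifiers and every sample value are constructed, so the numbers it returns illustrate the method, not the article's results.

```python
"""Named-vs-unnamed comparison over a constructed CVE sample.

Added example, not SYRN's code. The Cve layout and the sample values are
assumptions; the method is the one the article's tables describe: compare
the named subset with the rest on severity and on exploitation signals,
then measure how over-represented named flaws are inside a "dangerous"
group relative to their overall share.
"""
from dataclasses import dataclass
from statistics import mean, median
from typing import Callable, Dict, Iterable, List


@dataclass(frozen=True)
class Cve:
    cve_id: str
    cvss: float
    named: bool            # carries a popular name / logo
    in_kev: bool           # exploited in the wild (CISA KEV or similar)
    public_exploit: bool   # a working public exploit exists


# Constructed sample (CVE-0000-* ids are placeholders), not the 361,589
# records the article analyzed: two named flaws, eight unnamed ones.
SAMPLE: List[Cve] = [
    Cve("CVE-0000-0001", 9.0, named=True,  in_kev=True,  public_exploit=True),
    Cve("CVE-0000-0002", 5.0, named=True,  in_kev=True,  public_exploit=False),
    Cve("CVE-0000-0003", 9.8, named=False, in_kev=True,  public_exploit=True),
    Cve("CVE-0000-0004", 9.8, named=False, in_kev=False, public_exploit=False),
    Cve("CVE-0000-0005", 5.0, named=False, in_kev=False, public_exploit=False),
    Cve("CVE-0000-0006", 6.0, named=False, in_kev=False, public_exploit=True),
    Cve("CVE-0000-0007", 7.0, named=False, in_kev=False, public_exploit=False),
    Cve("CVE-0000-0008", 4.5, named=False, in_kev=False, public_exploit=False),
    Cve("CVE-0000-0009", 4.5, named=False, in_kev=False, public_exploit=False),
    Cve("CVE-0000-0010", 4.6, named=False, in_kev=False, public_exploit=False),
]


def _split(cves: Iterable[Cve]):
    cves = list(cves)
    return [c for c in cves if c.named], [c for c in cves if not c.named]


def severity_gap(cves: Iterable[Cve]) -> Dict[str, float]:
    """Average/median CVSS per group and the relative gap of named over unnamed."""
    named, unnamed = _split(cves)
    avg_n = mean(c.cvss for c in named)
    avg_u = mean(c.cvss for c in unnamed)
    return {
        "avg_named": avg_n,
        "avg_unnamed": avg_u,
        "median_named": median(c.cvss for c in named),
        "median_unnamed": median(c.cvss for c in unnamed),
        "relative_gap": avg_n / avg_u - 1.0,   # 0.09 means named score 9% higher
    }


def signal_ratio(cves: Iterable[Cve], signal: Callable[[Cve], bool]) -> Dict[str, float]:
    """Share of each group carrying a boolean signal, and how many times likelier named is."""
    named, unnamed = _split(cves)
    rate_n = sum(1 for c in named if signal(c)) / len(named)
    rate_u = sum(1 for c in unnamed if signal(c)) / len(unnamed)
    return {"named": rate_n, "unnamed": rate_u,
            "ratio": rate_n / rate_u if rate_u else float("inf")}


def enrichment(cves: Iterable[Cve], group: Callable[[Cve], bool]) -> Dict[str, float]:
    """Named share inside `group` versus the named share of the whole set."""
    cves = list(cves)
    baseline = sum(1 for c in cves if c.named) / len(cves)
    members = [c for c in cves if group(c)]
    share = sum(1 for c in members if c.named) / len(members) if members else 0.0
    return {"baseline": baseline, "share_in_group": share,
            "over_representation": share / baseline if baseline else float("inf")}


if __name__ == "__main__":
    print("severity:", severity_gap(SAMPLE))
    print("in the wild:", signal_ratio(SAMPLE, lambda c: c.in_kev))
    print("public exploit:", signal_ratio(SAMPLE, lambda c: c.public_exploit))
    print("named share among KEV:", enrichment(SAMPLE, lambda c: c.in_kev))
    print("named share among CVSS >= 9:", enrichment(SAMPLE, lambda c: c.cvss >= 9.0))
```

On the constructed sample the same shape appears as in the article: the named group scores about 9% higher on CVSS, but is eight times likelier to be in KEV, and named flaws are over-represented 3.3× among exploited CVEs against only 1.7× among CVSS ≥ 9 ones. Swap SAMPLE for your own export and the functions give you the comparison for your estate.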

What this changes for your triage

The takeaway isn't "drop the vulnerabilities that have a name". It's the opposite, but with a clearer reason. Treat a well-known name as a hint that the flaw is likely to be exploited, not as a measure of its severity. The mere fact that a flaw carries a name is one of the best, and cheapest, signals to predict a CVE will end up in KEV. Better than its CVSS score, which mostly can't tell named flaws apart from the rest.

So, concretely:

  • Don't downgrade a named flaw just because its CVSS came back as 6.5. A third of named flaws are below 7, and some are being exploited right now.
  • Let the "hey, this has a name" bump a flaw up your patch queue, exactly the way a public exploit appearing or a fresh KEV entry would. Statistically, it's the same signal.
  • And don't forget the reverse: the unnamed CVE-20XX-XXXXX rated 9.8 is not guaranteed to be that critical. Most CVSS-9 flaws are never exploited.
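The three rules above can be turned into a single sort key for a patch queue. The following is an added example, not SYRN's scoring: it treats a confirmed in-the-wild entry as the strongest signal, a public exploit or a popular name as an equivalent "this will be exploited" hint, and CVSS only as the tie-breaker within a tier. The record layout, the tiers and the CVE-0000-* sample queue are assumptions made for illustration.

```python
"""Signal-aware patch-queue ordering (added example, not SYRN's scoring).

Turns the three triage rules into one sort key: confirmed in-the-wild
exploitation first, then any "this will be exploited" hint (a public
exploit or a popular name, treated as the same signal), and CVSS only
as the tie-breaker within a tier. Tiers, record layout and the sample
queue (CVE-0000-* placeholders) are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Cve:
    cve_id: str
    cvss: float
    named: bool
    in_kev: bool
    public_exploit: bool


def exploitation_tier(c: Cve) -> int:
    """2 = confirmed exploitation, 1 = exploitation hint, 0 = nothing but a score."""
    if c.in_kev:
        return 2
    if c.public_exploit or c.named:   # a name counts the same as a public exploit
        return 1
    return 0


def triage_key(c: Cve) -> Tuple[int, float]:
    # Highest tier first, then highest CVSS first.
    return (-exploitation_tier(c), -c.cvss)


def by_cvss_only(queue: List[Cve]) -> List[str]:
    """The ordering a CVSS-only triage would produce (ties keep input order)."""
    return [c.cve_id for c in sorted(queue, key=lambda c: -c.cvss)]


def by_signals(queue: List[Cve]) -> List[str]:
    """The ordering the article's rules produce."""
    return [c.cve_id for c in sorted(queue, key=triage_key)]


def rank_changes(queue: List[Cve]) -> Dict[str, int]:
    """Positions gained (positive) or lost (negative) by switching to signal-aware triage."""
    cvss_rank = {cid: i for i, cid in enumerate(by_cvss_only(queue))}
    sig_rank = {cid: i for i, cid in enumerate(by_signals(queue))}
    return {cid: cvss_rank[cid] - sig_rank[cid] for cid in cvss_rank}


# Constructed queue: the three situations the bullets describe.
QUEUE: List[Cve] = [
    Cve("CVE-0000-0101", 9.8, named=False, in_kev=False, public_exploit=False),  # high score, no signal
    Cve("CVE-0000-0102", 6.5, named=True,  in_kev=False, public_exploit=False),  # named, "only" 6.5
    Cve("CVE-0000-0103", 9.8, named=False, in_kev=True,  public_exploit=True),   # nameless but exploited
    Cve("CVE-0000-0104", 5.3, named=False, in_kev=False, public_exploit=True),   # public exploit, low score
    Cve("CVE-0000-0105", 7.2, named=False, in_kev=False, public_exploit=False),  # middling, no signal
]

if __name__ == "__main__":
    print("CVSS only :", by_cvss_only(QUEUE))
    print("signals   :", by_signals(QUEUE))
    print("rank delta:", rank_changes(QUEUE))
```

Run on the constructed queue, the CVSS-only view puts the unexploited 9.8 first and the named 6.5 fourth; the signal-aware view puts the nameless-but-exploited 9.8 first, moves the named 6.5 up two places, and drops the unexploited 9.8 three places. That reordering is the whole point of the three bullets: a name or a public exploit outranks a bare score, and a bare score, however high, waits behind anything with exploitation evidence.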

And the mirror image of the named-examples table above is just as telling: the most destructive CVEs of recent years never had a name or a logo. All unnamed, yet at the maximum SYRN score (100/100), because every exploitation signal is in the red.

| CVE | CVSS | Exploited? | SYRN | Component | Published |
|---|---|---|---|---|---|
| CVE-2024-3400 | 10 | Yes (CISA KEV, ransomware) | 100 | Palo Alto PAN-OS GlobalProtect | Apr 2024 |
| CVE-2023-20198 | 10 | Yes (CISA KEV) | 100 | Cisco IOS XE (Web UI) | Oct 2023 |
| CVE-2022-40684 | 9.8 | Yes (CISA KEV, ransomware) | 100 | Fortinet FortiOS/FortiProxy | Oct 2022 |
| CVE-2022-26134 | 9.8 | Yes (CISA KEV, ransomware) | 100 | Atlassian Confluence | Jun 2022 |

A name is an extra indicator, not just marketing: it doesn't spread because a vulnerability is mediocre on paper, but because someone made it work. The converse holds just as well: the absence of a name protects nothing, and the most destructive flaws often stayed unnamed. What ends up landing in your incident channel at 2 a.m. is sometimes famous, often nameless, but always exploited 😬.

In short

A name or a logo isn't a measure of severity, it's an exploitation signal. A named flaw deserves your attention not because it's "severe", but because, statistically, it gets exploited. And the converse holds: the most destructive CVEs often have no name at all. On both sides, what matters is exploitation, not fame.

If this rings true for your day-to-day: too many CVEs, too little time, and a CVSS that can't tell what gets exploited from the rest, that's exactly the question that pushed us to build SYRN. You can try it for free.


Footnotes

  1. In-the-wild exploitation sources aggregated by SYRN: CISA KEV, ENISA EU-KEV, Shadowserver, Telegram, HackerOne and vendor advisories.

  2. Public exploit sources aggregated by SYRN: ExploitDB, Nuclei and Metasploit.

  3. The SYRN score is a 0-to-100 criticality score that combines CVSS severity with real-time signals (observed exploitation, public exploits and PoCs, threat intel, social-media trending). It recalculates continuously as new signals appear.

  4. Ransomware linkage from the "known ransomware campaign use" marker in CISA's Known Exploited Vulnerabilities (KEV) catalog.