Severity and Exploitability Analysis of Security Vulnerabilities in the Public Sector
Abstract
The increasing sophistication of cyber threats poses challenges to the protection of public services and infrastructure, especially in heterogeneous environments. Simply detecting vulnerabilities is not enough: it is necessary to understand them in the context of the organization and prioritize remediation intelligently. This paper presents a systematic approach to vulnerability analysis based on vulnerability severity and exploitability. The methodology includes asset mapping, vulnerability scanning, CVSS and EPSS classification, and analysis between technical attributes and risks. The data were analyzed based on variables such as service ports, operating systems, severity of failures, and probability of exploitation, allowing the identification of exposure patterns and the definition of priorities. The results show that the integration of metrics and context significantly improves the effectiveness of vulnerability management in public institutions.
References
Center for Internet Security (2023). CIS Critical Security Controls v8. [link]. Accessed: 2025-07-03.
Cruz, D. B., Almeida, J. R., and Oliveira, J. L. (2023). Open source solutions for vulnerability assessment: A comparative analysis. IEEE Access, 11:100234–100255.
Ficco, M., Granata, D., Palmieri, F., and Rak, M. (2024). A systematic approach for threat and vulnerability analysis of unmanned aerial vehicles. Internet of Things, 26:101180.
FIRST (2019). Forum of Incident Response and Security Teams - Common Vulnerability Scoring System v3.1: Specification Document. Acesso em: 17 maio 2025.
FIRST (2022). Forum of Incident Response and Security Teams - Exploit Prediction Scoring System (EPSS) – v2 Model Documentation. Acesso em: 17 maio 2025.
Liu, Z., Tang, Z., Zhang, J., Xia, X., and Yang, X. (2024). Pre-training by predicting program dependencies for vulnerability analysis tasks. In Proceedings of the IEEE/ACM 46th International Conference on Software Engineering, pages 1–13.
National Institute of Standards and Technology (NIST) (2018). Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1. Technical report, NIST. Acesso em: 17 maio 2025.
Offensive Security (2025). Exploit Database (Exploit-DB). Acesso em: 17 maio 2025.
Pimenta, I., Silva, D., Moura, E., Silveira, M., and Gomes, R. L. (2024). Impact of data anonymization in machine learning models. In Proceedings of the 13th Latin-American Symposium on Dependable and Secure Computing, LADC ’24, page 188–191, New York, NY, USA. Association for Computing Machinery.
Rahalkar, S. (2018). OpenVAS. In Quick Start Guide to Penetration Testing: With NMAP, OpenVAS and Metasploit, pages 47–71. Springer.
Rapid7 (2025). Metasploit Framework. Acesso em: 17 maio 2025.
Safitra, M. F., Lubis, M., and Widjajarto, A. (2023). Security vulnerability analysis using penetration testing execution standard (PTES): case study of government’s website. In Proceedings of the 2023 6th international conference on electronics, communications and control engineering, pages 139–145.
Silva, M., Ribeiro, S., Carvalho, V., Cardoso, F., and Gomes, R. L. (2023). Scalable detection of sql injection in cyber physical systems. In Proceedings of the 12th Latin-American Symposium on Dependable and Secure Computing, LADC ’23, page 220–225, New York, NY, USA. Association for Computing Machinery.
Thomas, B., Thampi, S. M., and Mukherjee, P. (2025). An in-depth exploration of attack modeling and vulnerability analysis in IoT networks. In Securing the Connected World: Exploring Emerging Threats and Innovative Solutions, pages 19–45. Springer.
