CVE (Common Vulnerabilities and Exposures) is the standard catalogue of publicly disclosed cybersecurity vulnerabilities, maintained by MITRE with sponsorship from the US Cybersecurity and Infrastructure Security Agency (CISA). Each CVE entry receives a unique identifier (for example, CVE-2024-12345) and a description of the vulnerability it documents.
In short: CVE entries are used across the industry as a shared reference for vulnerabilities in software and firmware. When a router vendor discloses a vulnerability in their firmware, the disclosure is published with one or more CVE IDs. Security scanners check whether deployed firmware versions are vulnerable to known CVEs. Compliance frameworks (NIS, PCI DSS, ISO 27001, IEC 62443) all require tracking, prioritising, and patching CVEs as part of routine operations. The Common Vulnerability Scoring System (CVSS) assigns each CVE a severity score from 0 to 10, giving a consistent way to prioritise patching.
For IoT deployments, CVE awareness matters because the consequences of unpatched vulnerabilities are direct and frequent. Cellular routers, IoT gateways, and connected industrial equipment are all subject to ongoing CVE disclosures. Teltonika, Proroute, Robustel, and other vendors publish security advisories alongside firmware updates, and most operate dedicated security advisory pages where CVE-mapped issues are documented.
The practical implications for operators are: subscribe to security advisories from every vendor in the deployment, track which firmware versions are running on each device (a remote management platform makes this much easier), and have a process for applying critical firmware updates promptly. The UK Cyber Security and Resilience Bill and existing NIS Regulations both expect organisations to manage CVEs as part of ongoing security operations, not as a one-off exercise.
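The tracking step described above can be automated once advisories and the device inventory are in structured form. The following is an added example, not code from any vendor or management platform: it matches each device's firmware against advisories and orders the findings by CVSS score. The vendor names, models, firmware versions and CVE IDs are constructed placeholders, and it assumes each advisory names a single "fixed in" version with all earlier versions affected.

```python
# Constructed sample data: vendors, models, versions and CVE IDs are placeholders.
ADVISORIES = [
    {"cve": "CVE-0000-0001", "vendor": "VendorA", "model": "RTR-100", "fixed_in": "7.6.2", "cvss": 9.8},
    {"cve": "CVE-0000-0002", "vendor": "VendorA", "model": "RTR-100", "fixed_in": "7.5.0", "cvss": 5.3},
    {"cve": "CVE-0000-0003", "vendor": "VendorB", "model": "GW-20", "fixed_in": "2.10.1", "cvss": 7.5},
]
INVENTORY = [
    {"device": "site-01-router", "vendor": "VendorA", "model": "RTR-100", "firmware": "7.4.9"},
    {"device": "site-02-router", "vendor": "VendorA", "model": "RTR-100", "firmware": "7.6.2"},
    {"device": "site-03-gateway", "vendor": "VendorB", "model": "GW-20", "firmware": "2.9.7"},
]


def parse_version(text):
    """Turn '2.10.1' into (2, 10, 1); comparing raw strings would rank 2.10 below 2.9."""
    return tuple(int(part) for part in text.split("."))


def severity(score):
    """Map a CVSS v3.x base score to its qualitative rating."""
    for floor, label in ((9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (0.1, "Low")):
        if score >= floor:
            return label
    return "None"


def find_exposures(inventory, advisories):
    """Return one finding per (device, CVE) still unpatched, highest CVSS first."""
    findings = []
    for dev in inventory:
        for adv in advisories:
            if (dev["vendor"], dev["model"]) != (adv["vendor"], adv["model"]):
                continue
            # Assumption: every firmware version below fixed_in is affected.
            if parse_version(dev["firmware"]) < parse_version(adv["fixed_in"]):
                findings.append({"device": dev["device"], "cve": adv["cve"],
                                 "cvss": adv["cvss"], "severity": severity(adv["cvss"]),
                                 "running": dev["firmware"], "upgrade_to": adv["fixed_in"]})
    return sorted(findings, key=lambda f: (-f["cvss"], f["device"]))


if __name__ == "__main__":
    for f in find_exposures(INVENTORY, ADVISORIES):
        print(f"{f['severity']:<8} {f['cvss']:>4} {f['device']:<16} {f['cve']} "
              f"{f['running']} -> {f['upgrade_to']}")
```

Real advisories often list affected version ranges rather than a single fixed version, so the comparison rule should be adapted to the format each vendor publishes.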