OpenCTI data in Vulmatch -- when to use?

0101001001001 · 17 November 2025 00:00

I am trying to understand the pros and cons of x_opencti data in Vulnerability objects.

For example, Vulmatch Web | Straightforward vulnerability management.

Gives…

{
  "created": "2025-11-08T23:15:48.270Z",
  "created_by_ref": "identity--a9546a6d-7e78-5367-847d-8d10e8a77bc9",
  "description": "A vulnerability was found in 70mai X200 up to 20251019. This issue affects some unknown processing of the component Init Script Handler. The manipulation results in file inclusion. The attack requires a local approach. A high complexity level is associated with this attack. The exploitability is assessed as difficult. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.",
  "extensions": {
    "extension-definition--2c5c13af-ee92-5246-9ba7-0b958f8cd34a": {
      "extension_type": "toplevel-property-extension"
    },
    "extension-definition--ec658473-1319-53b4-879f-488e47805554": {
      "extension_type": "toplevel-property-extension"
    }
  },
  "external_references": [
    {
      "source_name": "cve",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12915",
      "external_id": "CVE-2025-12915"
    },
    {
      "source_name": "cwe",
      "url": "https://cwe.mitre.org/data/definitions/CWE-73.html",
      "external_id": "CWE-73"
    },
    {
      "source_name": "[email protected]",
      "description": "Exploit,Third Party Advisory",
      "url": "https://github.com/geo-chen/70mai/blob/main/README.md#finding-11-init-script-binary-hijack-persistence-vulnerability-in-70mai-x200-omni-dashcam"
    },
    {
      "source_name": "[email protected]",
      "description": "Permissions Required,VDB Entry",
      "url": "https://vuldb.com/?ctiid.331633"
    },
    {
      "source_name": "[email protected]",
      "description": "Third Party Advisory,VDB Entry",
      "url": "https://vuldb.com/?id.331633"
    },
    {
      "source_name": "[email protected]",
      "description": "Third Party Advisory,VDB Entry",
      "url": "https://vuldb.com/?submit.678285"
    },
    {
      "source_name": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "description": "Exploit,Third Party Advisory",
      "url": "https://github.com/geo-chen/70mai/blob/main/README.md#finding-11-init-script-binary-hijack-persistence-vulnerability-in-70mai-x200-omni-dashcam"
    },
    {
      "source_name": "vulnStatus",
      "description": "Analyzed"
    }
  ],
  "id": "vulnerability--b5aec50a-b8ad-5a0b-89db-83ff6094dd1e",
  "modified": "2025-11-14T18:20:17.173Z",
  "name": "CVE-2025-12915",
  "object_marking_refs": [
    "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487",
    "marking-definition--562918ee-d5da-5579-b6a1-fae50cc6bad3"
  ],
  "spec_version": "2.1",
  "type": "vulnerability",
  "x_cvss": {
    "v2_0": [
      {
        "vector_string": "AV:L/AC:H/Au:M/C:C/I:C/A:C",
        "exploitability_score": 1.2,
        "impact_score": 10,
        "base_score": 5.9,
        "base_severity": "MEDIUM",
        "source": "[email protected]",
        "type": "Secondary"
      }
    ],
    "v3_1": [
      {
        "vector_string": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
        "exploitability_score": 0.5,
        "impact_score": 5.9,
        "base_score": 6.4,
        "base_severity": "MEDIUM",
        "source": "[email protected]",
        "type": "Secondary"
      }
    ],
    "v4_0": [
      {
        "vector_string": "CVSS:4.0/AV:L/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
        "base_score": 7.1,
        "base_severity": "HIGH",
        "source": "[email protected]",
        "type": "Secondary"
      }
    ]
  },
  "x_opencti_cvss_base_score": 6.4,
  "x_opencti_cvss_base_severity": "MEDIUM",
  "x_opencti_cvss_v2_base_score": 5.9,
  "x_opencti_cvss_v2_base_severity": "MEDIUM",
  "x_opencti_cvss_v2_vector_string": "AV:L/AC:H/Au:M/C:C/I:C/A:C",
  "x_opencti_cvss_v4_base_score": 7.1,
  "x_opencti_cvss_v4_base_severity": "HIGH",
  "x_opencti_cvss_v4_vector_string": "CVSS:4.0/AV:L/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
  "x_opencti_cvss_vector_string": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
  "x_opencti_epss_percentile": 0.03163,
  "x_opencti_epss_score": 0.00017
}

I see CVSS and EPSS as x_opencti properties. Is there a reason I would x_cvss instead? I feel there should be (because it exists) but want to be sure.

dgreenwood-dogesec · 17 November 2025 00:07

x_opencti and x_cvss have identical data (for the same properties). x_cvss contains a bit more info (e.g. source, type,…), however, if you don’t need them, using the data in x_opencti is the same (and maybe easier) than using x_cvss nested values.

A short history lesson; x_opencti properties were added after x_cvss to ensure we properly support the OpenCTI Vulnerability views.

One small not on EPSS…

x_opencti_epss properties only show the most recent EPSS score for the CVE. However, this property is problematic for two reasons; 1. there is no date of the score, 2. there is no history. This is a limitation of OpenCTI properties we don’t control.

As such, you should generally use the EPSS report object for the CVE to get the full dated EPSS history

e.g.

{
  "created": "2025-11-08T23:15:48.270Z",
  "created_by_ref": "identity--9779a2db-f98c-5f4b-8d08-8ee04e02dbb5",
  "extensions": {
    "extension-definition--efd26d23-d37d-5cf2-ac95-a101e46ce11d": {
      "extension_type": "toplevel-property-extension"
    }
  },
  "external_references": [
    {
      "source_name": "cve",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12915",
      "external_id": "CVE-2025-12915"
    },
    {
      "source_name": "arango_cve_processor",
      "external_id": "cve-epss"
    }
  ],
  "id": "report--0ea954b3-8772-55c3-b98a-6628d8525279",
  "labels": [
    "epss"
  ],
  "modified": "2025-11-17T00:00:00.000Z",
  "name": "EPSS Scores: CVE-2025-12915",
  "object_marking_refs": [
    "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487",
    "marking-definition--152ecfe1-5015-522b-97e4-86b60c57036d"
  ],
  "object_refs": [
    "vulnerability--b5aec50a-b8ad-5a0b-89db-83ff6094dd1e"
  ],
  "published": "2025-11-08T23:15:48.27Z",
  "spec_version": "2.1",
  "type": "report",
  "x_epss": [
    {
      "date": "2025-11-17",
      "epss": 0.00017,
      "percentile": 0.03163
    },
    {
      "date": "2025-11-13",
      "epss": 0.0001,
      "percentile": 0.00824
    },
    {
      "date": "2025-11-12",
      "epss": 0.0001,
      "percentile": 0.00823
    },
    {
      "date": "2025-11-11",
      "epss": 0.0001,
      "percentile": 0.00825
    },
    {
      "date": "2025-11-10",
      "epss": 0.0001,
      "percentile": 0.00821
    },
    {
      "date": "2025-11-09",
      "epss": 0.0001,
      "percentile": 0.00829
    }
  ]
}