---
name: "CRA Vulnerability Advisory Template"
version: "1.0"
updated: "2026-07-03"
source: "https://www.orbiqhq.com/templates/cra-vulnerability-advisory-template"
license: "Free to use and adapt for your organisation. Attribution appreciated, not required. Provided as-is, without warranty; not legal advice."
legal_basis:
  - "https://eur-lex.europa.eu/eli/reg/2024/2847/oj"   # Cyber Resilience Act — Art. 13, Art. 14, Annex I Part II
  - "https://eur-lex.europa.eu/eli/dir/2022/2555/oj"   # NIS2 — Art. 12(2) (European vulnerability database)
---

# CRA Vulnerability Advisory Template

A structured template for the public security advisories required by Regulation (EU) 2024/2847
(Cyber Resilience Act), Annex I Part II: once a security update is available, manufacturers must
publicly disclose information about fixed vulnerabilities, including a description of the
vulnerability, information allowing users to identify the affected product, and the action users
should take.

**Regulatory note — two separate clocks:**

- **Public advisory (this template):** due when the security update is available. Applies to every
  fixed vulnerability. (Annex I Part II, points 4 and 8.)
- **Article 14 reporting:** only for **actively exploited** vulnerabilities (and severe incidents).
  Early warning to the CSIRT designated as coordinator and ENISA via the single reporting platform
  within **24 hours** of awareness, notification within **72 hours**, final report no later than
  **14 days** after a corrective measure is available. Applies from **11 September 2026**.

---

## 1. Advisory template

Replace every `{{placeholder}}`. Delete guidance comments before publishing.

```markdown
# {{advisory_title}}
<!-- One line, format: "<Product>: <flaw class> in <component> (<CVE ID>)" -->

| | |
|---|---|
| **Advisory ID** | {{advisory_id}} <!-- e.g. ACME-SA-2026-001 --> |
| **CVE ID** | {{cve_id}} <!-- CVE-YYYY-NNNNN, or "pending" --> |
| **EUVD ID** | {{euvd_id}} <!-- EUVD-YYYY-NNNNN, see https://euvd.enisa.europa.eu --> |
| **Severity** | {{severity}} ({{cvss_base_score}}) <!-- see severity scale below --> |
| **CVSS v4.0 vector** | {{cvss_vector}} |
| **Exploitation status** | {{exploitation_status}} <!-- see enum below --> |
| **Advisory state** | {{advisory_state}} <!-- see lifecycle states below --> |
| **First published** | {{published_date}} (UTC) |
| **Last updated** | {{updated_date}} (UTC) |

## Summary

{{summary}}
<!-- 2–4 sentences: what the flaw is, what an attacker can do, and the single most
     important action ("Upgrade to version X"). Written for a customer, not a researcher. -->

## Affected products and versions

| Product | Affected versions | Fixed version | Deployment |
|---|---|---|---|
| {{product_name}} | {{affected_version_range}} | {{fixed_version}} | {{deployment_model}} |
<!-- One row per product line. deployment_model: cloud | self-hosted | embedded/firmware.
     Cover ALL supported lines; state explicitly if a line is NOT affected. -->

Products and versions **not** affected: {{not_affected_note}}

## Impact

{{impact_description}}
<!-- What a successful attacker achieves (RCE, data disclosure, privilege escalation...),
     preconditions (network access, authentication, user interaction), and any conditions
     that limit exploitability in typical deployments. -->

## Remediation

**Recommended action:** {{remediation_action}}
<!-- Normally: "Upgrade to {{fixed_version}} or later." State whether the security update is
     free of charge (the CRA requires free security updates during the support period) and
     whether it is applied automatically (e.g. cloud tenants need no action). -->

## Mitigations and workarounds

{{mitigations}}
<!-- Interim measures for customers who cannot patch immediately: config changes, network
     restrictions, feature disablement. If none exist, say "No workarounds are available;
     upgrading is the only remediation." Never leave this section out. -->

## Exploitation

{{exploitation_details}}
<!-- Evidence basis for the exploitation-status field. If exploited in the wild: what you
     observed, since when, and note that the incident was reported under CRA Article 14 via
     the single reporting platform. If none known: state your monitoring basis. -->

## Timeline

| Date (UTC) | Event |
|---|---|
| {{date_reported}} | Vulnerability reported by {{reporter_credit}} |
| {{date_triaged}} | Report triaged and confirmed |
| {{date_cve_assigned}} | {{cve_id}} assigned |
| {{date_fix_released}} | Fixed version {{fixed_version}} released |
| {{date_published}} | Advisory published |

## Update log

| Date (UTC) | Version | Change |
|---|---|---|
| {{published_date}} | 1.0 | Initial publication |
<!-- Add a dated row for every material change: new affected versions, exploitation
     observed, revised mitigations, additional fixed releases. -->

## Credit

{{reporter_credit}}
<!-- Name/handle of the reporter, if they consent to being credited. -->

## Contact

Report vulnerabilities to **{{security_contact_email}}** (see our coordinated vulnerability
disclosure policy: {{cvd_policy_url}}).
PGP key: {{pgp_key_url}} — fingerprint `{{pgp_fingerprint}}`
```

---

## 2. Field definitions and enums

### Severity scale (CVSS v4.0 base-score bands, per FIRST)

| Severity | CVSS v4.0 score |
|---|---|
| `none` | 0.0 |
| `low` | 0.1–3.9 |
| `medium` | 4.0–6.9 |
| `high` | 7.0–8.9 |
| `critical` | 9.0–10.0 |

Record the full vector string (e.g. `CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N`),
not just the number — customers re-score for their own environment.

### Exploitation-status enum

| Value | Meaning | Regulatory consequence |
|---|---|---|
| `none-known` | No exploitation or public PoC known | Advisory only |
| `poc-published` | Public proof-of-concept exists; no exploitation observed | Advisory only; monitor closely |
| `exploited-in-the-wild` | Active exploitation observed or credibly reported | **CRA Article 14 triggered**: 24h early warning / 72h notification / 14-day final report via the single reporting platform, plus user information under Article 14(8) |

Re-evaluate on every update; if status escalates to `exploited-in-the-wild` after publication,
the Article 14 clock starts at the moment of awareness, not at original publication.

### Advisory lifecycle states

| State | Meaning |
|---|---|
| `draft` | Being written; not distributed |
| `embargoed` | Shared under embargo with the reporter/coordinators; publication date agreed |
| `published` | Publicly available; fix released |
| `updated` | Published and materially revised (see update log) |
| `superseded` | Replaced by a newer advisory (link it) |
| `closed` | All supported lines fixed; no further updates expected |

### Other field notes

- **advisory_id** — stable, sequential, never reused: `<ORG>-SA-<YYYY>-<NNN>`.
- **euvd_id** — the European Union Vulnerability Database identifier (`EUVD-YYYY-NNNNN`),
  assigned via ENISA's EUVD (mandated by NIS2 Article 12(2)). List alongside the CVE ID.
- **Machine-readable variant** — CRA Article 14(8) favours structured, machine-readable user
  information. These fields map onto CSAF 2.0 (OASIS) document properties:
  `advisory_id` → `/document/tracking/id`, product/version tables → `/product_tree`,
  CVSS + status → `/vulnerabilities[]/scores` and `/vulnerabilities[]/flags`.

---

## 3. Subscriber-notification email variant

Send to security contacts and Trust Center subscribers at (or just before) publication.

```markdown
Subject: [{{severity_uppercase}}] Security advisory {{advisory_id}}: {{advisory_title_short}}

Hello {{recipient_name}},

We have published a security advisory affecting {{product_name}}.

  Advisory:    {{advisory_id}} — {{advisory_title_short}}
  CVE / EUVD:  {{cve_id}} / {{euvd_id}}
  Severity:    {{severity}} (CVSS v4.0 {{cvss_base_score}})
  Affected:    {{affected_version_range}}
  Fixed in:    {{fixed_version}}
  Exploitation: {{exploitation_status}}

What you should do:
{{action_summary}}
<!-- 1–3 lines. For cloud customers state explicitly if no action is required. -->

Full advisory, including mitigations and the disclosure timeline:
{{advisory_url}}

We will update the advisory if anything material changes; subscribers to our Trust Center
receive those updates automatically.

{{sender_name}}
Security Team, {{company_name}}
{{security_contact_email}}
```

---

## 4. Sample filled advisory (fictional)

All names, products, versions, identifiers, and events below are **fictional**, for illustration only.

```markdown
# Aurivo Edge Gateway: unauthenticated remote code execution in the sync API (CVE-2026-41337)

| | |
|---|---|
| **Advisory ID** | AURIVO-SA-2026-004 |
| **CVE ID** | CVE-2026-41337 |
| **EUVD ID** | EUVD-2026-08123 |
| **Severity** | critical (9.3) |
| **CVSS v4.0 vector** | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
| **Exploitation status** | none-known |
| **Advisory state** | published |
| **First published** | 2026-06-24 (UTC) |
| **Last updated** | 2026-07-01 (UTC) |

## Summary

A deserialization flaw in the device-sync API of Aurivo Edge Gateway allows an unauthenticated
network attacker to execute arbitrary code with service privileges. Aurivo Edge Gateway 3.8.2
fixes the issue. Upgrade immediately; a configuration workaround is available for deployments
that cannot patch this week.

## Affected products and versions

| Product | Affected versions | Fixed version | Deployment |
|---|---|---|---|
| Aurivo Edge Gateway | 3.2.0 – 3.8.1 | 3.8.2 | self-hosted |
| Aurivo Edge Gateway LTS | 2.9.0 – 2.9.14 | 2.9.15 | self-hosted |

Products and versions **not** affected: Aurivo Cloud Console (the sync API is not exposed);
Edge Gateway releases before 3.2.0 (the affected endpoint was introduced in 3.2.0).

## Impact

An attacker with network access to the sync API port (default 8443/tcp) can send a crafted
payload that is deserialized without validation, resulting in remote code execution as the
`aurivo-sync` service account. No authentication or user interaction is required. Deployments
that restrict port 8443 to management networks reduce, but do not eliminate, exposure.

## Remediation

**Recommended action:** Upgrade to Aurivo Edge Gateway 3.8.2 (or LTS 2.9.15) or later.
The security update is free of charge for all supported installations and is available through
the standard update channel.

## Mitigations and workarounds

Deployments that cannot patch immediately should restrict access to TCP port 8443 to trusted
management networks, or disable the device-sync API (`sync.enabled = false` in
`gateway.conf`; requires service restart). Disabling sync pauses fleet configuration
distribution but does not affect data-plane traffic.

## Exploitation

We are not aware of exploitation of this vulnerability in the wild, and no public
proof-of-concept exists at the time of publication. Our detection guidance for the affected
endpoint is included in release notes 3.8.2. Should we become aware of active exploitation,
we will report it via the CRA single reporting platform in line with Article 14 and update
this advisory.

## Timeline

| Date (UTC) | Event |
|---|---|
| 2026-06-09 | Vulnerability reported by Mira Lindqvist (independent researcher) |
| 2026-06-10 | Report triaged and confirmed |
| 2026-06-12 | CVE-2026-41337 assigned |
| 2026-06-24 | Fixed versions 3.8.2 and 2.9.15 released |
| 2026-06-24 | Advisory published |

## Update log

| Date (UTC) | Version | Change |
|---|---|---|
| 2026-06-24 | 1.0 | Initial publication |
| 2026-07-01 | 1.1 | Added LTS 2.9.x affected range and fixed version 2.9.15 |

## Credit

Mira Lindqvist (independent researcher) — reported via our coordinated vulnerability
disclosure programme. Thank you.

## Contact

Report vulnerabilities to **security@aurivo.example** (see our coordinated vulnerability
disclosure policy: https://trust.aurivo.example/cvd-policy).
PGP key: https://trust.aurivo.example/pgp — fingerprint `3F2A 91C4 0D77 5B1E 8A60  4C2F 7E19 D3B8 55AA 10E4`
```

---

Template by Orbiq — https://www.orbiqhq.com/templates/cra-vulnerability-advisory-template
Version 1.0 · Updated 2026-07-03 · Not legal advice.
