Hello Yuffie, Upon further investigation, the VulnCheck CNA determined that these vulnerabilities were not suitable for CVE assignment. The vulnerabilities exist within a SaaS product and are mitigated at the CSP-level which in this case, would be the vendor, EQS Group. Rather than contribute unactionable CVE records, the VulnCheck CNA used its discretionary prowess to move forward with rejecting these records. This policy aligns with a 2022 blog from MITRE <https://www.cve.org/Media/News/item/blog/2022/09/13/Dispelling-the-Myth-CVE-ID>. It should be noted that the vendor informed us that they have published advisories for the respective vulnerabilities in their "Trust Center" customer portal.
These actions should not be a deterrent for you to pursue CVE assignment through MITRE or another research CNA. Best regards, <https://www.vulncheck.com/> Wade Sparks III VulnCheck Senior Vulnerability Analyst On Tue, Jan 20, 2026 at 12:13 PM Yuffie Kisaragi < [email protected]> wrote: > > Dear Art, > > Thank you for sharing your detailed evaluation and for pointing out the > relevant sections of the CNA Rules. > > Your argument is well reasoned, particularly with respect to the current > guidance on SaaS and exclusively hosted services. > > I have forwarded your evaluation to the CNA for further consideration. It > will also be important to understand the vendor’s perspective in light of > the points you raised, especially regarding the applicability of the > “exclusively-hosted-service” tag and the removal of prior restrictions. > > We look forward to receive transparent feedback from the CNA and/or the > vendor. > > To date, the vendor has remained silent with regard to informing their > users about the reported issues. As far as we can determine, no public > advisory or user-facing communication has been issued via their > vulnerability reporting channel ( > https://www.eqs.com/report-a-vulnerability/) or elsewhere. > > Best regards, > > Yuffie > > On Tue, Jan 20, 2026 at 7:26 PM <[email protected]> wrote: > >> Hi, >> >> > the vulnerabilities are no longer considered eligible for CVE tracking, >> despite being real, independently discovered, responsibly disclosed, and >> acknowledged by the vendor. >> CVE IDs *can* be assigned for SaaS or similarly "cloud only" software. >> For a period of time, there was a restriction that only the provider could >> make or request such an assignment. But the current CVE rules remove this >> restriction: >> >> 4.2.3 CNAs MUST NOT consider the type of technology (e.g., cloud, >> on-premises, artificial intelligence, machine learning) as the sole basis >> for determining assignment. >> >> It would have been acceptable (even preferred) to leave CVE-2025-34411 >> and CVE-2025-34412 published and identify them as affecting an >> "exclusively-hosted-service:" >> >> 5.1.11.1 (A CVE Record) MUST use the “exclusively-hosted-service” tag >> when all known Products listed in the CVE Record exist only as fully hosted >> services. If the Vulnerability affects both hosted services and on-premises >> Products, then this tag MUST NOT be used. >> >> Rules: https://www.cve.org/resourcessupport/allresources/cnarules >> >> Regards, >> >> - Art >> > _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: https://seclists.org/fulldisclosure/
