CVE MCP Server Security Intelligence

Skill by ara.so — MCP Skills collection

What This Project Does

CVE MCP Server is a production-grade Model Context Protocol server that transforms Claude into a comprehensive security analyst. It provides 27 security intelligence tools that integrate with 21 different APIs including NVD, EPSS, CISA KEV, MITRE ATT&CK, Shodan, VirusTotal, GreyNoise, GitHub, and more.
Instead of manually querying multiple security databases, this MCP server allows Claude to:
  • Look up detailed CVE information with CVSS scores and affected products
  • Calculate composite risk scores using EPSS, KEV status, and PoC availability
  • Search for public exploits and proof-of-concept code
  • Check IP addresses against threat intelligence feeds
  • Analyze malware samples and indicators of compromise
  • Generate executive security reports with prioritized recommendations
  • Map vulnerabilities to MITRE ATT&CK techniques
The server runs locally via stdio, makes only outbound HTTPS requests, and supports both free APIs (no key required) and premium services.

Installation

Prerequisites

  • Python 3.10 or higher
  • Claude Desktop or any MCP-compatible client
  • (Optional) API keys for premium services

Install via pip/pipx (Recommended)

```bash
# Using pipx (isolated environment)
pipx install cve-mcp-server

# Using pip
pip install cve-mcp-server

# Using uv (faster)
uv pip install cve-mcp-server
```

Install from Source

```bash
git clone https://github.com/mukul975/cve-mcp-server.git
cd cve-mcp-server
pip install -e .
```

Configuration

Claude Desktop Setup

Add the server to your Claude Desktop config file:

macOS: `~/Library/Application Support/Claude/claude_desktop_config.json`

Windows: `%APPDATA%\Claude\claude_desktop_config.json`

```json
{
  "mcpServers": {
    "cve-security": {
      "command": "python",
      "args": ["-m", "cve_mcp_server"],
      "env": {
        "NVD_API_KEY": "your-nvd-key-here",
        "VIRUSTOTAL_API_KEY": "your-vt-key-here",
        "SHODAN_API_KEY": "your-shodan-key-here",
        "GREYNOISE_API_KEY": "your-greynoise-key-here",
        "ABUSEIPDB_API_KEY": "your-abuseipdb-key-here",
        "GITHUB_TOKEN": "your-github-token-here"
      }
    }
  }
}
```

Keys placed in `env` are stored in plaintext in this file and handed to the server process's environment, so restrict the file's permissions to your own user, omit any key you do not need, and issue tokens with the narrowest scope the tool requires (for example, read-only public-repository access for `GITHUB_TOKEN`).

Environment Variables

API keys (most are optional; a tool whose key is missing degrades gracefully instead of breaking the server):
  • NVD_API_KEY - NVD API 2.0 key (free; strongly recommended because it raises the NVD rate limit)
  • VIRUSTOTAL_API_KEY - VirusTotal v3 API key
  • SHODAN_API_KEY - Shodan API key
  • GREYNOISE_API_KEY - GreyNoise Community or Enterprise key
  • ABUSEIPDB_API_KEY - AbuseIPDB v2 key
  • GITHUB_TOKEN - GitHub personal access token (public repository read access is sufficient)
  • ABUSECH_AUTH_KEY - Abuse.ch (MalwareBazaar/ThreatFox) auth key
  • CIRCL_PDNS_USER - CIRCL Passive DNS username
  • CIRCL_PDNS_PASSWORD - CIRCL Passive DNS password
  • ALIENVAULT_OTX_KEY - AlienVault OTX API key

Create API Keys

Core Tool Categories

1. Vulnerability Intelligence (8 tools)

lookup_cve

Fetch a detailed CVE record from NVD. Claude will call this as:

```python
lookup_cve(cve_id="CVE-2024-3400")
```

Returns:

```json
{
  "id": "CVE-2024-3400",
  "description": "Command injection vulnerability in...",
  "cvss_v3_score": 10.0,
  "cvss_v3_severity": "CRITICAL",
  "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
  "published": "2024-04-12T00:00:00",
  "last_modified": "2024-04-15T12:34:56",
  "cwe_ids": ["CWE-77"],
  "references": [...],
  "affected_products": [...]
}
```

search_cves

Search NVD by keyword, product, or severity:

```python
search_cves(keyword="Apache Log4j", severity="CRITICAL", last_n_days=30)
search_cves(product="palo alto networks", max_results=10)
```

get_epss_score

Get the EPSS exploitation probability (0.0-1.0), that is, the FIRST model's estimate that the CVE will be exploited in the wild within the next 30 days, together with its percentile rank among all scored CVEs:

```python
get_epss_score(cve_id="CVE-2024-3400")
```

Returns:

```json
{
  "cve": "CVE-2024-3400",
  "epss": 0.89234,
  "percentile": 0.99123,
  "date": "2024-05-16"
}
```

check_kev_status

Check whether a CVE is in the CISA Known Exploited Vulnerabilities catalog:

```python
check_kev_status(cve_id="CVE-2021-44228")
```

Returns:

```json
{
  "in_kev": true,
  "date_added": "2021-12-10",
  "due_date": "2021-12-24",
  "required_action": "Apply updates per vendor instructions",
  "known_ransomware": true
}
```

bulk_cve_lookup

Batch-fetch up to 20 CVEs in parallel:

```python
bulk_cve_lookup(cve_ids=["CVE-2024-3400", "CVE-2023-44487", "CVE-2021-44228"])
```

2. Exploit & Attack Intelligence (4 tools)

search_exploits

Search GitHub for public PoC exploits:

```python
search_exploits(cve_id="CVE-2024-3400")
```

Returns:

```json
{
  "cve": "CVE-2024-3400",
  "exploit_count": 12,
  "exploits": [
    {
      "title": "CVE-2024-3400 PoC",
      "url": "https://github.com/...",
      "stars": 45,
      "language": "Python",
      "created_at": "2024-04-13"
    }
  ]
}
```

get_mitre_techniques

Map a CVE to MITRE ATT&CK techniques:

```python
get_mitre_techniques(cve_id="CVE-2021-44228")
```

Returns:

```json
{
  "cve": "CVE-2021-44228",
  "techniques": [
    {
      "id": "T1190",
      "name": "Exploit Public-Facing Application",
      "tactic": "Initial Access",
      "description": "...",
      "mitigations": [...]
    }
  ]
}
```

check_poc_availability

Determine whether PoC code exists across multiple sources:

```python
check_poc_availability(cve_id="CVE-2024-3400")
```

Returns:

```json
{
  "poc_available": true,
  "sources": ["GitHub", "Exploit-DB"],
  "confidence": "HIGH"
}
```

3. Risk Analysis & Reporting (4 tools)

calculate_risk_score

Compute a composite 0-100 risk score:

```python
calculate_risk_score(cve_id="CVE-2024-3400")
```

Returns:

```json
{
  "cve": "CVE-2024-3400",
  "risk_score": 98.5,
  "risk_level": "CRITICAL",
  "components": {
    "cvss_score": 10.0,
    "epss_score": 0.89234,
    "in_kev": true,
    "poc_available": true,
    "exploit_maturity": "FUNCTIONAL"
  },
  "recommendation": "Patch immediately - active exploitation confirmed"
}
```

Risk score formula:

```text
Base  = CVSS * 10      (0-100)
      + EPSS * 30      (0-30)
      + KEV bonus      (+20)
      + PoC bonus      (+10)
Capped at 100
```

With these weights a CVSS 10.0 CVE already saturates the cap on its own, so the 98.5 in the sample output is illustrative rather than the arithmetic result of the formula. Treat the weights as the documented intent and check the server's actual output before building patch SLAs on exact values.

prioritize_cves

Rank multiple CVEs by composite risk:

```python
prioritize_cves(cve_ids=["CVE-2024-3400", "CVE-2023-4966", "CVE-2023-44487"])
```

Returns a list sorted by risk score:

```json
[
  {"cve": "CVE-2024-3400", "risk_score": 98.5, "priority": 1},
  {"cve": "CVE-2023-44487", "risk_score": 87.3, "priority": 2},
  {"cve": "CVE-2023-4966", "risk_score": 76.2, "priority": 3}
]
```
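The following is an added example, not code from cve-mcp-server, that implements the risk-score weighting documented above (CVSS*10 base, EPSS*30, +20 for KEV, +10 for PoC, capped at 100) and the ranking that `prioritize_cves` performs on top of it. The `CveSignals` dataclass, the risk-level thresholds, the recommendation wording and the `CVE-2099-*` sample signals are assumptions chosen for illustration; only the CVE-2024-3400 inputs come from the page. It also shows the edge case the formula note raises: once a CVE saturates the cap, the tie-break (KEV first, then EPSS) is what keeps the ranking meaningful.

```python
"""Composite CVE risk score and prioritization (added example, not the server's code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class CveSignals:
    cve_id: str
    cvss: float          # CVSS v3 base score, 0.0-10.0
    epss: float          # EPSS probability, 0.0-1.0 (0.1 means 10%, never 10.0)
    in_kev: bool         # listed in CISA KEV
    poc_available: bool  # public PoC found


def risk_level(score: float) -> str:
    """Assumed thresholds; the page shows CRITICAL at 98.5 and HIGH at 76-88."""
    if score >= 90:
        return "CRITICAL"
    if score >= 70:
        return "HIGH"
    if score >= 40:
        return "MEDIUM"
    return "LOW"


def calculate_risk_score(s: CveSignals) -> dict:
    # Reject out-of-range inputs early: an EPSS of 10.0 is a unit mistake, not a score.
    if not 0.0 <= s.cvss <= 10.0 or not 0.0 <= s.epss <= 1.0:
        raise ValueError(f"{s.cve_id}: CVSS must be 0-10 and EPSS 0-1")
    base = s.cvss * 10                 # 0-100
    epss_part = s.epss * 30            # 0-30
    kev_bonus = 20 if s.in_kev else 0
    poc_bonus = 10 if s.poc_available else 0
    # The cap means a CVSS 10 CVE saturates by itself; KEV/EPSS/PoC only
    # differentiate below that, which is why prioritize_cves needs a tie-break.
    score = round(min(100.0, base + epss_part + kev_bonus + poc_bonus), 1)
    if s.in_kev:
        recommendation = "Patch immediately - active exploitation confirmed"
    elif s.poc_available or s.epss >= 0.5:
        recommendation = "Patch this week - public PoC or high EPSS"
    else:
        recommendation = "Patch in the normal cycle"
    return {
        "cve": s.cve_id,
        "risk_score": score,
        "risk_level": risk_level(score),
        "components": {
            "cvss_score": s.cvss,
            "epss_score": s.epss,
            "in_kev": s.in_kev,
            "poc_available": s.poc_available,
        },
        "recommendation": recommendation,
    }


def prioritize_cves(signals: list[CveSignals]) -> list[dict]:
    """Rank by composite score; ties broken by KEV membership, then by EPSS."""
    ranked = sorted(
        (calculate_risk_score(s) for s in signals),
        key=lambda r: (
            r["risk_score"],
            r["components"]["in_kev"],
            r["components"]["epss_score"],
        ),
        reverse=True,
    )
    for priority, entry in enumerate(ranked, start=1):
        entry["priority"] = priority
    return ranked


# Constructed signals. CVE-2024-3400 uses the values shown on this page; the
# CVE-2099-* identifiers are synthetic placeholders, not real CVEs.
SAMPLE_SIGNALS = [
    CveSignals("CVE-2099-1001", cvss=5.3, epss=0.02, in_kev=False, poc_available=False),
    CveSignals("CVE-2024-3400", cvss=10.0, epss=0.89234, in_kev=True, poc_available=True),
    CveSignals("CVE-2099-1002", cvss=7.5, epss=0.12, in_kev=False, poc_available=True),
]


if __name__ == "__main__":
    for entry in prioritize_cves(SAMPLE_SIGNALS):
        print(entry["priority"], entry["cve"], entry["risk_score"], entry["risk_level"])
```

Feed it the `components` block that `calculate_risk_score` returns and you can reproduce the server's ordering locally, which is useful when you want to audit why one CVE outranked another.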

generate_risk_report

Create an executive security report:

```python
generate_risk_report(cve_ids=["CVE-2024-3400"], include_mitigations=True)
```

Returns a formatted markdown report with:
  • Executive summary
  • CVE details with CVSS/EPSS
  • KEV status and exploit availability
  • MITRE ATT&CK mapping
  • Prioritized remediation steps

4. Network Intelligence (4 tools)

lookup_ip_reputation

Check an IP against AbuseIPDB:

```python
lookup_ip_reputation(ip_address="185.220.101.34")
```

Returns:

```json
{
  "ip": "185.220.101.34",
  "abuse_confidence": 100,
  "total_reports": 1234,
  "is_public": true,
  "is_whitelisted": false,
  "country": "US",
  "isp": "Example ISP",
  "usage_type": "Data Center/Web Hosting/Transit"
}
```

check_ip_noise

Query GreyNoise for observed scanning and attack activity:

```python
check_ip_noise(ip_address="185.220.101.34")
```

Returns:

```json
{
  "ip": "185.220.101.34",
  "classification": "malicious",
  "last_seen": "2024-05-16",
  "tags": ["SSH Bruteforce", "Web Scanner"],
  "cves": ["CVE-2024-1234"],
  "actor": "Unknown"
}
```

shodan_host_lookup

Get open ports, services and known vulnerabilities for a host:

```python
shodan_host_lookup(ip_address="8.8.8.8")
```

Returns:

```json
{
  "ip": "8.8.8.8",
  "ports": [53, 443],
  "vulns": [],
  "services": [
    {"port": 53, "protocol": "dns", "product": "Google DNS"}
  ],
  "os": null,
  "hostnames": ["dns.google"]
}
```

5. Threat Intelligence (4 tools)

virustotal_lookup

Analyze hashes, URLs, domains, or IPs:

```python
virustotal_lookup(resource_type="hash", resource="44d88612fea8a8f36de82e1278abb02f")
virustotal_lookup(resource_type="url", resource="https://malicious.example.com")
virustotal_lookup(resource_type="domain", resource="malicious.example.com")
virustotal_lookup(resource_type="ip", resource="192.0.2.1")
```

Returns:

```json
{
  "resource": "44d88612fea8a8f36de82e1278abb02f",
  "positives": 56,
  "total": 70,
  "scan_date": "2024-05-16 12:34:56",
  "permalink": "https://virustotal.com/...",
  "detections": {
    "Kaspersky": "HEUR:Trojan.Win32.Generic",
    "Microsoft": "Trojan:Win32/Meterpreter"
  }
}
```

search_malware

Query MalwareBazaar for samples:

```python
search_malware(query_type="tag", query="Emotet", limit=10)
search_malware(query_type="hash", query="44d88612fea8a8f36de82e1278abb02f")
```

Returns:

```json
{
  "query_status": "ok",
  "data": [
    {
      "sha256_hash": "abc123...",
      "file_type": "exe",
      "file_size": 123456,
      "signature": "Emotet",
      "first_seen": "2024-05-01",
      "tags": ["Emotet", "trojan"]
    }
  ]
}
```

search_iocs

Query ThreatFox for indicators of compromise:

```python
search_iocs(query_type="malware", query="CobaltStrike")
search_iocs(query_type="ioc", query="192.0.2.1")
```

Returns:

```json
{
  "query_status": "ok",
  "data": [
    {
      "ioc": "192.0.2.1",
      "ioc_type": "ip:port",
      "malware": "CobaltStrike",
      "confidence_level": 100,
      "first_seen": "2024-05-10",
      "tags": ["c2"]
    }
  ]
}
```

Common Usage Patterns

Pattern 1: Complete Vulnerability Triage

When a user asks "Should we patch CVE-2024-3400?", orchestrate:

```python
# Step 1: Get CVE details
cve_data = lookup_cve("CVE-2024-3400")

# Step 2: Calculate risk score (combines CVSS + EPSS + KEV + PoC)
risk = calculate_risk_score("CVE-2024-3400")

# Step 3: Check for public exploits
exploits = search_exploits("CVE-2024-3400")

# Step 4: Map to ATT&CK for context
attack = get_mitre_techniques("CVE-2024-3400")

# Step 5: Present unified recommendation
#   Risk score 98.5/100  -> Patch immediately
#   KEV status: YES      -> Federal mandate to patch (binding on US federal
#                           civilian agencies under CISA BOD 22-01; strong
#                           guidance for everyone else)
#   EPSS: 89%            -> High 30-day exploitation probability
#   PoC available: YES   -> Exploitation barriers low
```

Pattern 2: Batch Vulnerability Prioritization

When the user provides a list of CVEs:

```python
# User: "Prioritize these CVEs: CVE-2024-3400, CVE-2023-4966, CVE-2023-44487"

# Single call to get the ranked list
prioritized = prioritize_cves([
    "CVE-2024-3400",
    "CVE-2023-4966",
    "CVE-2023-44487",
])

# Returns:
#   1. CVE-2024-3400  (98.5) - CRITICAL - Patch this week
#   2. CVE-2023-44487 (87.3) - HIGH     - Patch this month
#   3. CVE-2023-4966  (76.2) - HIGH     - Patch next quarter
```

Pattern 3: IP Threat Investigation

When investigating a suspicious IP:

```python
# User: "Is 185.220.101.34 malicious?"

# Check reputation
abuse = lookup_ip_reputation("185.220.101.34")

# Check active scanning behavior
noise = check_ip_noise("185.220.101.34")

# Get infrastructure details
host = shodan_host_lookup("185.220.101.34")

# Cross-reference with VirusTotal
vt = virustotal_lookup("ip", "185.220.101.34")

# Synthesize verdict:
#   AbuseIPDB: 100% confidence malicious
#   GreyNoise: Active SSH bruteforce + web scanning
#   Shodan:    Exposed SSH, MySQL, RDP
#   VT:        Flagged by 12/90 vendors
#   -> Block immediately
```

Pattern 4: Malware Analysis Workflow

When the user provides a file hash:

```python
# User: "Analyze hash 44d88612fea8a8f36de82e1278abb02f"

# Check VirusTotal
vt = virustotal_lookup("hash", "44d88612fea8a8f36de82e1278abb02f")

# Search MalwareBazaar
mb = search_malware("hash", "44d88612fea8a8f36de82e1278abb02f")

# Find related IOCs in ThreatFox
if mb["data"]:
    family = mb["data"][0]["signature"]
    iocs = search_iocs("malware", family)

# Present:
#   Detection: 56/70 engines (Meterpreter)
#   Family: Generic backdoor
#   Related IOCs: 12 C2 IPs, 5 domains
```

Pattern 5: Executive Security Report

When the user needs a formal report:

```python
# User: "Generate security report for CVEs found in our scan"
report = generate_risk_report(
    cve_ids=["CVE-2024-3400", "CVE-2023-44487"],
    include_mitigations=True,
)

# Returns formatted markdown with:
#   - Executive summary (risk level, count)
#   - Per-CVE analysis (CVSS, EPSS, KEV)
#   - Exploit landscape (PoC availability)
#   - ATT&CK techniques mapped
#   - Prioritized remediation timeline
#   - Mitigation strategies per CVE
```

Troubleshooting

Issue: Tool returns "API key not configured"

Solution: Set the required environment variable in the Claude Desktop config. The `env` block goes inside the existing `cve-security` entry next to `command` and `args`; the snippet below shows only the part to add:

```json
{
  "mcpServers": {
    "cve-security": {
      "env": {
        "NVD_API_KEY": "your-actual-key-here"
      }
    }
  }
}
```

Issue: Rate limit errors from NVD

Solution:
  1. Ensure `NVD_API_KEY` is set (raises the limit from 5 requests per rolling 30 s to 50 per 30 s)
  2. The server has built-in rate limiting and caching
  3. Use `bulk_cve_lookup` instead of multiple `lookup_cve` calls

Issue: "Private IP address blocked"

Solution: This is intentional. Network intelligence tools reject RFC 1918 private ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) so the server cannot be used to probe internal hosts, and so internal addresses are never sent to third-party reputation services. Only public IPs are accepted.

Issue: Shodan returns empty results

Causes:
  1. IP not in Shodan database (not scanned recently)
  2. API key missing or invalid
  3. Rate limit exceeded (1 request/second on free tier)

Issue: CVE not found in NVD

Check:
  1. The CVE ID format is correct: CVE-YYYY-NNNN, where the sequence number has four or more digits (CVE-2023-4966 and CVE-2021-44228 are both valid)
  2. Whether the CVE was published very recently (NVD enrichment can lag by 24-48h)
  3. Try `search_cves` with a keyword instead

Issue: EPSS score returns 0.0

Explanation: EPSS is recomputed daily, so a newly published CVE may not have a score yet. A returned 0.0 can therefore mean either "not scored yet" or a genuinely near-zero 30-day exploitation probability (below 0.1%); check the `date` field in the response and re-query later before treating the CVE as low risk.

Issue: Tools work in CLI but not in Claude Desktop

Solution:
  1. Restart Claude Desktop after config changes
  2. Check the config JSON syntax (use JSONLint)
  3. Verify the Python path used in the `command` field. Claude Desktop does not necessarily inherit your shell's PATH, so use the absolute path these commands print if the bare `python` fails:

     ```bash
     which python  # macOS/Linux
     where python  # Windows
     ```

  4. Check the Claude Desktop logs:
     • macOS: `~/Library/Logs/Claude/mcp*.log`
     • Windows: `%APPDATA%\Claude\logs\mcp*.log`

Testing the Installation

Test from command line:

```bash
# Test basic CVE lookup
python -m cve_mcp_server --test lookup_cve CVE-2021-44228

# Test risk calculation
python -m cve_mcp_server --test calculate_risk_score CVE-2024-3400

# Test with API key
NVD_API_KEY=your-key python -m cve_mcp_server --test search_cves "Apache"
```

Test in Claude Desktop:

After configuration, restart Claude Desktop and try:
"Can you look up CVE-2021-44228 and tell me its risk score?"
"Search for recent critical CVEs in Apache Log4j"
"Check if 185.220.101.34 is malicious"
"Analyze hash 44d88612fea8a8f36de82e1278abb02f"

The hash 44d88612fea8a8f36de82e1278abb02f is the MD5 of the EICAR test file, so it is a safe value for exercising the hash-analysis path without handling real malware.

Advanced Configuration

Custom Cache Location

Set the cache directory via an environment variable:

```json
{
  "env": {
    "CVE_MCP_CACHE_DIR": "/path/to/cache"
  }
}
```

Default locations:
  • macOS: `~/Library/Caches/cve-mcp-server/`
  • Linux: `~/.cache/cve-mcp-server/`
  • Windows: `%LOCALAPPDATA%\cve-mcp-server\cache\`

Disable Caching

```json
{
  "env": {
    "CVE_MCP_DISABLE_CACHE": "true"
  }
}
```

Custom Rate Limits

```json
{
  "env": {
    "NVD_RATE_LIMIT": "10",
    "VIRUSTOTAL_RATE_LIMIT": "4"
  }
}
```

Security Considerations

  • No inbound ports: the server speaks MCP over stdio only; nothing listens on the network
  • No data storage beyond a local cache of API responses (location and opt-out are covered under Advanced Configuration)
  • API key handling: keys are read from the environment, never logged, and sent only to the API they belong to
  • Private IP blocking: network tools reject RFC 1918 addresses, so internal hosts are never scanned or disclosed to third-party services
  • HTTPS only: all outbound requests use TLS
  • Input validation: all tool inputs are validated against Pydantic schemas

Best Practices

  1. Always set NVD_API_KEY - it raises the NVD rate limit tenfold
  2. Use bulk operations - `bulk_cve_lookup` instead of loops of `lookup_cve`
  3. Cache results - the inputs to a CVE's risk score rarely change within 24h (EPSS itself is recomputed daily)
  4. Combine tools - use `calculate_risk_score`, which aggregates CVSS + EPSS + KEV + PoC
  5. Check KEV first - if a CVE is in CISA KEV, patch immediately regardless of CVSS
  6. Interpret EPSS correctly - 0.1 means a 10% probability of exploitation in the next 30 days, not 10.0
  7. Validate CVE IDs - they must match CVE-YYYY-NNNN with four or more sequence digits

API Key Priority Guide

Essential (free):
  • NVD_API_KEY - 10x rate limit increase

High value (free tier):
  • GITHUB_TOKEN - exploit search, better rate limits
  • VIRUSTOTAL_API_KEY - 4 req/min on the free tier
  • ABUSEIPDB_API_KEY - IP reputation checks

Optional (paid or limited free):
  • SHODAN_API_KEY - 1 req/sec free, 100 credits/month
  • GREYNOISE_API_KEY - Community tier available
  • ABUSECH_AUTH_KEY - higher rate limits

Specialized:
  • CIRCL_PDNS_USER/CIRCL_PDNS_PASSWORD - Passive DNS (requires registration)
  • ALIENVAULT_OTX_KEY - threat intelligence pulses