What does "no known exploitable vulnerabilities" mean under the CRA?

Alexis Hirschhorn· CEO, Acuna16 July 2026

Direct answer

The Cyber Resilience Act requires products to be placed on the market without known exploitable vulnerabilities (Annex I). It is a release-quality duty, distinct from the separate obligation to report vulnerabilities that become actively exploited later. The CRA is technology-neutral, so it does not mandate CVSS, EPSS or any specific scoring model.

Key Facts

  • Annex I requires shipping free of known exploitable vulnerabilities.
  • Different from an "actively exploited vulnerability," which is the Article 14 reporting trigger (Art. 3(42)).
  • Technology-neutral: CVSS, EPSS and CISA KEV are useful inputs, not legal requirements.
  • Requires a defensible, systematic triage, not a single number.
  • Continuous handling still applies after release across the support period.

"No known exploitable vulnerabilities" is a release-quality requirement: a product must be made available on the market without known exploitable flaws and with a secure default configuration (Annex I). It is not the same thing as the reporting trigger. An "actively exploited vulnerability," which starts the 24-hour reporting clock, is one with reliable evidence of real-world malicious exploitation (Art. 3(42)); the Annex I duty is about what you ship, not only what you later detect. The CRA is deliberately technology-neutral. It requires a risk-based, systematic approach to identifying and handling vulnerabilities, but it does not codify CVSS, EPSS or the CISA KEV catalogue. Using them is sensible for demonstrating a defensible triage process; stating that they are legally mandated is incorrect. What the regulation expects is a documented decision, not a specific score.

What's next

See how Acuna handles this