CVE MCP Server Enhances Claude with 27 Security Tools and 21 APIs
Key Takeaways
- A new open-source project, CVE MCP Server, integrates Anthropic’s Claude AI with 27 security tools and 21 APIs to automate vulnerability triage.
- The server targets the manual, multi-tab workflow analysts follow when assessing a CVE, a workflow the project says leaves 96% of lower-priority CVE alerts uninvestigated.
- It features a weighted risk scoring formula that prioritizes vulnerabilities based on factors like EPSS, CISA KEV status, CVSS, and Proof-of-Concept availability, moving beyond CVSS-only prioritization.
- The tool is immediately deployable, with eight core functions requiring no API keys, allowing teams to progressively add more advanced integrations.
A new open-source project, CVE MCP Server, gives Anthropic's Claude direct, correlated access to 27 security intelligence tools backed by 21 external APIs, all reachable through a single natural-language query, so that a CVE triage that currently spans a dozen browser tabs can be driven from one conversation.
Security analysts are intimately familiar with the cumbersome process of vulnerability assessment. Triaging even a single Common Vulnerabilities and Exposures (CVE) identifier typically necessitates opening numerous browser tabs. This fragmented workflow involves consulting the National Vulnerability Database (NVD) for CVSS scores, checking the Exploit Prediction Scoring System (EPSS) for exploitation probability, reviewing CISA’s Known Exploited Vulnerabilities (KEV) catalog, searching GitHub for patch status, scanning VirusTotal for malware associations, and querying Shodan for exposed hosts, among other tasks.
The project cites EPSS v4 research for the figure that 96% of CVE alerts falling below an exploitation threshold are never investigated, simply because the manual work does not scale. For a team handling 50 or more CVEs at once, the tab-by-tab approach can consume a full workday.
Developer Mahipal (GitHub handle mukul975) released the CVE MCP Server on GitHub. It is an implementation of Anthropic's Model Context Protocol (MCP), an open standard for connecting Large Language Model (LLM) applications to external data sources and tools.
CVE MCP Server With 27 Tools
The server integrates Claude with 27 specialized security tools, categorized into five key areas: Core Vulnerability Intelligence, Exploit & Attack Intelligence, Advanced Risk & Reporting, Network Intelligence, and Threat Intelligence.
Built with Python, FastMCP, httpx, aiosqlite, Pydantic v2, and defusedxml, the server communicates only over outbound HTTPS: it opens no inbound ports, collects no telemetry, and, per the project, never logs API keys. These are the project's own claims and worth verifying before deployment; note also that "outbound only" still means every CVE ID, IP address, or hash an analyst asks about is sent to the corresponding third-party service, which matters when the query itself is sensitive (the address of an unpatched internal host, an IOC from an active incident).
The catalog covers the signals an analyst normally gathers by hand. Core vulnerability tools include lookup_cve for NVD queries, get_epss_score for FIRST data, check_kev_status for CISA's KEV catalog, and bulk_cve_lookup, which fetches information for up to 20 CVEs in parallel.
Exploit intelligence tools within the server map CVEs to MITRE ATT&CK techniques, verify Proof-of-Concept (PoC) availability across GitHub and Exploit-DB, and retrieve Common Attack Pattern Enumeration and Classification (CAPEC) attack patterns.
Network intelligence capabilities incorporate AbuseIPDB reputation scoring, GreyNoise scan activity data, Shodan host profiling, and CIRCL Passive DNS. Threat intelligence tools facilitate lookups on VirusTotal, MalwareBazaar, and ThreatFox for Indicators of Compromise (IOCs), and connect to Ransomwhere for tracking ransomware Bitcoin addresses.
A central component of the project is a weighted risk scoring formula that goes beyond CVSS-only prioritization, in line with the industry's shift towards multi-signal triage. EPSS probability is weighted 35%, CISA KEV status 30%, CVSS 20%, and PoC availability 15%. Boost multipliers are applied for combinations such as an active KEV entry together with a PoC, a CVSS score of 9.0 or higher together with high EPSS, and recently published CVEs. A score between 76 and 100 is labelled CRITICAL, which the project maps to patching within 24 to 48 hours under an emergency change window. Because KEV status and PoC availability together carry 45% of the weight against 20% for CVSS, a moderate-CVSS bug that is actually being exploited outranks a CVSS 9.8 bug with no exploitation signals, which is exactly the correction to CVSS-only ranking the formula is meant to provide.
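As an added worked example (not the project's own scoring code), the formula described above in Python with the article's weights and CRITICAL band. The article does not quantify the boost multipliers, the thresholds for "high EPSS" and "recently published", or the bands below CRITICAL, so those values are assumptions made here and marked as such in the code. The sample records are constructed with placeholder names, not real CVE IDs. Running it shows why the weighting matters: a CVSS 9.8 CVE with no exploitation signals lands in the LOW band, below a CVSS 5.3 CVE that has a public PoC.

```python
"""Multi-signal CVE risk score in the shape the article describes.

Added illustration, not the project's own scoring code. Weights (EPSS 35%,
KEV 30%, CVSS 20%, PoC 15%) and the CRITICAL band (76-100) are as the article
states; the multiplier values, the 'high EPSS' and 'recently published'
thresholds and the HIGH/MEDIUM/LOW band edges are assumptions made here.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Weights from the article; they sum to 1.0 so the base score spans 0-100.
W_EPSS, W_KEV, W_CVSS, W_POC = 0.35, 0.30, 0.20, 0.15

# Assumed values for the boosts and thresholds the article names but does not quantify.
BOOST_KEV_AND_POC = 1.15          # active KEV entry and a public PoC
BOOST_CRIT_CVSS_HIGH_EPSS = 1.10  # CVSS >= 9.0 together with high EPSS
BOOST_RECENT = 1.05               # recently published CVE
HIGH_EPSS = 0.50                  # assumed cut-off for "high EPSS"
RECENT_DAYS = 30                  # assumed window for "recently published"


@dataclass(frozen=True)
class CveSignals:
    cve_id: str        # placeholder names below, not real CVE identifiers
    cvss: float        # NVD base score, 0.0-10.0
    epss: float        # FIRST EPSS probability, 0.0-1.0
    in_kev: bool       # listed in CISA KEV
    has_poc: bool      # PoC found on GitHub / Exploit-DB
    published: date


def base_score(s: CveSignals) -> float:
    """Weighted sum of normalised signals, scaled to 0-100."""
    if not (0.0 <= s.cvss <= 10.0 and 0.0 <= s.epss <= 1.0):
        raise ValueError(f"{s.cve_id}: CVSS or EPSS out of range")
    return 100.0 * (W_EPSS * s.epss
                    + W_KEV * float(s.in_kev)
                    + W_CVSS * (s.cvss / 10.0)
                    + W_POC * float(s.has_poc))


def boost_multiplier(s: CveSignals, today: date) -> float:
    """Product of the boosts whose conditions hold; boosts stack."""
    m = 1.0
    if s.in_kev and s.has_poc:
        m *= BOOST_KEV_AND_POC
    if s.cvss >= 9.0 and s.epss >= HIGH_EPSS:
        m *= BOOST_CRIT_CVSS_HIGH_EPSS
    if today - s.published <= timedelta(days=RECENT_DAYS):
        m *= BOOST_RECENT
    return m


def risk_score(s: CveSignals, today: date) -> float:
    """Boosted score, capped at 100 so stacked boosts cannot exceed the scale."""
    return round(min(100.0, base_score(s) * boost_multiplier(s, today)), 2)


def label(score: float) -> str:
    if score >= 76:
        return "CRITICAL"  # article: patch in 24-48 h under an emergency change window
    if score >= 51:
        return "HIGH"      # assumed band
    if score >= 26:
        return "MEDIUM"    # assumed band
    return "LOW"           # assumed band


def triage(signals, today: date):
    """[(cve_id, score, label)] sorted highest risk first."""
    rows = []
    for s in signals:
        sc = risk_score(s, today)
        rows.append((s.cve_id, sc, label(sc)))
    return sorted(rows, key=lambda r: r[1], reverse=True)


# Constructed sample signals (placeholder IDs, not real CVEs).
TODAY = date(2025, 1, 31)
SAMPLE_SIGNALS = [
    CveSignals("sample-kev-poc", cvss=9.8, epss=0.92, in_kev=True, has_poc=True,
               published=date(2025, 1, 20)),
    CveSignals("sample-cvss-only", cvss=9.8, epss=0.01, in_kev=False, has_poc=False,
               published=date(2024, 6, 1)),
    CveSignals("sample-medium-poc", cvss=5.3, epss=0.05, in_kev=False, has_poc=True,
               published=date(2025, 1, 25)),
]

if __name__ == "__main__":
    for cve_id, score, lab in triage(SAMPLE_SIGNALS, TODAY):
        print(f"{cve_id:18} {score:6.2f}  {lab}")
```

The cap at 100 is deliberate: the three boosts stack multiplicatively, so a CVE that is in KEV, has a PoC, is CVSS 9.8 with high EPSS and was published this month would otherwise score well above the scale. Whatever multiplier values a team adopts, the bands should be re-checked against a few known past incidents so that the CRITICAL line falls where the emergency change process can actually absorb the volume.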
A notable design choice emphasizes accessibility: eight tools function without requiring any API keys. These include EPSS, CISA KEV, OSV.dev, MITRE ATT&CK, CWE lookups, CVSS parsing, Ransomwhere, and NVD (at a reduced rate). This allows teams to deploy and begin querying immediately, then progressively add Tier 1 keys (NVD, GitHub) for tenfold throughput and Tier 2 keys (AbuseIPDB, VirusTotal, GreyNoise, Shodan) for comprehensive multi-domain intelligence.
The server also addresses software supply chain security with three DevSecOps tools: scan_dependencies queries OSV.dev for vulnerable package versions, scan_github_advisories searches GitHub Security Advisories by ecosystem, and urlscan_check analyzes suspicious URLs. Developers can use a single Claude prompt to scan an entire requirements.txt file and receive prioritized upgrade recommendations.
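To make concrete what a dependency scan of this kind does under the hood, here is an added example (not the project's scan_dependencies tool) that parses a pinned requirements.txt, builds the request body for OSV.dev's public batch endpoint (POST /v1/querybatch), and ranks the packages by the number of advisories in the reply. It runs offline: the requirements file and the response are constructed samples in the documented OSV shape, and the vulnerability IDs in the response are placeholders, not real advisories.

```python
"""Pinned requirements.txt -> OSV.dev querybatch body -> ranked findings.

Added illustration, not the project's scan_dependencies tool. The request and
response shapes follow the public OSV API (POST /v1/querybatch). The
requirements text and the response below are constructed samples; the
vulnerability IDs are placeholders, not real advisories.
"""
import json
import re

OSV_QUERYBATCH_URL = "https://api.osv.dev/v1/querybatch"

# Constructed sample: only exact (==) pins can be queried by version.
REQUIREMENTS_TXT = """\
# constructed sample requirements file
requests==2.25.1
pyyaml==5.3.1   # pinned, with a trailing comment
jinja2>=3.0     # range, not an exact version: skipped
-e ./localpkg   # editable install: skipped
"""

# name, then '==', then a version token (stops at whitespace, '#' or ';' markers)
_PIN = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([^\s#;]+)")


def parse_pins(text):
    """Return [(name, version)] for exact pins; comments, ranges and -e lines are ignored."""
    pins = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        m = _PIN.match(line)
        if m:
            pins.append((m.group(1).lower(), m.group(2)))
    return pins


def build_querybatch(pins, ecosystem="PyPI"):
    """Body for POST /v1/querybatch; OSV returns results in query order."""
    return {"queries": [{"package": {"name": name, "ecosystem": ecosystem},
                         "version": version}
                        for name, version in pins]}


# Constructed response in the querybatch shape: one result per query, in order.
SAMPLE_RESPONSE = {
    "results": [
        {"vulns": [{"id": "EXAMPLE-VULN-0001", "modified": "2024-01-01T00:00:00Z"},
                   {"id": "EXAMPLE-VULN-0002", "modified": "2024-03-01T00:00:00Z"}]},
        {"vulns": [{"id": "EXAMPLE-VULN-0003", "modified": "2023-11-01T00:00:00Z"}]},
    ]
}


def triage_results(pins, response):
    """Pair each pin with its advisory IDs, most affected package first.

    Returns [(name, version, [ids])]; clean packages are dropped. A result count
    that does not match the query count means the pairing would be wrong, so
    it is treated as an error rather than silently misattributed.
    """
    results = response.get("results", [])
    if len(results) != len(pins):
        raise ValueError("querybatch returned %d results for %d queries"
                         % (len(results), len(pins)))
    rows = []
    for (name, version), res in zip(pins, results):
        ids = sorted(v["id"] for v in res.get("vulns", []))
        if ids:
            rows.append((name, version, ids))
    # querybatch only returns id/modified; GET /v1/vulns/{id} supplies
    # affected[].ranges with the fixed versions an upgrade recommendation needs.
    return sorted(rows, key=lambda r: len(r[2]), reverse=True)


if __name__ == "__main__":
    pins = parse_pins(REQUIREMENTS_TXT)
    print(json.dumps(build_querybatch(pins), indent=2))
    for name, version, ids in triage_results(pins, SAMPLE_RESPONSE):
        print(f"{name}=={version}: {len(ids)} advisories: {', '.join(ids)}")
```

Two points carry over to any tool that wraps this API: unpinned requirements cannot be resolved to a single version and must be reported as "not checked" rather than "clean", and the batch response carries no fixed-version data, so the upgrade recommendation needs a second lookup per advisory.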
The CVE MCP Server is currently available under an open-source license at github.com/mukul975/cve-mcp-server, with out-of-the-box support for Claude Desktop and Claude Code configurations.
What You Should Do
- Review the CVE MCP Server project on GitHub to understand its capabilities and integration potential.
- Consider deploying the server in a controlled environment to evaluate its effectiveness in automating vulnerability triage for your organization.
- Prioritize adding Tier 1 and Tier 2 API keys for enhanced throughput and comprehensive threat intelligence once initial testing is complete.
- Integrate the DevSecOps tools (scan_dependencies, scan_github_advisories, urlscan_check) into your development pipeline to bolster software supply chain security.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.