Commit 76e72c15 authored by Aki Braun

HAS 57: clarify where vulnerabilities are listed

parent 40d129c9
+6 −2
@@ -73,7 +73,11 @@ The product shall be tested for all known exploitable vulnerabilities to demonst

* Reference: TR-NKEV
* Objective: Prevent exploitation of known exploitable vulnerabilities at first use
* Preparation: Compile a list of known exploitable vulnerabilities in the product and its components, compile a list of known exploitable vulnerabilities that will be tested, collect tests for each one
* Preparation: Using the product's SBOM, relevant publically accessible vulnerability databases, private disclosures, and internal testing, compile a list of known exploitable vulnerabilities in the product and its components that will be tested. Collect tests for each one.

> [!NOTE]
> Some examples of publically accessible vulnerability databases are [GCVE](https://gcve.eu), [EUVD](http://euvd.enisa.europa.eu), and the Common Vulnerability and Exposures (CVE) List maintained by the MITRE Corporation. 

* Activities: On a new product, carry out a secure update, run the tests, and compare the results with the generated list of known exploitable vulnerabilities
* Verdict: No vulnerabilities found, or all reported vulnerabilities satisfy either the age or mitigation requirement => PASS, otherwise FAIL
* Evidence: Documented vulnerability handling policy, list of vulnerabilities, test results for each vulnerability or documentation of age of vulnerability, correlation of list of vulnerabilities with test results or documentation of age of vulnerability
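Review bot: the rewritten Preparation bullet collapses two lists into one. The removed line distinguished the full list of known exploitable vulnerabilities in the product and its components from the subset that will actually be tested; the unchanged Verdict and Evidence bullets still rely on that distinction ("test results for each vulnerability or documentation of age of vulnerability", and a correlation of the list with those results), so the untested remainder that is covered by the age requirement has nowhere to be recorded in the new wording. Suggest keeping both steps, e.g. "compile the full list of known exploitable vulnerabilities in the product and its components, then select the subset that will be tested and collect tests for each one." Minor points on the same hunk: "publically" should be "publicly" in both added lines; the official name is "Common Vulnerabilities and Exposures", not "Common Vulnerability and Exposures"; the EUVD link is plain http where the GCVE link is https; and the blank-line-separated `> [!NOTE]` block between the Preparation and Activities bullets splits the Markdown list in two, so either indent it under the Preparation bullet or move it after the Evidence bullet.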
@@ -372,7 +376,7 @@ The product shall only report that the VPN connection is established after it ha

#### 5.2.5.3 MI-ROUT-2 VPN routing stays in effect during network-level tunnel failure

The product shall ensure that when the connection to the VPN server is lost at the network level (e.g., due to firewall rules or network outage), no traffic intended for the VPN connection can exit the endpoint through another interface.
The product shall ensure that when the connection to the VPN server is lost at the network level (e.g., due to firewall rules or network outage), no traffic intended for the VPN connection can exit the endpoint outside of the tunnel.

* Reference: TR-ROUT
* Objective: Prevent VPN traffic leaks during tunnel failure
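Review bot: "outside of the tunnel" is a sound tightening of "through another interface", since it also forbids traffic leaving in cleartext on the same interface the tunnel used, but the phrase reads awkwardly in the exact situation the sentence describes: once the connection to the VPN server is lost there is no tunnel to be outside of. Suggest stating the property directly, e.g. "no traffic intended for the VPN connection can exit the endpoint unencapsulated, on any interface, until the tunnel is re-established", which also makes the "stays in effect" wording of the heading and the "traffic leaks" wording of the Objective line up with the requirement text.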