Commit de4dfb5b authored by Miguel Fornés's avatar Miguel Fornés Committed by Aki Braun


Resolve "[HAS 48] 5.2.2 Section insufficiently addresses what is meant by known exploitable vulnerabilities from a practical"
parent 7855f388
@@ -27,6 +27,8 @@ This clause is a list of cybersecurity requirements necessary to satisfy essenti

Recognizing that there may be vulnerabilities discovered between the time that a product is placed on the market and the time of that product's first use, and that the product should be free from known exploitable vulnerabilities both when first made available and when first used by a consumer, the product shall be able to be updated at the time of first use to address known exploitable vulnerabilities which were discovered after the product's placement on the market and before first use.

**Guidance:** From a practical standpoint, a known exploitable vulnerability is a flaw that has the potential to be effectively used by an adversary under practical operational conditions, particularly those for which there is reliable evidence of active exploitation in the wild by malicious actors and/or is listed on trusted vulnerabilities databases, such as the EUVD (https://euvd.enisa.europa.eu/).

#### 5.2.2.2 MI-KEVD: Documentation for secure update before or during first use

The product shall be accompanied by documentation describing how the product can be securely updated, including how to update the product prior to, or as part of, first use.
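Review bot: the "and/or is listed on trusted vulnerabilities databases" clause in the new Guidance paragraph undercuts the definition it is meant to sharpen: a vulnerability database catalogues vulnerabilities whether or not they are exploited, so as written any listed CVE would count as "known exploitable", which contradicts the "reliable evidence of active exploitation in the wild" criterion in the same sentence. Suggest tying the database criterion to exploitation status, e.g. "and/or is flagged as exploited in trusted vulnerability databases, such as the EUVD", and fixing the subject mismatch ("those for which there is ... and/or is listed" should read "those for which there is ... or that are listed"). Minor: "trusted vulnerabilities databases" should be "trusted vulnerability databases".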
@@ -34,7 +36,7 @@ The product shall be accompanied by documentation describing how the product can
* Reference: TR-NKEV
* Applicability: The product has software or firmware update capability
* Objective: Prevent exploitation of known exploitable vulnerabilities at first use
* Preparation: Examine public or private vulnerability information sources and select a recently fixed exploitable vulnerability (preferably the most recently fixed)
* Preparation: Examine public or private vulnerability information sources and select a fixed vulnerability for testing. Filter candidates to ensure they specifically affect the platform, architecture, or software components used by the product. Then, prioritize those candidates based on the existence of publicly available exploit code (e.g., Proof of Concept), evidence of active exploitation in the wild, the severity of the vulnerability, and the potential impact its exploitation would have on the product.
* Activities: On a new product, carry out the initial secure update, scan the product to see if a recently fixed vulnerability has been fixed on the product, and examine the documentation for the required info
* Verdict: The secure update completes successfully, the most recently fixed vulnerability is fixed, and the documentation includes all the required information => PASS, otherwise FAIL
* Evidence: Documentation of vulnerability handling, documentation of how to securely update the product, the report for the selected vulnerability, description of how to scan for the vulnerability, log of vulnerability scan results
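Review bot: the rewritten Preparation step now selects the test vulnerability by platform relevance, public exploit availability, exploitation evidence, severity and impact rather than by recency, but the unchanged Activities and Verdict lines still say "a recently fixed vulnerability" and "the most recently fixed vulnerability is fixed", so the verdict no longer refers to the vulnerability the tester actually selected. Suggest changing both to "the selected vulnerability" (e.g. "Verdict: The secure update completes successfully, the selected vulnerability is fixed, ...") so the test case is internally consistent.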
@@ -46,7 +48,7 @@ The product shall implement automatic secure update before or during first use.
* Reference: TR-NKEV
* Applicability: The product has software or firmware update capability
* Objective: Prevent exploitation of known exploitable vulnerabilities at first use
* Preparation: Examine public or private vulnerability information sources and select a recently fixed vulnerability (preferably the most recently fixed)
* Preparation: Examine public or private vulnerability information sources and select a recently fixed vulnerability. Filter candidates to ensure they specifically affect the platform, architecture, or software components used by the product. Then, prioritize those candidates based on the existence of publicly available exploit code (e.g., Proof of Concept), evidence of active exploitation in the wild, the severity of the vulnerability, and the potential impact its exploitation would have on the product.
* Activities: Follow the instructions to install and use the product for the first time, scan the product to see if a recently fixed vulnerability has been fixed on the product, and examine the documentation for the required info
* Verdict: The secure update completes successfully, the most recently fixed vulnerability is fixed, and the documentation includes all the required information => PASS, otherwise FAIL
* Evidence: Documentation of vulnerability handling, documentation of how to securely update the product, the report for the selected vulnerability, description of how to scan for the vulnerability, log of vulnerability scan results
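Review bot: this Preparation step keeps "select a recently fixed vulnerability" while the equivalent step in the previous hunk reads "select a fixed vulnerability for testing"; the three test cases should use the same wording, since the new filter-then-prioritize procedure replaces recency as the selection criterion. Same inconsistency as above: Activities and Verdict still refer to "a recently fixed" / "the most recently fixed" vulnerability and should refer to the selected one.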
@@ -58,7 +60,7 @@ The product shall implement secure update by via administrator actions before or
* Reference: TR-NKEV
* Applicability: The product has software or firmware update capability and is administered by a professional network administrator.
* Objective: Prevent exploitation of known exploitable vulnerabilities at first use
* Preparation: Examine public or private vulnerability information sources and select a recently fixed vulnerability (preferably the most recently fixed)
* Preparation: Examine public or private vulnerability information sources and select a fixed vulnerability. Filter candidates to ensure they specifically affect the platform, architecture, or software components used by the product. Then, prioritize those candidates based on the existence of publicly available exploit code (e.g., Proof of Concept), evidence of active exploitation in the wild, the severity of the vulnerability, and the potential impact its exploitation would have on the product.
* Activities: Follow the instructions for the administrator to receive and install the latest release,  use the product for the first time, scan the product to see if a recently fixed vulnerability has been fixed on the product, and examine the documentation for the required info
* Verdict: The secure update completes successfully, the most recently fixed vulnerability is fixed, and the documentation includes all the required information => PASS, otherwise FAIL
* Evidence: Documentation of vulnerability handling, documentation of how to securely update the product, the report for the selected vulnerability, description of how to scan for the vulnerability, log of vulnerability scan results
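Review bot: "select a fixed vulnerability." drops the "for testing" used in the first Preparation rewrite and the "recently" kept in the second, giving three different phrasings of the same step; pick one wording and apply it to all three test cases. Activities and Verdict here also still say "recently fixed" / "most recently fixed" and should reference the selected vulnerability. Drive-by in the unchanged context: the hunk header reads "secure update by via administrator actions" (drop "by" or "via"), and the Activities line has a double space after "release,".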