Use the Vulnerability Instances Assets Page to view specific CVEs detected on specific devices.
Click the Assets icon and, from the left pane, under the Exposures category, select Vulnerability Instances.
Vulnerability Instances Assets Page
The fields on the Vulnerability Instances Assets table provide valuable information on the CVEs detected on your devices.
All default and optional Vulnerability Instances fields, explained in the following sections, are also accessible from the Vulnerable Software table in any device's Profile Page.
- Select a device from the Devices page to navigate to its Asset Profile page.
- From the left navigation menu, under Tables, select Vulnerable Software.
Default Fields
- Vuln ID - The identifier of the vulnerability, either the CVE ID number as provided by the NIST National Vulnerability Database (NVD), or a unique ID number provided by the adapter.
- CVSS - Common Vulnerability Scoring System (CVSS), a numeric score used to supply a qualitative measure of severity. The CVSS rating is fetched from the source (v2.0, v3.0, v4.0, etc.).
- CVE Severity - NONE, LOW, MEDIUM, HIGH, CRITICAL, UNTRIAGED, NEGLIGIBLE, INFO, MODERATE, SERIOUS, SEVERE, URGENT, or CRITICAL (based on the CVSS rating).
- Preferred First Seen - An aggregated date field that shows the earliest date that a Vulnerability was seen on the device. Generally, the date represents the first time this vulnerability was fetched, unless there is a date when it was first seen by an adapter.
- Preferred Last Seen - An aggregated date field that shows the latest date that a Vulnerability was seen on the device. The value of this field depends on the vulnerability's state - Open or Closed.
  - For a Closed vulnerability, the Preferred Last Seen date is either the remediation time reported by the adapter, or, if no remediation time is reported, the last time it was fetched as an Open vulnerability.
  - For an Open vulnerability, the Preferred Last Seen date is the last time it was fetched or reported by an adapter.
- Preferred Age (Days) - The number of days the vulnerability was open. This value is calculated by subtracting the Preferred First Seen date from the Preferred Last Seen date.
The information in the Preferred First Seen, Preferred Last Seen and Preferred Age (Days) fields is provided to allow for MTTR (Mean Time to Remediate) and SLA metrics calculations.
- CVE Impact Score - An evaluation of the "damage level" that might occur if the vulnerability is exploited, according to NIST.
- CVE Exploitability Score - How likely it is that a vulnerability will be exploited according to NIST.
- Mitigated - Whether actions were taken to reduce or eliminate the risk associated with the vulnerability (Yes/No).
Additional fields
The following fields are not default in the Vulnerability Instances table. You can add them by clicking Edit Table > Edit Columns.
- CVE Description - A description of the vulnerability.
- Preferred Host Name - A clickable field that allows you to navigate to the Profile Page of the device the vulnerability was detected on. Note that you can also use the Asset Unique ID or Associated Device ID for the same information.
- State - The state the vulnerability is currently in, namely, whether it was taken care of and where it stands with regard to the remediation process. Possible values are Open (not remediated), Closed (remediated), Unknown, Disappeared (if the vulnerability was remediated by the vendor itself), Resurfaced (if the vulnerability disappeared and then was reported again), or Mitigated/Fixed.
- Status - A more general field than State, showing whether the vulnerability is Open or Closed. Note that this field can be populated with additional values fetched from the adapter.
Remediation Tracking Fields
Some vulnerability adapters do not report vulnerabilities after they were remediated. To address this issue and maintain accurate calculation of key metrics such as Time to Remediate (TTR) and SLA, Axonius offers a mechanism to identify when a vulnerability is no longer being reported, indicating potential remediation. This mechanism compares the reported vulnerabilities in the latest discovery cycle with those reported in the previous cycle. When a vulnerability is reported in the previous cycle but is absent from the latest cycle, it is considered potentially remediated.
The following fields are related to tracking and calculating remediation times:
Adapter Fields
- First Seen, Last Seen - The time when an adapter first or last detected the vulnerability.
- Status - Whether the vulnerability is Open or Closed.
- Remediation Time - When the vulnerability was remediated according to information reported by an adapter.
Axonius Fields
- First Fetch Time, Last Fetch Time - The time when an adapter first or last reported the vulnerability to Axonius.
- Axonius Status - The vulnerability status: Open, Closed, or Reopen.
  - A Closed status appears either when this vulnerability was reported closed by an adapter, or when it stopped being reported by an adapter.
  - A Reopen status appears when the vulnerability was reported again by an adapter after a period of time when it was not reported. In this case, the First Fetch Time field value matches the date when it was re-opened. Note that this might also affect the Preferred Age field value.
- Axonius Status Last Update - When the Axonius Status field was last updated, reflecting the most recent status change.
- Axonius Remediation Time - When the status was changed from Open to Closed or from Reopen to Closed. This field is populated only when the Axonius Status field value is Closed.
- The Axonius fields are populated by values from the adapter only if the adapter indeed reported this information. Otherwise, these values are generated by Axonius.
- This logic does not apply to manually closed vulnerabilities.
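The cycle comparison described in this section, as an added sketch that is not Axonius code. It assumes a discovery cycle is a set of (device, vulnerability ID) pairs and that the adapter reports no dates of its own, so every timestamp is generated from the cycle time; the device names, vulnerability ID and cycle dates are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

@dataclass
class Instance:
    first_fetch: datetime                        # First Fetch Time
    last_fetch: datetime                         # Last Fetch Time (last cycle it was reported)
    status: str = "Open"                         # Axonius Status: Open, Closed or Reopen
    status_updated: Optional[datetime] = None    # Axonius Status Last Update
    remediation_time: Optional[datetime] = None  # Axonius Remediation Time

def apply_cycle(tracked, reported, when):
    """Fold one discovery cycle (a set of (device, vuln_id) keys) into the tracked state."""
    for key in reported:
        inst = tracked.get(key)
        if inst is None:
            tracked[key] = Instance(when, when, status_updated=when)
            continue
        if inst.status == "Closed":
            # Reported again after a gap: Reopen, and First Fetch Time moves to this date.
            inst.status, inst.first_fetch = "Reopen", when
            inst.status_updated, inst.remediation_time = when, None
        inst.last_fetch = when
    for key, inst in tracked.items():
        if key not in reported and inst.status != "Closed":
            # Present in an earlier cycle, absent now: treated as potentially remediated.
            inst.status = "Closed"
            inst.status_updated = inst.remediation_time = when
    return tracked

def preferred_age_days(inst):
    """Last fetch while open minus first fetch (no adapter-reported dates in this sample)."""
    return (inst.last_fetch - inst.first_fetch).days

def mean_days_to_remediate(tracked):
    ages = [preferred_age_days(i) for i in tracked.values() if i.status == "Closed"]
    return sum(ages) / len(ages) if ages else None

# Constructed sample: five cycles, placeholder device names and vulnerability ID.
A, B = ("host-a", "CVE-0000-0001"), ("host-b", "CVE-0000-0001")
CYCLES = [(datetime(2025, 1, 1), {A, B}), (datetime(2025, 1, 5), {A, B}),
          (datetime(2025, 1, 10), {A}), (datetime(2025, 1, 15), {A, B}),
          (datetime(2025, 1, 20), set())]

def replay(cycles):
    tracked = {}
    for when, reported in cycles:
        apply_cycle(tracked, reported, when)
    return tracked
```

In the sample, host-b closes after 4 days, is reopened, and closes again with an age of 0 because its First Fetch Time was reset, which pulls the mean down; this is the Reopen effect on Preferred Age that the note above mentions.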
Vulnerability Instances Queries
Use the Query Wizard to build queries on the Vulnerability Instances page. For example, you can build a simple query that shows only CVEs with a certain range of CVE Impact Score, as demonstrated below.
You can also build relationship queries based on the relationship between a Vulnerability Instance and the device it was detected on.
In the example below, we want to show instances of a specific Vuln ID only on devices that have a Windows OS type:
Excluding Vulnerability Instances
In some cases, remediation of vulnerabilities is either impractical, cost-prohibitive, or involves a false positive. In these cases, you might want to exclude specific vulnerability instances from your reports and management workflows.
You can exclude a vulnerability temporarily, for a defined period of time, or permanently.
To manage your excluded vulnerabilities, add the following custom fields to the Vulnerability Instances table:
- Excluded - A boolean field marking whether this vulnerability instance is excluded or not.
- Exclusion Type - Temporary or permanent.
- Exclusion Reason - Provide the reason for excluding this vulnerability instance.
- Exclusion Justification (Link) - Provide a link to documentation supporting the exclusion of this vulnerability instance.
- Exclusion Expiration Date - If the exclusion is temporary, enter its expiration date.
To learn about adding custom data fields to assets, see:
- Managing Custom Fields
- Working with Custom Data
- Axonius - Add Custom Data to Assets (from the Enforcement Center)
Vulnerability Instances Profile Page
Click on a Vulnerability Instance row to view its Asset Profile page. The Vulnerability Instances Profile page provides detailed information about the Vulnerability Instance selected.
The Vulnerability Instances Profile page is very similar to the Assets Profile page with all of its relevant capabilities. Refer to Asset Profile Page to learn more.
Viewing Vulnerability Instances on the Devices Page
Navigating to the Devices Page from the Vulnerability Instances Page
To identify and manage devices affected by specific vulnerabilities, you can use the contextual navigation option from the Vulnerability Instances page.
- Click the number next to Unique Device Count, right above the Vulnerability Instances table. This number represents how many devices have the vulnerabilities returned by the current Vulnerability Instances query.
The Unique Device Count value might change after a new discovery cycle, as new vulnerabilities might be detected on new devices.
- You are redirected to the Devices page, which opens in a view that is automatically expanded by the Vulnerability Instances complex field, containing some of the default fields from the Vulnerability Instances Assets Page. Only devices associated with the Vulnerability Instances query results are displayed. No other filtering options or data refinement are applied.
Explore Vulnerability Instances in the context of the Devices page to quickly find devices with specific vulnerabilities. A useful tool for that is building device queries using the Vulnerability Instances complex field. For example, show only devices where the Vuln ID contains the string “2025” and the Preferred Age is less than 30 days: