# Vulnerabilities

The exposures most likely to matter to your organization are Vulnerabilities: any exploit of significant risk that we can identify on your attack surface. They are found by chaining Assets and Exposures across your attack surface into a series of steps that together pose a risk greater than the sum of its parts. You are alerted by email and in the product to High and Critical severity vulnerabilities. After discovering a vulnerability, NetSPI routinely re-checks that it still exists and, once it has been fixed, automatically updates its state to remediated.

# Working with Vulnerabilities

  1. From the Exposures page, select any of the Vulnerabilities dashboard elements to display the Vulnerabilities page (or select the Expand icon in the upper right).

The table below calls out some of the high-level functionality on the Vulnerabilities page.

| Section of Vulnerabilities Page | Function |
|---|---|
| Sidebar filter (left) | Select checkboxes to narrow the results in the Assets table (middle). Any CVE correlated with a discovered vulnerability is listed in the sidebar filter together with an instance count for that CVE vulnerability or exposure. |
| Assets table (middle) | Lists all your vulnerable assets; sort and filter to identify the assets of highest importance. Select any row to display the vulnerability details in the right pane. Use the filter drop-down list to filter the table by vulnerability state (verified, remediated, monitored, or all). Hover over any row to display the View Details icon, which opens the Vulnerability details page. |
| Vulnerability details (right) | Shows notes, remediation instructions, the affected domain and attack parameter, the dates the asset was discovered and by which person or process, the discovery chain graphic, and the NIST CVE description with a link to the vulnerability's entry on the NIST website. Also shows a CVSS severity score and an EPSS exploit prediction score. Any CVE that you have elected to monitor appears with a red outline and flag. The image below shows the severity level color coding for both CVSS and EPSS scores. |

  2. Select any CVE in the Vulnerability details pane to display the Vulnerability details page with the associated CVE information listed. You can also hover over any row in the Assets table to display the View Details icon, which opens the Vulnerability details page.

# Vulnerabilities Details Page Functionality

You can view the CVSS and EPSS* scores for the CVEs associated with a vulnerability along with the dates NIST created the CVE (Published) or last modified the CVE (Last Modified) on the Vulnerabilities details page.

* See EPSS at https://www.first.org/epss.

See the sections below for further actions you can take on the Vulnerabilities details page.

# Display CVEs in Explore or Table Format

Select the Explore or Table icons to display the CVEs in two different formats. Table format gives you the option to add or remove columns that display.

CVEs in Explore view

CVEs in Table view

Note that you can add or remove columns that display in the CVE table view by selecting the gear icon in the table's footer to display the Customize Columns dialog box.

# Search, Filter, and Sort CVEs

You can search, filter, and sort CVEs by multiple criteria.

  • Search and filter all CVEs or only the CVEs you've selected for monitoring by selecting the options from the CVEs drop-down list.

  • Sort CVEs by CVSS or EPSS scores from low -> high or high -> low by selecting the Table view and then selecting the CVSS or EPSS column header to toggle between ascending and descending order.

# Export CVEs in CSV Format

Export the CVEs in CSV format by first selecting the Table view icon. Selecting the CSV export icon then exports all CVE vulnerability information for your organization's assets.

# Configuring CVEs for Monitoring

Use the steps below to configure CVEs for monitoring.

  1. Select Settings from the left navigation to display the Settings page and then select the CVEs tab.

  2. Enter the CVE numbers that you want to monitor and select Save CVEs. CVEs that you enter here display with a red flag in the CVEs table, allowing you to easily filter and display only those CVEs that are most critical to you.

# Vulnerability Definitions

The table below provides brief definitions for the terms used in providing scores for the vulnerabilities ASM finds.

| Term | Definition |
|---|---|
| CVE | Common Vulnerabilities and Exposures: A glossary of publicly known information security vulnerabilities and exposures published by NIST (National Institute of Standards and Technology). Each CVE consists of a unique identifier, a vulnerability description, and references for further information. Example: CVE-2022-12345 identifies a specific vulnerability in a software application that allows remote attackers to execute arbitrary code. |
| CVSS | Common Vulnerability Scoring System: A standardized system for rating the severity of security vulnerabilities. It provides a numerical score based on factors such as exploitability, impact, and complexity, helping organizations prioritize and manage vulnerabilities effectively. Example: A CVSS score of 9.8 indicates a critical vulnerability with severe consequences and easy exploitability. |
| EPSS | Exploit Prediction Scoring System: A proprietary scoring system that evaluates the severity of security findings based on evidence and impact, rather than relying solely on automated assessments (it represents the probability that a vulnerability is exploited in the next 30 days). It enhances vulnerability prioritization by considering the context and relevance of findings to the organization's environment. Example: An EPSS score of 5 indicates a high-priority security finding with substantial evidence and potential impact on the organization's security posture. |
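As an added example (this is not part of the NetSPI documentation or the ASM product's own code), the following Python script shows how the CSV export and the monitored-CVE list described in the sections above can be used together for triage: it validates a free-text list of CVE numbers before you paste them into the Settings > CVEs tab, and it ranks the rows of an export by monitored flag, EPSS and CVSS. The column names (`asset`, `cve`, `cvss`, `epss`), the sample rows, the fictitious CVE IDs and the EPSS cut-off of 0.5 are all assumptions; the real export's column headers may differ, and the CVSS bands are the qualitative severity ratings published with CVSS v3.

```python
"""Triage helper for a CVE export (added example, not NetSPI's code).

Assumptions: the export has columns asset,cve,cvss,epss; the EPSS cut-off
below is illustrative and should be set to your own risk appetite.
"""
import csv
import io
import re

# CVE identifier syntax: CVE-<4-digit year>-<4 or more sequence digits>.
CVE_ID_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")

# CVSS v3 qualitative severity bands (lower bound, label).
CVSS_BANDS = ((9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (0.1, "Low"))

# Assumed EPSS probability above which a CVE is treated as "likely exploited".
EPSS_PRIORITY_THRESHOLD = 0.5

# Constructed sample export; hostnames and CVE IDs are fictitious.
SAMPLE_EXPORT = (
    "asset,cve,cvss,epss\n"
    "web-01.example.com,CVE-2099-0001,9.8,0.12\n"
    "vpn-gw.example.com,CVE-2099-0002,7.5,0.91\n"
    "mail.example.com,CVE-2099-0003,5.3,0.02\n"
    "db-01.example.com,CVE-2099-0004,8.1,0.40\n"
)


def validate_cve_ids(raw):
    """Split a pasted list of CVE numbers (whitespace, comma or semicolon
    separated) into well-formed IDs and entries that need correcting."""
    valid, invalid = [], []
    for token in re.split(r"[\s,;]+", raw.strip()):
        if not token:
            continue
        token = token.upper()  # accept "cve-2099-0001" as typed
        (valid if CVE_ID_RE.match(token) else invalid).append(token)
    return valid, invalid


def cvss_severity(score):
    """Map a numeric CVSS base score to its qualitative severity label."""
    for floor, label in CVSS_BANDS:
        if score >= floor:
            return label
    return "None"


def prioritize(csv_text, monitored):
    """Parse an export and return its rows ranked for remediation.

    Ordering: CVEs you chose to monitor first, then CVEs whose EPSS is above
    the threshold, then by CVSS, then by EPSS (all descending)."""
    rows = []
    for rec in csv.DictReader(io.StringIO(csv_text)):
        cvss = float(rec["cvss"])
        epss = float(rec["epss"])
        rows.append({
            "asset": rec["asset"],
            "cve": rec["cve"],
            "cvss": cvss,
            "severity": cvss_severity(cvss),
            "epss": epss,
            "monitored": rec["cve"] in monitored,
        })
    rows.sort(
        key=lambda r: (r["monitored"], r["epss"] >= EPSS_PRIORITY_THRESHOLD,
                       r["cvss"], r["epss"]),
        reverse=True,
    )
    return rows


if __name__ == "__main__":
    ok, bad = validate_cve_ids("CVE-2099-0001, cve-2099-0004 CVE-99-1")
    print("monitor:", ok, "fix before saving:", bad)
    for r in prioritize(SAMPLE_EXPORT, set(ok)):
        flag = "*" if r["monitored"] else " "
        print(f"{flag} {r['cve']} {r['severity']:<8} cvss={r['cvss']:.1f} "
              f"epss={r['epss']:.2f} {r['asset']}")
```

Rows for CVEs on your monitored list sort to the top regardless of score, mirroring the red flag in the CVEs table, and the EPSS threshold then separates "likely to be exploited soon" from "severe on paper" so the CVSS 9.8 with a low EPSS lands below the CVSS 7.5 with a high one.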

# Vulnerability Triggers

Vulnerability triggers can be used by admins to automatically generate vulnerabilities from custom search results. To create a vulnerability trigger, go to the table view for ports, domains, IPs, or certificates. Enter a search term, and then click the bell icon that appears to the right of the search box. If no bell icon appears after you have entered a search term, confirm that you are assigned as an admin for your tenant.

Within the vulnerability trigger creation modal, you can provide your trigger with a name and description, review its trigger query, and provide details for the vulnerabilities that it will generate from new query results. Once the trigger is saved, the query will be executed periodically, and any new results will have vulnerabilities generated for them.

Note that any results that are returned by your search term when you first create your trigger will be ignored. Only new results will be processed by the trigger. Also, if your trigger ever returns more than 30k new results at one time, it will be temporarily disabled and support will be notified.

If you need to disable, delete, or edit your trigger, you can do so in Settings. Select the 'Vulnerability Triggers' tab and choose the trigger you want to update.

# Vulnerability Reporting Guidelines

Our focus is on discovering, validating, and exploiting high-impact vulnerabilities to ensure the confidentiality and integrity of your systems and user data. The sections below give an overview of which vulnerabilities are in scope and are reported, and which ones are out of scope and are not reported.

# In Scope Vulnerabilities

The following vulnerabilities are In Scope and are reported:

  • Remote Code Execution
  • Domain & Subdomain Takeover
  • Injection Attacks
    • SQL Injection
    • Command Injection
    • Code Injection
    • Cross-Site Scripting (XSS)
    • XML External Entity Injection (XXE)
  • Broken Access Controls
    • Insecure Direct Object Reference (IDOR)
    • Missing Function Level Access Control (MFLAC)
    • Authentication/Authorization Bypass
    • Privilege Escalation
  • Information Disclosure
    • Sensitive Information Disclosure
      • PII
      • Private Keys
      • Auth Tokens
      • Passwords
    • Directory Listings
    • Verbose Error Messages (stack traces, application or server errors, path disclosure)
  • Cross-Site Request Forgery (CSRF)
  • Server-Side Request Forgery (SSRF)
  • Insecure Protocols
    • Telnet
    • FTP
    • SNMP
  • Remote Management Interfaces
    • SMB
  • Database Service Available
    • MySQL
    • MSSQL
    • Oracle
    • PostgreSQL
    • MongoDB

# Out of Scope Vulnerabilities

The following vulnerabilities are Out of Scope and are not reported:

  • Clickjacking
  • Cross-site Request Forgery (CSRF) with minimal security implications (Logout CSRF, etc.)
  • Denial of Service Attacks
  • Deprecated SSL/TLS versions and ciphers
  • Email Spoofing (including SPF, DKIM, and DMARC)
  • Host header issues without a proof-of-concept demonstrating vulnerability
  • Injection Attacks
    • CSV injection
    • Cross-Site Scripting (XSS) issues that affect only outdated browsers
    • Cross-Site Scripting (XSS) that can only be executed against yourself (Self-XSS)
    • Text injection
  • Information Disclosure
    • Internal IP Address
    • Server/Software Versions
    • Non-sensitive files and directories (e.g. README.TXT, CHANGES.TXT, robots.txt, .gitignore, etc.)
    • Lack of rate limiting
    • User Enumeration
      • Username or email enumeration by brute forcing login pages, forgot passwords, etc…
  • WAF bypass
  • Missing HTTP security headers
  • Missing Secure and HTTPOnly cookie flags
  • Open Redirects without demonstrating additional security impact (such as stealing auth tokens)
  • Out-of-Date software without a proof-of-concept demonstrating vulnerability
  • Reflected file download
  • Default/Test Pages (Apache, Apache Tomcat, IIS, etc…)
  • NTP Configurations (Mode 6, Clrtrap, Monlist, etc…)