Vulnerability Management Threat insights explanation
The Threat insights section of the Vulnerability Details panel conveys important information regarding how a vulnerability can be exploited. Understanding what the fields represent is a critical factor in deciding which actions to take to mitigate an issue and protect your customers. The Attack Vector, Attack Complexity, Privileges Required and User Interaction fields follow the CVSS v4.0 base metric definitions of the same names; read together with the CVSS score and the Update available flag, they tell you how reachable the vulnerability is, how much effort an attacker needs, and whether a fix can be applied now.
Threat insights
CVSS score
The numerical CVSS base score (0.0 to 10.0) assigned to the vulnerability. Higher values indicate greater severity.
Update available
Indicates whether a fix (a patched version of the affected software) is available (Yes or No).
Attack Vector
This metric reflects the context from which the vulnerability can be exploited. The further away an attacker can be, both logically and physically, the more severe the vulnerability is rated, because a remotely exploitable flaw is exposed to a far larger number of potential attackers than one that requires physical access. The four values are:
- Network: The vulnerable system is bound to the network stack, and the set of possible attackers extends to the entire Internet. This type of vulnerability, often called "remotely exploitable," can be exploited at the protocol level one or more network hops away (for example, across one or more routers).
- Adjacent: The vulnerable system is tied to a protocol stack, but the attack is restricted to a logically adjacent topology. This means the attack must originate from the same shared proximity (e.g., Bluetooth, NFC, IEEE 802.11) or logical network (e.g., local IP subnet), or from within a secure administrative domain (e.g., MPLS, secure VPN).
- Local: The vulnerable system is not tied to the network stack, and the attacker exploits it via read/write/execute capabilities. The attacker can either access the system locally (e.g., keyboard, console) or through terminal emulation (e.g., SSH). Alternatively, the attacker may use social engineering to trick a user into performing actions needed to exploit the vulnerability (e.g., opening a malicious document).
- Physical: The attack requires the attacker to physically touch or manipulate the vulnerable system. Physical interaction may be brief (e.g., evil maid attack) or persistent.
Attack Complexity
This metric captures the measurable actions an attacker must take to evade or circumvent security-enhancing conditions built into the vulnerable system in order to obtain a working exploit. A vulnerability that can be exploited without target-specific customization is considered less complex than one that requires significant customization. Attack complexity is reported as either Low or High:
- Low: The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system.
- High: A successful attack depends on evading or circumventing security techniques that would otherwise hinder it. This includes evading exploit mitigation techniques such as address space layout randomization (ASLR) or data execution prevention (DEP), or obtaining target-specific secrets, meaning information that cannot be gathered through any amount of reconnaissance. To acquire such a secret the attacker must perform additional attacks or break otherwise secure measures (e.g., obtaining the secret key needed to break a cryptographic channel), and this must be repeated for each target.
Privileges Required
This metric indicates the level of privileges an attacker must hold before exploiting the vulnerability; the fewer privileges required, the more severe the vulnerability. How the attacker obtains these credentials (e.g., free trial accounts) is not considered. Self-service provisioned accounts do not count as a privilege requirement if the attacker can grant themselves the privileges as part of the attack. Privileges required is listed as one of three levels:
- None: The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files of the vulnerable system to carry out an attack.
- Low: The attacker requires privileges that provide basic capabilities that are typically limited to settings and resources owned by a single low-privileged user. Alternatively, an attacker with Low privileges has the ability to access only non-sensitive resources.
- High: The attacker requires privileges that provide significant (e.g., administrative) control over the vulnerable system allowing full access to the vulnerable system’s settings and files.
User Interaction
This metric assesses whether a human user, other than the attacker, is needed to exploit the vulnerability. It determines if the attacker can exploit the vulnerability alone or if another user (or a user-initiated process) must be involved. User interaction is listed as one of three levels (the Passive and Active values replace the single "Required" value used in CVSS v3.x):
- None: The vulnerable system can be exploited without interaction from any human user, other than the attacker.
- Passive: Exploiting this vulnerability requires minimal, involuntary interaction from the targeted user with the system and the attacker's payload. The user does not need to actively bypass any built-in protections.
- Active: Exploiting this vulnerability requires the targeted user to perform specific, deliberate actions with the system and the attacker's payload, or to actively bypass protection mechanisms, leading to exploitation.
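The four metrics above are also carried in the machine-readable CVSS v4.0 vector string that scanners and vulnerability feeds publish alongside the score. The following Python script, an added example written for this article and not code from the Vulnerability Management product, parses that vector into the same Attack Vector, Attack Complexity, Privileges Required and User Interaction values the panel shows, flags the "wormable" combination (Network, Low, None, None), and ranks a set of findings with a triage rule that also uses the CVSS score and the Update available flag. The triage labels, thresholds and sample findings are assumptions for illustration only.

```python
"""Derive the Threat insights fields (Attack Vector, Attack Complexity,
Privileges Required, User Interaction) from a CVSS v4.0 vector string and
rank findings with a simple triage rule.

Added example for this article, not code from the Vulnerability Management
product. The triage thresholds and labels are an assumption for illustration.
"""
from dataclasses import dataclass

# CVSS v4.0 metric abbreviations -> the values shown in the Threat insights panel.
ATTACK_VECTOR = {"N": "Network", "A": "Adjacent", "L": "Local", "P": "Physical"}
ATTACK_COMPLEXITY = {"L": "Low", "H": "High"}
PRIVILEGES_REQUIRED = {"N": "None", "L": "Low", "H": "High"}
USER_INTERACTION = {"N": "None", "P": "Passive", "A": "Active"}

# Rank each value from "easiest for the attacker" (0) upward, for sorting.
AV_RANK = {"Network": 0, "Adjacent": 1, "Local": 2, "Physical": 3}
AC_RANK = {"Low": 0, "High": 1}
PR_RANK = {"None": 0, "Low": 1, "High": 2}
UI_RANK = {"None": 0, "Passive": 1, "Active": 2}


@dataclass(frozen=True)
class ThreatInsights:
    attack_vector: str
    attack_complexity: str
    privileges_required: str
    user_interaction: str

    def exposure_rank(self) -> tuple:
        """Lower tuple = exploitable by more attackers with less effort."""
        return (AV_RANK[self.attack_vector], AC_RANK[self.attack_complexity],
                PR_RANK[self.privileges_required], UI_RANK[self.user_interaction])


def parse_cvss4_vector(vector: str) -> ThreatInsights:
    """Extract AV/AC/PR/UI from a CVSS:4.0 vector string.

    A malformed vector, duplicate metric, or unknown value raises ValueError
    rather than silently defaulting: a bad record in a scanner feed should be
    flagged, not scored as if it were harmless.
    """
    parts = vector.strip().split("/")
    if parts[0] != "CVSS:4.0":
        raise ValueError(f"not a CVSS v4.0 vector: {vector!r}")
    metrics = {}
    for part in parts[1:]:
        if part.count(":") != 1:
            raise ValueError(f"malformed metric {part!r}")
        key, value = part.split(":")
        if key in metrics:
            raise ValueError(f"duplicate metric {key!r}")
        metrics[key] = value
    try:
        return ThreatInsights(
            attack_vector=ATTACK_VECTOR[metrics["AV"]],
            attack_complexity=ATTACK_COMPLEXITY[metrics["AC"]],
            privileges_required=PRIVILEGES_REQUIRED[metrics["PR"]],
            user_interaction=USER_INTERACTION[metrics["UI"]],
        )
    except KeyError as exc:
        raise ValueError(f"missing or unknown metric: {exc}") from exc


def is_wormable(ti: ThreatInsights) -> bool:
    """Network-reachable, low complexity, no privileges, no user interaction:
    the combination that can be exploited at scale with no help from a victim."""
    return (ti.attack_vector == "Network" and ti.attack_complexity == "Low"
            and ti.privileges_required == "None" and ti.user_interaction == "None")


# Assumed triage labels, in priority order (illustrative, not the product's).
PRIORITY = ["patch now", "mitigate now (no fix yet)", "patch this cycle",
            "track vendor", "schedule"]


def triage(ti: ThreatInsights, cvss_score: float, update_available: bool) -> str:
    """Assumed triage rule combining the panel's fields with 'Update available'."""
    if is_wormable(ti) and cvss_score >= 7.0:
        return "patch now" if update_available else "mitigate now (no fix yet)"
    if ti.attack_vector in ("Network", "Adjacent") and ti.privileges_required == "None":
        return "patch this cycle" if update_available else "track vendor"
    return "schedule"


def rank_findings(findings: list) -> list:
    """Return finding ids ordered by triage label, then score, then exposure."""
    def key(f):
        ti = parse_cvss4_vector(f["vector"])
        return (PRIORITY.index(triage(ti, f["score"], f["update_available"])),
                -f["score"], ti.exposure_rank())
    return [f["id"] for f in sorted(findings, key=key)]


# Constructed sample findings (not real scanner output; scores are illustrative).
SAMPLE_FINDINGS = [
    {"id": "F-1", "vector": "CVSS:4.0/AV:A/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
     "score": 4.6, "update_available": True},
    {"id": "F-2", "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
     "score": 9.3, "update_available": False},
    {"id": "F-3", "vector": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
     "score": 8.5, "update_available": True},
    {"id": "F-4", "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
     "score": 8.8, "update_available": True},
]

if __name__ == "__main__":
    for f in SAMPLE_FINDINGS:
        ti = parse_cvss4_vector(f["vector"])
        print(f["id"], ti, "->", triage(ti, f["score"], f["update_available"]))
    print("order:", rank_findings(SAMPLE_FINDINGS))
```

Note that the rule treats a high-scoring finding with no fix (F-2) as the top item: the absence of an update does not lower the urgency, it changes the action from patching to compensating controls such as network isolation or disabling the exposed service. Finding F-3 scores higher than F-4 but ranks below it, because a Local vector with Active user interaction (social engineering) cannot be exploited at scale the way a Network vector with only Passive interaction can.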
Related articles
- How to view vulnerability details in Vulnerability Management
- How to export Vulnerability Management data to CSV
- How to view asset details from Vulnerability Management
- Review System requirements for Vulnerability Management
- Learn about Ecoverse views
- Discover Assets view (New)
- Read more about the Modern Agent