Zero-Day Vulnerabilities

Zero-day vulnerabilities are a unique class of vulnerabilities because there is no patch available for them. The reason may be that the vulnerability has only recently been discovered or disclosed. Security researchers develop Proof of Concept (PoC) code to demonstrate possible vulnerabilities and disclose this information to the vendor or developer, so that a patch can be developed and tested before the vulnerability is disclosed to the general community. The window of time between when Proof of Concept code is developed and when a patch is made available is critical. System hardening limits the number of applications and services running on the system to only those that are essential, reducing the attack surface. Misconfigurations in internet-facing systems can make organizations more susceptible to attacks by providing an entry point where local exploits can be leveraged to escalate privileges. Tenable provides Compliance Audit Files, which are based on various security frameworks, including the CIS Benchmarks and DISA STIGs.  Use the Policy Compliance Auditing scan template to audit the configuration of platforms running in your environment according to the appropriate framework for your environment. Results from Compliance scans can be viewed in the Host Audits Findings page in the Explore Overview.

Prioritizing with Vulnerability Priority Rating (VPR) is one approach to reduce the number of reported high risk vulnerabilities. VPR factors in the exploit code maturity, CVSSv3 impact score, vulnerability age, threat intensity, threat recency, and other threat intelligence sources. The Most Notable Vulnerabilities CVSS to VPR Heat Map (2021 Threat Landscape Retrospective) widget uses the VPR, CVSS v3 Base Score and CVE filters. Filters were created to narrow down the CVEs from the 2021 Threat Landscape Retrospective in a heat map format. The heat map highlights the Medium and High (CVSS v3 4.0-8.9) severity vulnerabilities that previously may have been ignored, that have now been reclassified as high risk based on current threat vectors. The VPR reclassification reduces the number of Critical severity (CVSS v3 9.0-10) vulnerabilities based on current threat analysis. The following group of filters is used to query vulnerabilities with a CVSS v3 Base Score of 9.0-10 and a VPR of 9.0-10 for a specific subset of CVEs. The filter values for each cell change to display results that fall into each of the ranges represented in the row and column headers.

  • VPR is greater than or equal to 9.0

  • VPR is less than or equal to 10

  • CVSS v3.0 Base Score is greater than or equal to 9.0

  • CVSS v3.0 Base Score is less than or equal to 10

  • CVE containsReference the Tenable 2022 Threat Landscape Report for the most up-to-date list of CVE Identifiers.: