Exposure Response Filters
In the Exposure Response section, use the Query Builder to view specific findings or affected assets, or to choose which vulnerabilities appear in a combination.
The following table lists the filters you can use. Not all filters appear in all sections.
Filter | Description |
---|---|
Category | The vulnerability category, which the Vulnerability Intelligence features also use. To learn more, see Vulnerability Categories. |
Common Name | The vulnerability's common name, for example Log4Shell. Not all vulnerabilities have a common name. |
CVE ID | The Common Vulnerabilities and Exposures (CVE) ID, for example CVE-2002-2024. |
CVSSv2 Base Score | The CVSSv2 score for the vulnerability, for example 5.2. When not available from NVD, Tenable determines this score. To learn more, see CVSS vs. VPR. |
CVSSv3 Attack Complexity | The attack complexity, which defines how difficult it is to use a vulnerability in an attack. Choose from High or Low. |
CVSSv3 Attack Vector | The attack vector, which defines an attack's location. Choose from Adjacent, Network, Local, or Physical. |
CVSSv3 Availability | The affected asset's availability. Choose from High, Low, or None. For example, an affected asset with High is completely unavailable. |
CVSSv3 Base Score | The CVSSv3 score for the vulnerability, for example 4.3. When not available from NVD, Tenable determines this score. To learn more, see CVSS vs. VPR. |
CVSSv3 Confidentiality | The expected impact of the affected asset's information confidentiality loss. Choose from High, Low, or None. For example, an affected asset with High may have a catastrophic adverse effect on your organization or customers. |
CVSSv3 Integrity | The expected impact of the affected asset's data integrity loss. Choose from High, Low, or None. |
CVSSv3 Privileges Required | The permission level attackers require to exploit the vulnerability. Choose from High, Low, or None. None means attackers need no permissions in your environment and can exploit the vulnerability while unauthorized. |
CVSSv3 Scope | Whether a vulnerability allows attackers to compromise resources beyond an affected asset's normal authorization privileges. Choose from Unchanged or Changed. Changed means the vulnerability increases the affected asset's privileges. |
CVSSv3 User Interaction | Whether a vulnerability requires other users (such as end users) for attackers to be able to use it. Choose from Required or None. None is more severe since it means that no additional user interaction is required. |
CVSSv4 Attack Complexity (AC) | The conditions beyond the attacker's control that must exist to exploit the vulnerability. |
CVSSv4 Attack Requirements (AT) | The resources, access, or specialized conditions required for an attacker to exploit the vulnerability. |
CVSSv4 Attack Vector (AV) | The context where vulnerability exploitation is possible, such as Network or Local. |
CVSSv4 Base Score | A numeric value between 0.0 and 10.0 that represents the intrinsic characteristics of a vulnerability independent of any specific environment. |
CVSSv4 Privileges Required (PR) | The level of privileges an attacker must possess to exploit the vulnerability. |
CVSSv4 Subsequent System Availability Impact (VA) | The impact on the availability of systems that can be impacted after the vulnerable system is exploited. |
CVSSv4 Subsequent System Confidentiality Impact (SC) | The impact on the confidentiality of systems that can be impacted after the vulnerable system is exploited. |
CVSSv4 Subsequent System Integrity Impact (SI) | The impact on the integrity of systems that can be impacted after the vulnerable system is exploited. |
CVSSv4 User Interaction | The level of user involvement required for an attacker to exploit the vulnerability. |
CVSSv4 Vulnerable System Availability Impact | The impact on the availability of the vulnerable system when successfully exploited. |
CVSSv4 Vulnerable System Confidentiality Impact (VC) | The impact on the confidentiality of the vulnerable system when successfully exploited. |
CVSSv4 Vulnerable System Integrity Impact (VI) | The impact on the integrity of the vulnerable system when successfully exploited. |
EPSS Score | The percentage likelihood that a vulnerability will be exploited, based on the third-party Exploit Prediction Scoring System (EPSS). Type a number from 0 to 100 with up to three decimal places, for example, 75.599. |
Exploit Maturity | The exploit maturity based on sophistication and availability. This information is drawn from Tenable’s own research as well as key external sources. Options are High, Functional, PoC, or Unproven. |
First Discovered | The date the vulnerability corresponding to a finding was first identified. |
First Functional Exploit | The date a vulnerability was first known to be exploited. |
First Proof of Concept | The date a vulnerability's first proof of concept was found. |
Plugins Available | If a vulnerability currently has a Tenable plugin that detects it. Options are Yes or No. |
Plugin ID | The ID of the Tenable plugin that detected the vulnerability, for example 157288. To look up plugin IDs, go to the Tenable website. |
Plugin Name | The name of the Tenable plugin that detected the vulnerability, for example TLS Version 1.1 Protocol Deprecated. |
VPR | The Tenable-calculated Vulnerability Priority Rating (VPR) score, as a number from 1 to 10. Note: A finding's VPR is based on the VPR of the plugin that identified it. When plugins are associated with multiple vulnerabilities, the highest VPR appears. |
VPR Threat Intensity | A vulnerability's Tenable-calculated threat intensity based on the number and frequency of threat events. Choose from Very Low, Low, Medium, High, or Very High. |
VPR (Beta) | The numerical VPR (Beta) score itself. Allows filtering by specific ranges or values of the updated vulnerability priority rating. |
VPR (Beta) Key Driver CVE ID | Filter on a specific CVE ID for the CVE that is a primary contributor to the calculated VPR (Beta) score for a vulnerability. |
VPR (Beta) Key Driver Exploit Chain | Allows filtering on CVEs that are part of an exploit chain. |
VPR (Beta) Key Driver Code Maturity | Filter on current availability and maturity of exploit code. Options are High, Functional, POC, and Unproven. |
VPR (Beta) Key Driver Exploit Probability | Filter on the probability of exploitation produced by the VPR (Beta) threat model for the CVE. |
VPR (Beta) Key Driver In the News, last 30 days | Filter on categories of news sources that have referenced the CVE within the last 30 days. Select from one or more of Academic and Research Institutions, Blogs and Individual Researchers, Code Repositories, Cybersecurity News Media, Cybersecurity Vendors, Forums and Community Platforms, Government and Regulatory, Mainstream News and Media, Security Research, Technology Companies, Tools and Resources, Other. |
VPR (Beta) Key Driver Malware Observation Intensity, last 30 days | Filter on the volume of observed malware exploiting the CVE within the last 30 days. Options are Very Low, Low, Medium, High, Very High. |
VPR (Beta) Key Driver Malware Observations Recency | Filter on the recency of observed malware exploiting the CVE. Options are No Recorded Events, 60 to 180 days, 30 to 60 days, 14 to 30 days, 7 to 14 days, 0 to 7 days. |
VPR (Beta) Key Driver On CISA KEV | Filter on whether the CVE is listed on the CISA Known Exploited Vulnerabilities list. Options are Yes, No. |
VPR (Beta) Key Driver Targeted Industries | Allows filtering on specific industries where attacks leveraging the CVE have been observed. Sample options include Banking, Technology, Government. |
VPR (Beta) Key Driver Targeted Regions | Allows filtering on specific geographic regions where attacks leveraging the CVE have been observed. |
VPR (Beta) Key Driver VPR Percentile | Filter on the VPR (Beta) score percentile ranking of the CVE, indicating its position relative to other vulnerabilities. |
Weaponization | Whether a vulnerability is judged to be ready for use in a cyberattack. Choose from Advanced Persistent Threat, Botnet, Malware, Ransomware, or Rootkit. |
Zero Day | Yes - This vulnerability was originally identified as a zero-day vulnerability. This value displays Yes even if a fix was made available after the vulnerability was publicized. No - This vulnerability has a publicly available fix that existed before the vulnerability was publicly disclosed or known to be exploited. |