
CVE Monitoring

The Vulnerabilities section tracks Common Vulnerabilities and Exposures (CVEs) detected across your infrastructure. BleedWatch identifies which CVEs affect your services and provides AI-powered validation and remediation guidance.

How CVE Detection Works

BleedWatch matches discovered services and software versions against known vulnerability databases:

  1. Discovery — Asset scans identify software, services, and versions running on your infrastructure
  2. Matching — Detected versions are compared against the NVD (National Vulnerability Database) and OSV databases
  3. Enrichment — Each CVE is enriched with CVSS scores, EPSS probability, and KEV status
  4. Validation — Nuclei templates and AI analysis confirm whether the vulnerability is exploitable in your environment
  5. Remediation — AI generates specific remediation guidance for your context

Understanding Severity Scores

CVSS (Common Vulnerability Scoring System)

CVSS is the industry-standard severity rating on a 0-10 scale:

CVSS Range   Severity   Action
9.0-10.0     Critical   Immediate remediation required
7.0-8.9      High       Remediate within days
4.0-6.9      Medium     Remediate within weeks
0.1-3.9      Low        Remediate during next maintenance window

EPSS (Exploit Prediction Scoring System)

EPSS estimates the probability that a CVE will be exploited in the wild within the next 30 days. A higher EPSS score means the vulnerability is more likely to be actively targeted.

Prioritization with EPSS

Use EPSS to prioritize between CVEs of similar CVSS severity. A medium-CVSS vulnerability with a high EPSS score (e.g., 0.85) is more urgent than a high-CVSS vulnerability with a low EPSS score (e.g., 0.02).

KEV (Known Exploited Vulnerabilities)

The CISA KEV catalog lists CVEs that are confirmed to be actively exploited. If a CVE appears in KEV, it should be treated as the highest priority regardless of CVSS score.
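The ordering described in the EPSS and KEV sections above, worked through as an added example (this is not BleedWatch code): KEV membership outranks everything, the CVSS band comes next, and EPSS breaks ties within a band. The EPSS_PROMOTE threshold that bumps a high-EPSS finding up one band, the "Info" band for a 0.0 score, and the CVE identifiers in the sample are assumptions chosen here so that the page's medium-CVSS/EPSS 0.85 versus high-CVSS/EPSS 0.02 case comes out as the page states.

```python
"""Prioritize CVE findings by KEV status, CVSS band and EPSS probability.
Added example; the thresholds and sample data are assumptions, not BleedWatch's."""
from dataclasses import dataclass

# CVSS bands from the docs table; scores below 0.1 map to "Info" (assumed, matches the filter list)
CVSS_BANDS = [(9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (0.1, "Low")]
BAND_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1, "Info": 0}
EPSS_PROMOTE = 0.5  # assumed threshold: EPSS at or above this bumps a finding one band up


@dataclass(frozen=True)
class Finding:
    cve_id: str
    cvss: float   # CVSS base score, 0.0-10.0
    epss: float   # EPSS probability, 0.0-1.0
    kev: bool = False  # listed in the CISA KEV catalog


def severity_band(cvss: float) -> str:
    """Map a CVSS base score to the severity band used in the docs table."""
    if not 0.0 <= cvss <= 10.0:
        raise ValueError(f"CVSS out of range: {cvss}")
    for floor, name in CVSS_BANDS:
        if cvss >= floor:
            return name
    return "Info"


def effective_band(f: Finding) -> str:
    """Severity band after the EPSS promotion rule; Critical cannot be promoted further."""
    band = severity_band(f.cvss)
    if f.epss >= EPSS_PROMOTE and BAND_RANK[band] < BAND_RANK["Critical"]:
        band = next(n for n, r in BAND_RANK.items() if r == BAND_RANK[band] + 1)
    return band


def priority_key(f: Finding) -> tuple:
    """Larger tuple = more urgent: KEV first, then band, then EPSS, then raw CVSS."""
    return (f.kev, BAND_RANK[effective_band(f)], f.epss, f.cvss)


def prioritize(findings):
    """Return findings ordered from most to least urgent."""
    return sorted(findings, key=priority_key, reverse=True)


# Constructed sample; the CVE ids are placeholders, not real entries
SAMPLE = [
    Finding("CVE-0000-0001", cvss=8.1, epss=0.02),            # High CVSS, rarely exploited
    Finding("CVE-0000-0002", cvss=5.3, epss=0.85),            # Medium CVSS, likely exploited
    Finding("CVE-0000-0003", cvss=9.8, epss=0.10),            # Critical CVSS
    Finding("CVE-0000-0004", cvss=4.2, epss=0.01, kev=True),  # Medium CVSS but in KEV
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        print(f"{f.cve_id}  cvss={f.cvss:<4} epss={f.epss:<5} kev={f.kev!s:<5} -> {effective_band(f)}")
```

Running it lists the KEV entry first, then the Critical finding, then the medium-CVSS finding with EPSS 0.85 ahead of the high-CVSS finding with EPSS 0.02.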

Vulnerability Statuses

Status           Description
Open             Newly detected, awaiting review
Confirmed        Verified as affecting your environment
Resolved         Patched or mitigated
False Positive   Does not apply to your configuration

Validation Methods

BleedWatch uses two validation approaches:

  • Nuclei — Automated technical validation using Nuclei templates to confirm exploitability
  • AI — AI-powered analysis that considers your specific environment and configuration

The validation column in the table shows which methods have been applied. Vulnerabilities pending validation are marked as Pending.

Filtering Vulnerabilities

Use the filter bar to narrow results by:

  • Severity — Critical, High, Medium, Low, or Info
  • Status — Open, Confirmed, Resolved, or False Positive

The total count updates in real time as you apply filters.

Patch Availability

The Patch column indicates whether a fix is available:

  • Available (green link) — A patch exists. Click to view the patch details.
  • No — No patch is available yet. Monitor for updates.

Note: When a patch is available, BleedWatch links directly to the vendor advisory or release page so you can plan your update.

CVE Detail Page

Click any CVE ID to open the detail page, which includes:

  • Full CVE description and references
  • CVSS vector breakdown
  • AI-generated remediation steps specific to your environment
  • Affected target URL or service
  • Validation timeline

Troubleshooting

No Vulnerabilities Showing

If no CVEs appear:

  1. Verify that asset discovery scans have completed (check Assets)
  2. Ensure your hosts have been scanned for services and versions
  3. CVE matching runs during the enrichment phase after discovery — allow time for processing

CVE Appears as False Positive

If a detected CVE does not apply to your environment (e.g., the affected component is not reachable):

  1. Open the CVE detail page
  2. Change the status to False Positive
  3. The CVE will be excluded from your risk calculations