Broadcom has disclosed a vulnerability in their ESXi product that involves a domain group that could contain members that are granted full administrative access to the ESXi hypervisor host by default without proper validation.
CVE-2024-37085 is rated medium with CVSS score of 6.8 and allows an attacker with sufficient Active Directory (AD) permissions to bypass authentication.
What is the impact?
A malicious actor with sufficient Active Directory (AD) permissions can gain full access to an ESXi host that was previously configured to use AD for user management by re-creating the configured AD group (‘ESXi Admins’ by default) after it was deleted from AD. The three ways this can be exploited are:
1. Creating the AD group ‘ESX Admins’ to the domain and adding a user to it (known to be exploited in the wild) 2. Renaming another AD group in the domain to ‘ESX Admins’ and adding a new or existing user to it 3. Refreshing the privileges in the ESXi hypervisor when the ‘ESX Admin’ group is unassigned as the management group.
How to find potentially vulnerable systems runZero
From the Asset Inventory, use the following query to locate systems running potentially vulnerable software:
os:ESXi
Additionally, using the runZero VMware integration, use the following query to locate virtual machines running inside VMware, which could be potential sources of exploitation:
source:vmware or source:broadcom
About Version 2 Digital
Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.
Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
About runZero runZero, a network discovery and asset inventory solution, was founded in 2018 by HD Moore, the creator of Metasploit. HD envisioned a modern active discovery solution that could find and identify everything on a network–without credentials. As a security researcher and penetration tester, he often employed benign ways to get information leaks and piece them together to build device profiles. Eventually, this work led him to leverage applied research and the discovery techniques developed for security and penetration testing to create runZero.
In cosmology, there is the concept of the holographic universe: the idea that a three-dimensional volume of space can be entirely described by the exposed information on its two-dimensional surface. In the context of an organization’s security posture, attack surface management is vital; a vulnerability is almost meaningless unless it is exploitable by a bad actor. The trick to determining where the vulnerable rubber meets the exposed road is in identifying what’s actually reachable, taking into account security controls, or other defenses in depth.
While attack surfaces are expanding in multiple ways, becoming more numerous and more specific, two areas of growth that merit attention are operational technology (OT) and the cloud. In the runZero Research Report, we explored how the prevalence of OT and cloud technology combined with their unique associated risks warrants a deeper look at how to navigate challenges across the attack surfaces for these types of environments.
OT & IT convergence will be the end state
OT and industrial control systems (OT/ICS) environments are undergoing massive changes in a new era of convergence with IT devices and networks. In fact, the 2022 report from the U.S. President’s National Security Telecommunications Advisory Committee on IT-OT Convergence concludes that we must “accept that IT/OT convergence will be the end state” of IT and OT. It is evident that the merger of these historically separated networks under the general IT umbrella has created another high-value attack surface for attackers to plunder.
Historically, security was of less concern than safety and reliability for the “grade-separated” networks supporting OT/ICS devices. These networks had different dynamics, using industry-specific network protocols and abiding by maintenance schedules that were less frequent than IT systems. From an attacker’s perspective, OT systems were relatively soft targets with potentially lucrative rewards.
OT equipment has always been designed for long-term reliability and infrequent changes so many factory floors, water treatment plants, critical infrastructure, and other industrial processes use equipment that is relatively slow compared to modern PCs. OT equipment often excludes encryption and authentication at the protocol level to support real-time control requirements .
And until recently, OT was simply not IT’s problem. Improvements to networking and security technologies have changed this, allowing organizations to link their OT and IT networks (sometimes on purpose, and sometimes not). Teams that were previously responsible for securing laptops and servers are now also responsible for OT security. With mandates to improve management and monitoring efficiencies, systems that were once in a walled garden are now, at least in theory, reachable from anywhere in the world.
OT/ICS around the world
Data from the runZero research team confirms that thousands of OT/ICS devices are indeed “reachable from anywhere in the world.” These devices are prime targets for state actors and ransom seekers, as compromising them can result in industrial or utility disruption.
The number of industrial control systems directly exposed to the public Internet is terrifying. While the year-over-year increase of exposed devices has finally slowed, the total number continues to climb. Over 7% of the ICS systems in the runZero Research Report’s sample data were connected directly to the public Internet, illustrating that organizations are increasingly placing critical control systems on the public Internet.
FIGURE 1 – A selection of industrial devices detected by runZero on the public Internet.
OT Scanning: Passive becomes sometimes active
OT devices often run industry-specific software on hardware with limited computing power. These constraints, combined with the long-term nature of OT deployments, result in an environment that does not respond well to unexpected or excessive network traffic.
Stories abound of naive security consultants accidentally shutting down a factory floor with vulnerability scans. As a result, OT engineers have developed a healthy skepticism for any asset inventory process that sends packets on the network and instead opted for vendor-specific tools and passive network monitoring. Passive monitoring works by siphoning network traffic to an out- of-band processing system that identifies devices and unexpected behavior, without creating any new communication on the network.
While passive discovery is almost entirely safe, it is also limited. By definition, passive discovery can only see the traffic that is sent, and if a device is quiet or does not send any identifying information across the network, the device may be invisible.
Passive deployments are also challenging at scale, since it’s not always possible to obtain a full copy of network traffic at every site, and much of the communication may occur between OT systems and never leave the deepest level of the network.
FIGURE 2 – An Allen-Bradley industrial PLC indicating 100% CPU utilization due to the device receiving a high rate of packets from an active scan NOT conducted by runZero.
Active scanning is faster, more accurate, and less expensive to deploy, but most scanning tools are not appropriate or safe to use in OT environments. Active scanning must be performed with extreme care. Large amounts of traffic, or traffic that is not typically seen by OT devices, can cause communication disruptions and even impact safety systems.
FIGURE 3 – A partial screenshot of an OT device detected by a runZero active scan.
Safe active scans
runZero enables safe scans of fragile systems through a unique approach to active discovery. This approach adheres to three fundamental principles:
Send as little traffic as possible
Only send traffic that the device expects to see
Incrementally discover each asset to avoid methods that may be unsafe for a specific device
runZero supports tuning of traffic rates at the per-host level as well as globally across the entire task. runZero’s active scans can be configured to send as little as one packet per second to any specific endpoint, while still quickly completing scans of a large environment at a reasonable global packet rate.
runZero is careful to send only valid traffic to discovered services and specifically avoids any communication over OT protocols that could disrupt the device. This logic is adaptive, and runZero’s active scans are customized per target through a policy of progressive enhancement.
runZero’s progress enhancement is built on a series of staged “probes.” These probes query specific protocols and applications and use the returned information to adapt the next phase of the scan for that target. The earliest probes are safest for any class of device and include ARP requests, ICMP echo requests, and some UDP discovery methods. These early probes determine the constraints for later stages of discovery, including enumeration of HTTP services and application-specific requests. The following diagram describes how this logic is applied.
FIGURE 4 – A high-level overview of the “progressive enhancement” probing process.
Lastly, runZero’s active scans also take into account shared resources within the network path. Active scans will treat all broadcast traffic as a single global host and apply the per-host rate limit to these requests. Scans that traverse layer 3 devices also actively reset the state within session-aware middle devices using a patent-pending algorithm. This combination allows runZero’s active scans to safely detect fragile devices and reduce the impact on in-path network devices as well as CPU-constrained systems within the same broadcast domain.
For those environments where active scanning is inappropriate or unavailable, runZero also supports comprehensive passive discovery through a novel traffic sampling mechanism. This sampling procedure applies runZero’s deep asset discovery logic to observed network traffic, which produces similar results to runZero’s active scanner in terms of depth and detail.
The cloud is someone else’s attack surface
The commoditization of computing power, massive advancements in virtualization, and fast network connectivity have led to just about any form of software, hardware, or infrastructure being offered “as a service” to customers. Where companies used to run their own data centers or rent rack units in someone else’s, they can now rent fractions of a real CPU or pay for bare metal hardware on a per-minute basis.
Cloud migrations are often framed as flipping a switch, but the reality is that these efforts can take years and often result in a long-term hybrid approach that increases attack surface complexity. The result is more systems to worry about, more connectivity between systems, and greater exposure overall.
Cloud migrations
A common approach to cloud migrations is to enumerate the on-premises environment and then rebuild that environment virtually within the cloud provider. runZero helps customers with this effort by providing the baseline inventory of the on-premises data center and making it easy to compare this with the new cloud environment. During this process, organizations may end up with more than twice as many assets, since the migration process itself often requires additional infrastructure. runZero has observed this first hand in the last five years by assisting with dozens of cloud migration projects. It is common for these projects to take longer than planned and result in more assets to manage at completion.
The migration process can be tricky, with a gradual approach requiring connectivity between the old and new environments. Shared resources such as databases, identity services, and file servers tend to be the most difficult pieces to migrate; however, they are also the most sensitive components of the environment.
The result is that many cloud environments still have direct connectivity back to the on-premises networks (and vice-versa). A compromised cloud system is often just as, if not more, catastrophic to an organization’s security situation as a compromised on-premises system.
Ultimately, the lengthy migration process can lead to increased asset exposure in the short-term due to implied bidirectional trust between the old and new environments.
Cloud providers assume many of the challenges with data center management; failures at the power, network, storage, and hardware level now become the provider’s problem, but new challenges arise to take their place including unique risks that require a different set of skills to adequately address.
Cloud-hosted systems are Internet-connected by definition. While it’s possible to run isolated groups of systems in a cloud environment, cloud defaults favor extensive connectivity and unfiltered egress. Although cloud providers offer many security controls, only some of these are enabled by default, and they function differently than on-premises solutions.
Cloud-hosted systems are also vulnerable to classes of attacks that are only significant in a shared computing environment. CPU-specific vulnerabilities like Meltdown, Spectre, and Spectre v2 force cloud operators to choose between performance and security. The mitigations in place for these vulnerabilities are often bypassed. For example, the recently-disclosed
CVE-2024-2201 allows for Spectre-style data stealing attacks on modern processors, a concern in shared-hosting cloud environments.
Additionally, the ease of spinning up new virtual servers means that cloud-based inventory is now constantly in flux, often with many stale systems left in unknown states. Keeping up with dozens (or even thousands) of cloud accounts and knowing who is responsible for them becomes a problem on its own.
We analyzed systems where runZero detected end-of-life operating systems (OSs), and found that the proportions of systems running unsupported OSs are roughly the same across the cloud and external attack surfaces. This implies that the ease of upgrading cloud systems may not be as great as advertised.
Hybrid is forever
Cloud infrastructure is here to stay, but so is on-premises computing. Any organization with a physical presence – whether retail, fast food, healthcare, or manufacturing – will require on-premises equipment and supporting infrastructure. Cloud services excel at providing highly
available central management, but a medical clinic can’t stop treating patients just because their Internet connection is temporarily offline. A hybrid model requires faster connectivity and increasingly powerful equipment to securely link on-premises and cloud environments.
Even in more simplistic environments, cloud migrations leave behind networking devices, physical security systems, printers, and file servers. All of that equipment will most likely be linked to cloud environments, whether through a VPN or over the public Internet.
Closing Thought
As organizations increasingly rely on OT and cloud services, understanding and managing the attack surface has never been more critical. The unique vulnerabilities associated with these environments, requires proactive strategies like robust attack surface management, accurate and fast exposure management, and comprehensive asset inventory to safeguard against advanced emerging threats. Ultimately, fostering a culture that keeps pace with the threat landscape and adopts continuous improvement in security practices will be essential in navigating the complexities of OT and cloud environments.
Not a runZero customer? Download a free trial and gain complete asset inventory and attack surface visibility in minutes.
About Version 2 Digital
Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.
Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
About runZero runZero, a network discovery and asset inventory solution, was founded in 2018 by HD Moore, the creator of Metasploit. HD envisioned a modern active discovery solution that could find and identify everything on a network–without credentials. As a security researcher and penetration tester, he often employed benign ways to get information leaks and piece them together to build device profiles. Eventually, this work led him to leverage applied research and the discovery techniques developed for security and penetration testing to create runZero.
PKIX-SSH is a fork of OpenSSH which has been modified to support X.509 v3 certificate authentication. runZero often sees this on network management devices and baseband management controllers.
Latest PKIX-SSH vulnerability: regreSSHion
On July 1, 2024 the OpenSSH team released version 9.8p1 to address 2 vulnerabilities. The most critical of the two allows Remote Code Execution (RCE) by unauthenticated attackers under certain situations. This vulnerability was discovered by Qualys and dubbed “regreSSHion“.
On July 6, 2024 PKIX-SSH version 15.1 was released to address the regreSSHion vulnerability which impacted versions 13.3.2 to 15.0.
Are updates or workarounds available?
Version 15.1 was released to address the vulnerability.
How to find potentially vulnerable PKIX-SSH systems with runZero
For locating assets with the impacted PKIX versions go the Software Inventory and use the following query:
name:"Roumen Petrov PKIX-SSH" (version:>13.3.1 AND version:<15.1)
Specific services can be found using the Service Inventory and the following query which will remove some of the versions known to be patched or otherwise not impacted:
protocol:ssh ( _service.product:="Roumen Petrov:PKIX-SSH:13.%" OR _service.product:="Roumen Petrov:PKIX-SSH:14.%" OR _service.product:="Roumen Petrov:PKIX-SSH:15.0" ) NOT (os:OpenBSD OR banner:"PKIX[13.2" )
We have a canned query named “Rapid Response: OpenSSH regreSSHion RCE – PKIX-SSH” that can be used to locate potentially impacted systems.
About Version 2 Digital
Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.
Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
About runZero runZero, a network discovery and asset inventory solution, was founded in 2018 by HD Moore, the creator of Metasploit. HD envisioned a modern active discovery solution that could find and identify everything on a network–without credentials. As a security researcher and penetration tester, he often employed benign ways to get information leaks and piece them together to build device profiles. Eventually, this work led him to leverage applied research and the discovery techniques developed for security and penetration testing to create runZero.
The only constant in information security is that this year will be different from last year. Not only will new individual threats emerge, but entirely new classes of threats will make their debut. Some evergreen threats will finally die off, while others will roar back from oblivion. More devices (and more types of devices!) will be connected to networks, and attack surfaces will continue to grow in sophistication and scope.
Amidst all of these dynamics, one thing remains clear: as more and more devices are attached to networks, we need faster ways to focus limited information security resources where they are needed most. The runZero research team works tirelessly to find the most efficient ways to pinpoint at-risk devices, through both precise fingerprinting and fast outlier analysis. This results in an unprecedented view of both internal and external attack surfaces across IT, OT, IoT, cloud, mobile, and remote environments.
Mining our rich Cyber Asset Attack Surface Management (CAASM) knowledge base yields insights every day that can aid in exposure mitigation. And this treasure trove of data ultimately served as the genesis of our recent runZero Research Report, which offers our perspective on the changing security landscape and provides recommendations for what your organization can do to evolve with these changes.
The power of CAASM
CAASM was born out of the old adage that security teams can’t defend what they don’t know about. The same goes for assets with unknown attributes, like their location, type, and nature. In addition to discovering devices and their associated details, CAASM attempts to methodically uncover the types and severity of exposures impacting those assets, offering defenders a new vantage point to observe the attack surface.
CAASM elevates the discovery and visibility of assets to a first-class field under the infosec umbrella, and is now considered a foundational and critical component of an organization’s information security posture. This dynamic is directly tied to the exponential expansion of attack surfaces and to exposures outpacing defenders’ resources.
The runZero knowledge base
runZero’s primary data collection method is the runZero Explorer: a lightweight network point-of-presence that is delivered as software and performs active scans, analyzes traffic passively, and integrates with dozens of applications and services.
runZero Explorers provide a true insider’s perspective on global cybersecurity, finding ephemeral devices (phones, watches, cars), devices that normally are less monitored (thermostats, projectors, door locks), and the vast “dark matter” of ad hoc and forgotten networks, alongside the assets already on IT’s radar.
To provide insight into what the runZero Explorers are seeing in the wild, we investigated the public runZero cloud platform data and extracted a representative, anonymized data sample for analysis. This sample consisted of nearly four million assets with almost fifty million associated, distinct data points, including more than 160 network protocols + that have been normalized into 800+ distinct attributes and filtered through more than 17,000 unique fingerprints.
This culmination of data was transformed into the first-ever runZero Research Report, a compendium of CAASM insights on the state of asset security.
Redefining attack surfaces in the era of remote work and IT/OT convergence
The attack surface of an organization is no longer defined by on-premises locations with a known set of managed devices. Today, the attack surface consists of personal mobile phones, smart watches, thermostats in conference rooms, aquarium pumps in the lobby, game consoles in the CEO’s living room, and countless other devices, many of which come and go from the network on a regular basis.
The COVID-19 pandemic resulted in an explosion of the attack surface perimeter. While remote work was previously a perk, suddenly it became the standard for countless organizations. Huge numbers of employees retreated from the office and added their home networks as entry points to the previously gated and walled garden under the CISO’s watchful eye.
Further complicating today’s attack surfaces, operational technology (OT) and industrial control systems (ICS) have converged with IT. The whole world has, with very rare exceptions, settled on Ethernet and the Internet Protocol stack for IT. The vast, chaotic sea of proprietary protocols and competing standards of the OT/ICS world have now joined the fray in earnest, along with all the growing pains that come with it.
Today, the world’s living rooms and parking lots have become the CISO’s responsibility, as well as its factories and utility grids. In 2024, the US Environmental Protection Agency (EPA) wrote an open letter describing how “disabling cyberattacks” are attacking water and wastewater systems throughout the United States. Not so long ago, these systems were unreachable directly from the wider Internet. Today, many of them are perilously and openly exposed to attackers from around the world. It is in this world that we, as information security practitioners, now find ourselves. Defining attack surfaces is no longer an academic exercise that can be table-topped once a quarter. As exposures emerge at light speed, rapid, real-time discovery and CAASM are more critical than ever before.
FIGURE 1 – A list of devices with multiple attack surface designations found by runZero. Devices that span attack surfaces can provide entry points for attackers into internal organizational networks.
New dynamics emerge while persistent problems remain
Tectonic shifts are happening in the cybersecurity industry, brought about by the rapid coalescence of several powerful trends and technological developments that have been years in the making. First and foremost, vulnerabilities are being exploited at a truly unprecedented pace. And it’s working. So much so that the SEC now requires 8K filings for data breaches, not to mention the constant flow of news about emerging vulnerabilities and successful compromises across organizations of every size and sector.
While zero day attacks at the network edge have surged, suppliers are struggling to provide timely patches for their products, often leaving customers at the mercy of attackers for days or weeks. In response to the acceleration of exploitation, suppliers are now often releasing indicators of compromise (IOCs) in conjunction with their initial notifications to customers. Earlier in 2024, the xz-utils backdoor became a stark reminder that supply chains are still under immense attack with catastrophic potential. The incident also catalyzed conversations about what it means to be a responsible consumer of open source products, and what “supplier” means in a shared security model.
Meanwhile, security programs are dogged by end-of-life systems, unknown assets, and network segmentation challenges. These time-consuming issues compete for resources with short-term fire drills related to emerging threats and exposures. Defenders continue to juggle scoping, patch management, emergency response, and incident analysis on top of business requirements – all while security budgets shrink.
Our analysis also indicates that large organizations are still struggling with long-standing configuration problems. Remote management services are not in great shape. The trends for outdated TLS stacks, continued use of outdated protocols like SMB v1, and general hygiene issues with the Secure Shell and Remote Desktop Protocols continue unabated, with serious implications for long-term security. The silver lining is that default choices by operating system vendors are making a difference, but not fast enough to reduce the risk to the overall attack surface.
While generative artificial intelligence (Gen AI) and large language models (LLMs) have been touted as the next big thing for security, the reality is more modest. LLMs are helpful in many contexts, but are still prediction engines at heart. As a result, LLMs are limited to helping with the human side of security and struggle to replace expert systems and logic-based decision-making.
Closing thought
The constantly evolving threat landscape demands agility and visibility like never before. As organizations brace for the emergence of new threats and bid farewell to obsolete ones, the need for efficient allocation of security resources becomes paramount. Speedy and accurate asset discovery, attack surface assessment, and exposure management are at the forefront of today’s most advanced cybersecurity programs.
Stay tuned for more insights from the runZero research team on what you need to know about the state of asset security and how to use runZero to strengthen your defenses.
Not a runZero customer? Start a free trial and gain complete asset inventory and attack surface visibility in minutes.
About Version 2 Digital
Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.
Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
About runZero runZero, a network discovery and asset inventory solution, was founded in 2018 by HD Moore, the creator of Metasploit. HD envisioned a modern active discovery solution that could find and identify everything on a network–without credentials. As a security researcher and penetration tester, he often employed benign ways to get information leaks and piece them together to build device profiles. Eventually, this work led him to leverage applied research and the discovery techniques developed for security and penetration testing to create runZero.
The United States Cybersecurity and Infrastructure Agency (CISA) is a federal agency tasked with informing other government agencies about cybersecurity threats, information security best practices, mediation recommendations, and so on. It is also responsible for coordinating defense of critical infrastructure, such as electrical grids, water treatment systems, pipelines, and air traffic control systems.
CISA publishes a regularly-updated list of cybersecurity vulnerabilities that are known to be exploited in the wild: the Known Exploited Vulnerabilities (KEV) list. The CISA KEV list currently catalogs 1,127 vulnerabilities in hardware and software that CISA has evidence of being actively exploited.
In this case “active exploitation” means that CISA has reason to believe that threat actors are currently exploiting these vulnerabilities for malicious purposes. If a vulnerability appears on this list, it should be considered a high priority; it represents not just a vulnerability, but one that is known to be under active attack.
If a vulnerability has an associated CISA KEV record, runZero will display it on the vulnerability’s information page. Here’s an example from the runZero Platform:
A sample CISA KEV record attached to a vulnerability.
The VulnCheck KEV List
VulnCheck, a leading cybersecurity intelligence vendor, also publishes their own Known Exploited Vulnerabilities list (the VulnCheck KEV) that is timely, accurate, and frequently updated. runZero can now enrich vulnerability information with input from the VulnCheck KEV. Here’s an example:
A sample VulnCheck KEV record attached to a vulnerability.
Searching KEV Lists
It’s easy to locate vulnerabilities that appear on the KEV list by visiting the Vulnerability Inventory in runZero and using the kev: search keyword. Search for membership in a specific KEV list simply by providing its name:
kev:cisa
kev:vulncheck
Or look for vulnerabilities that appear on any KEV list (including any other KEV lists that may be added in the future):
kev:any
These query terms also work in the Asset Inventory to find assets with vulnerabilities that appear on the relevant list(s) and on individual assets, as well.
The Exploit Prediction Scoring System
Additionally, runZero now integrates with the Exploit Prediction Scoring System (EPSS), a scoring system that predicts the likelihood that a given vulnerability will be exploited in the wild. EPSS provides a score between 0.0 (extremely unlikely to be exploited) and 1.0 (is definitely being exploited). You can search for vulnerabilities by their EPSS scores using the epss_score search term in the Vulnerability Inventory and for assets with EPSS-scored vulnerabilities in the Asset Inventory. The conventional runZero numeric search operators can be used, for example:
epss_score:>0.9
epss_score:<=0.8
In general, vulnerabilities with scores higher than around 0.9 should be looked at very closely.
Like the KEV lists above, vulnerabilities with EPSS scores will have that information displayed in the vulnerability view:
A sample EPSS record attached to a vulnerability.
A Bonus: Faster CVE Searches!
The work to integrate with the CISA and VulnCheck KEV lists and the EPSS resulted in a nice little bonus: searches by CVE should now be considerably faster!
About Version 2 Digital
Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.
Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
About runZero runZero, a network discovery and asset inventory solution, was founded in 2018 by HD Moore, the creator of Metasploit. HD envisioned a modern active discovery solution that could find and identify everything on a network–without credentials. As a security researcher and penetration tester, he often employed benign ways to get information leaks and piece them together to build device profiles. Eventually, this work led him to leverage applied research and the discovery techniques developed for security and penetration testing to create runZero.
