Severity Levels

The service assigns every vulnerability in the KnowledgeBase a severity level determined by the security risk associated with its exploitation. The possible consequences for each vulnerability, potential vulnerability and information gathered severity level are described below. This guidance applies to all vulnerabilities. Beyond it, the service also considers the technical severity of the vulnerability, the complexity of the exploit, the vendor-provided severity, and the likelihood of the exploit working under normal conditions, as well as the network location and the privileges an attacker needs to carry out a successful attack. The prevalence of the affected software and the existence of known attacks, worms or malware also play a role.

Managers have the option to edit vulnerabilities in the KnowledgeBase and change the severity level (except for web application vulnerabilities).

Vulnerabilities

Vulnerabilities are design flaws or misconfigurations that make your network (or a host on your network) susceptible to malicious attacks from local or remote users. Vulnerabilities can exist in several areas of your network, such as in your firewalls, FTP servers, Web servers, operating systems or CGI bins. Depending on the level of the security risk, the successful exploitation of a vulnerability can range from the disclosure of information about the host to a complete compromise of the host.

Severity level 1 (Minimal): Intruders can collect information about the host (open ports, services, etc.) and may be able to use this information to find other vulnerabilities.

Severity level 2 (Medium): Intruders may be able to collect sensitive information from the host, such as the precise version of software installed. With this information, intruders can easily exploit known vulnerabilities specific to software versions.

Severity level 3 (Serious): Intruders may be able to gain access to specific information stored on the host, including security settings. This could result in potential misuse of the host by intruders. For example, vulnerabilities at this level may include partial disclosure of file contents, access to certain files on the host, directory browsing, disclosure of filtering rules and security mechanisms, denial of service attacks, and unauthorized use of services, such as mail-relaying.

Severity level 4 (Critical): Intruders can possibly gain control of the host, or there may be potential leakage of highly sensitive information. For example, vulnerabilities at this level may include full read access to files, potential backdoors, or a listing of all the users on the host.

Severity level 5 (Urgent): Intruders can easily gain control of the host, which can lead to the compromise of your entire network security. For example, vulnerabilities at this level may include full read and write access to files, remote execution of commands, and the presence of backdoors.


Potential Vulnerabilities

Potential vulnerabilities are vulnerabilities that cannot be fully verified: at least one necessary condition for the vulnerability has been detected, but the vulnerability itself could not be confirmed. It is recommended that you investigate these vulnerabilities further. The service can verify the existence of some potential vulnerabilities when authenticated trusted scanning is enabled.

Note that a QID detected by an authenticated scan or a cloud agent is not necessarily categorized as Confirmed: authenticated scans and agents can also report potential vulnerabilities. These are often vulnerabilities for which there is no mechanism to detect whether the patch or workaround has been applied.

Note: When viewing scan results and some other reports in XML and CSV formats, the vulnerability type "potential" is identified as "practice". In this case the term "practice" (as a CSV column title or an XML element name) is identical in meaning to the vulnerability type "potential".


Potential vulnerability severity level 1 (Minimal): If this vulnerability exists on your system, intruders can collect information about the host (open ports, services, etc.) and may be able to use this information to find other vulnerabilities.

Potential vulnerability severity level 2 (Medium): If this vulnerability exists on your system, intruders may be able to collect sensitive information from the host, such as the precise version of software installed. With this information, intruders can easily exploit known vulnerabilities specific to software versions.

Potential vulnerability severity level 3 (Serious): If this vulnerability exists on your system, intruders may be able to gain access to specific information stored on the host, including security settings. This could result in potential misuse of the host by intruders. For example, vulnerabilities at this level may include partial disclosure of file contents, access to certain files on the host, directory browsing, disclosure of filtering rules and security mechanisms, denial of service attacks, and unauthorized use of services, such as mail-relaying.

Potential vulnerability severity level 4 (Critical): If this vulnerability exists on your system, intruders can possibly gain control of the host, or there may be potential leakage of highly sensitive information. For example, vulnerabilities at this level may include full read access to files, potential backdoors, or a listing of all the users on the host.

Potential vulnerability severity level 5 (Urgent): If this vulnerability exists on your system, intruders can easily gain control of the host, which can lead to the compromise of your entire network security. For example, vulnerabilities at this level may include full read and write access to files, remote execution of commands, and the presence of backdoors.


Information Gathered

Information Gathered includes visible information about the network related to the host, such as traceroute information, Internet Service Provider (ISP), or a list of reachable hosts. Information Gathered severity levels also include Network Mapping data, such as detected firewalls, SMTP banners, or a list of open TCP services.

Information Gathered severity level 1 (Minimal): Intruders may be able to retrieve sensitive information related to the host, such as lists of open UDP and TCP services, and the presence of firewalls.

Information Gathered severity level 2 (Medium): Intruders may be able to determine the operating system running on the host and view banner versions.

Information Gathered severity level 3 (Serious): Intruders may be able to detect highly sensitive data, such as global system user lists.


Half Red / Half Yellow

Vulnerabilities assigned a half red / half yellow severity level in the KnowledgeBase are vulnerabilities that can be confirmed in some cases and not in others, depending on factors that affect scan results. If the vulnerability is confirmed during a scan, it appears as a red (confirmed) vulnerability in the results; if it cannot be confirmed, it appears as a yellow potential vulnerability. For example, without Windows Authentication enabled, a scan may not gather enough information to accurately identify the operating system on the target host or to detect installed fixes and patches, so the related vulnerabilities go unconfirmed and appear as potential vulnerabilities in the results. When Windows Authentication is enabled, subsequent scans may detect more accurately and confirm the same issues.

Additionally, a scan may not gather enough information to confirm certain vulnerabilities because of the scan options applied to it and the services running at the time of the scan.
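The following Python script is an added example, not part of this page or of the service's own tooling. It shows how a practitioner might post-process an exported scan result in line with two points above: the export labels the "potential" type as "practice" and must be mapped back, and a half red / half yellow QID can show as potential in an unauthenticated scan and as confirmed once authentication is enabled, so findings from both scans of one host are merged with the confirmed result winning. The severity names are the ones given on this page. The column layout (Scan, IP, QID, Type, Severity), the type labels "Vuln" and "Ig", the sample rows and the QID numbers are all constructed for this example; only the "practice" label comes from the page.

```python
import csv
import io
from collections import Counter

# Severity names as given on this page. Vulnerabilities and potential
# vulnerabilities share one 1-5 scale; Information Gathered uses 1-3.
VULN_SEVERITY = {1: "Minimal", 2: "Medium", 3: "Serious", 4: "Critical", 5: "Urgent"}
IG_SEVERITY = {1: "Minimal", 2: "Medium", 3: "Serious"}

# Type labels found in exports. "practice" meaning "potential" is stated
# on the page; "vuln" and "ig" are assumed spellings for this example.
TYPE_ALIASES = {
    "vuln": "confirmed",
    "practice": "potential",
    "potential": "potential",
    "ig": "info",
    "info": "info",
}

# Constructed sample export: two scans of the same host with an assumed
# column layout. Scan 1 is unauthenticated, scan 2 has authentication
# enabled, so QID 90002 moves from potential to confirmed between them.
SAMPLE_CSV = """\
Scan,IP,QID,Type,Severity
1,10.0.0.5,90001,Vuln,3
1,10.0.0.5,90002,Practice,5
1,10.0.0.5,90003,Practice,2
1,10.0.0.5,90004,Practice,4
1,10.0.0.5,45000,Ig,2
2,10.0.0.5,90001,Vuln,3
2,10.0.0.5,90002,Vuln,5
2,10.0.0.5,90003,Practice,2
2,10.0.0.5,90004,Practice,4
2,10.0.0.5,45000,Ig,2
"""


def normalize_type(raw):
    """Map an export's type label to the KnowledgeBase vocabulary."""
    key = raw.strip().lower()
    if key not in TYPE_ALIASES:
        raise ValueError(f"unknown vulnerability type {raw!r}")
    return TYPE_ALIASES[key]


def severity_name(vtype, level):
    """Name a severity level on the scale that applies to its type."""
    table = IG_SEVERITY if vtype == "info" else VULN_SEVERITY
    if level not in table:
        raise ValueError(f"severity {level} is out of range for type {vtype}")
    return table[level]


def parse_export(text):
    """Parse the CSV text into a list of normalized finding dicts."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        vtype = normalize_type(rec["Type"])
        level = int(rec["Severity"])
        rows.append({
            "scan": int(rec["Scan"]),
            "ip": rec["IP"],
            "qid": int(rec["QID"]),
            "type": vtype,
            "level": level,
            "name": severity_name(vtype, level),
        })
    return rows


def merge_scans(rows):
    """Collapse findings per (host, QID) across scans.

    A QID confirmed in any scan stays confirmed, which is how a half red /
    half yellow finding should be read once an authenticated scan has
    succeeded where an unauthenticated one could only report potential.
    """
    rank = {"info": 0, "potential": 1, "confirmed": 2}
    merged = {}
    for r in rows:
        key = (r["ip"], r["qid"])
        cur = merged.get(key)
        if cur is None or rank[r["type"]] > rank[cur["type"]]:
            merged[key] = r
    return merged


def summarize(merged):
    """Count merged findings by (type, severity level)."""
    return dict(Counter((r["type"], r["level"]) for r in merged.values()))


def investigate(merged, min_level=4):
    """QIDs still potential at Critical/Urgent after merging.

    The page recommends investigating potential vulnerabilities further;
    the level-4 cut-off is this example's own triage choice.
    """
    return sorted(r["qid"] for r in merged.values()
                  if r["type"] == "potential" and r["level"] >= min_level)


if __name__ == "__main__":
    merged = merge_scans(parse_export(SAMPLE_CSV))
    for (ip, qid), r in sorted(merged.items()):
        print(f"{ip} QID {qid}: {r['type']} level {r['level']} ({r['name']})")
    print("still to investigate:", investigate(merged))
```

Running the script prints the merged view of the host and lists QID 90004 as the only potential finding at level 4 or above that neither scan could confirm; QID 90002 is reported as confirmed because the authenticated scan verified it.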