Vulnerabilities
The Vulnerabilities tab on the agent detail page shows all CVEs detected on the endpoint. TridentStack Control continuously matches installed software versions and Windows build numbers against CVE databases to identify known vulnerabilities.
Current View
The default view shows all active vulnerabilities in a sortable, filterable table.
Vulnerability Table
| Column | Description |
|---|---|
| CVE ID | The CVE identifier, linked to the NVD entry |
| Software | The affected application or "Windows" for OS-level CVEs |
| Severity | Critical, High, Medium, or Low (color-coded) |
| CVSS Score | Numeric CVSS v3 base score |
| Status | Open, Awaiting re-scan, Resolved, or Pending Restart |
Summary Bar
Above the table, a summary strip shows:
- Total vulnerability count
- Breakdown by severity: Critical / High / Medium / Low
- KEV count (CISA Known Exploited Vulnerabilities)
Source Tabs
On Windows and macOS agents, vulnerabilities are categorized by source:
- All: Every detected vulnerability
- System: CVEs in the operating system itself (on Windows, based on build number and installed KBs)
- Software: CVEs in installed third-party applications (based on software inventory)
Filters
- Search: Filter by CVE ID, software name, or CWE identifier
- Severity: Show only Critical, High, Medium, or Low
- KEV only: Toggle to show only CISA Known Exploited Vulnerabilities
- Fixable: Toggle to show only vulnerabilities with an available fix (a missing update or a newer software version). On endpoints whose operating system is past its end-of-support date, this shows only the fixes you can apply without an Extended Security Update (ESU) license.
- ESU only: Appears next to Fixable on endpoints past their end-of-support date that have fixes gated behind an Extended Security Update (ESU) license. Toggle it to show only those ESU-gated fixes. It is hidden on endpoints with no ESU-gated fixes.
- Group by Remediation: Group vulnerabilities that share the same fix action (e.g., same update resolves multiple CVEs)
Expanded Details
Click any vulnerability row to see full details:
- CVSS v3 vector breakdown: Attack Vector, Attack Complexity, Privileges Required, User Interaction, Scope, and Confidentiality/Integrity/Availability impact
- EPSS score: Exploit Prediction Scoring System probability and percentile
- KEV status: Whether this CVE is in the CISA Known Exploited Vulnerabilities catalog
- Fix information: The KB number or package update that resolves the vulnerability
- Detection logic: How the vulnerability was identified (version comparison, build number match, etc.)
Actions
From the expanded row, you can:
- Apply Fix: Shown when a verified one-click fix is available (the fix is known to resolve the CVE and the affected software is confidently matched to a cataloged package). Clicking it triggers the remediation immediately.
- Add to Policy: Shown when a precise fix exists but applicability is unconfirmed (for example, the installed software could not be matched to a cataloged package with certainty). Clicking it opens the remediation flow with a compatibility warning and adds the fix to an application update policy, so the update deploys on the next evaluation. If the endpoint inherits more than one application update policy, you are asked which policy should receive the application.
- Remediate: The generic entry point to the remediation modal, available from the row's action menu. Use this when neither Apply Fix nor Add to Policy is surfaced, or when you want to review the full set of remediation options before dispatching.
- Create Exception: Exempt this vulnerability from scoring and reporting, with a reason and optional expiration date.
- Investigate: Open an investigation view for deeper analysis.
If no policy currently covers the fix on this endpoint, you can still run a one-off remediation from the Remediate dialog. It installs the fix immediately on that single endpoint, outside any policy, and does not change your policies or affect other endpoints. The dialog shows exactly which application or update will install and the target version before you confirm.
After you remediate
When you apply a fix or the missing update installs, the vulnerability does not clear instantly. It moves to an Awaiting re-scan state, shown as "Update installed - refresh on next scan", because TridentStack Control confirms the fix the next time the agent reports its software inventory and patch status.
- Confirmation happens automatically on the agent's next check-in, after which the CVE moves to Resolved.
- To confirm immediately instead of waiting, click Re-scan now on the vulnerability. This asks the agent to re-report its state right away.
This keeps a vulnerability from briefly looking unresolved after you have already fixed it.
History View
Toggle to History to see the vulnerability timeline for this agent:
- When vulnerabilities were first detected
- When they were resolved (by patch installation or software update)
- Status transitions over time
This helps you verify that remediation actions were effective and track how long vulnerabilities remained open.