You can provide the publisher and product information in the Exposure Assessment module to assess the zero-day (current day) exposure of your assets to vulnerable software using the ITSM Software Asset Management (SAM) Foundation application.

Important: You can perform the exposure assessment by software and Common Vulnerabilities and Exposures (CVE) to leverage the additional capabilities in the Vulnerability Assessment Workspace. For more information, see Explore the Vulnerability Assessment Workspace.

Before you begin

Role required: vulnerability admin (sn_vulnerability_write)

Persona and granular roles are available to help you manage what users and groups can see and do in the Vulnerability Response application. For an initial assignment of the persona roles in Setup Assistant, see Assign the Vulnerability Response persona roles using Setup Assistant. For more information about managing granular roles, see Manage persona and granular roles for Vulnerability Response.

Have the following information available about the vulnerable software that you want to assess:
  • Publisher
  • Version
  • Product
  • Edition

About this task

For more information on system requirements, see Configure the Vulnerability Exposure Assessment.

View the software exposure assessment module and create and edit exposure assessment records on-demand for vulnerable software in your ServiceNow AI Platform® instance.

You manage the vulnerability response activities for a large operation responsible for many assets. The Security Operations Center (SOC) in your operation contacts you about a version of software that they’ve learned is vulnerable. You discover that a scan of your assets was recently completed and didn’t find this vulnerability. The SOC team learned about this vulnerability from a reliable source outside of the National Vulnerability Database (NVD), Common Weakness Enumeration (CWE), or the other third-party libraries in your instance, and you’re concerned that your vulnerability scanner hasn’t yet added the plugin for it.

You are confident that the data for this vulnerability will be updated in the NVD and imported soon so that your scanner can catch this vulnerability in the next scan, but because you are concerned about the scope of your potential exposure, you want to determine today if you have assets in your network that have this software installed.

Starting with v23.0 of Vulnerability Response, if you have the Pro or Enterprise subscription, selecting the Exposure Assessment link in the All menu redirects you, based on your role, to the Exposure Assessment page in the Workspaces. For more information, see Configure the Vulnerability Exposure Assessment.

Procedure

  1. To create a new exposure assessment, navigate to All > Vulnerability Response > Vulnerability Scanning > Exposure Assessment.
    The Exposure Assessments list is displayed.
  2. Select New.
    The Exposure Assessment form is displayed.
  3. Fill out the form.
  4. Select Show Exposure.
    The Exposure Assessment record with your discovery model and the software installation count on your assets as of the specific date is displayed.
  5. Choose one to continue.
    • Show Exposure: Add additional CI filter conditions and select Show Exposure to further refine your search results.
    • Create Vulnerable Items: Create vulnerable items for the configuration items from your search results. If vulnerable items are successfully created, a remediation task is created for all the vulnerable items and displayed on the exposure assessment record.
    • Delete: Delete this record and return to the Exposure Assessments list. A confirmation dialog is displayed.
  6. (Optional) Create a vulnerable item for your search result.
    Note: After you create vulnerable items, you cannot alter the search criteria for this exposure record.
  7. Alternatively, revise your filter conditions and further refine your search results.
  8. To create vulnerable items, follow these steps:
    1. Select Create Vulnerable Items.
      The Create Vulnerable Items dialog is displayed.
    2. Fill in the fields.
      • Using: From the choice list, choose one to continue.
        • Existing vulnerability. To the right of the Vulnerability field, click the search icon. In the list that is displayed, select the CVE-ID, or enter search criteria to locate the existing CVE-ID, for example, CVE 2018-9120.
          Note: This can be a CVE-ID from a vulnerability database other than the NVD.
        • New vulnerability. Enter the CVE-ID for your new vulnerability in xxxx-xxxx, xxxx-xxxxx, or xxxx-xxxxxxx format.
      • Vulnerability summary (for new vulnerability only): Enter a summary for the new vulnerability, for example, An attacker can execute script on an unsuspecting user's browser.

      The following images show examples of the completed form for an existing vulnerability and a new vulnerability.

      Figure 1. Existing vulnerability
      The completed form for an existing vulnerability.
      Figure 2. New vulnerability
      The completed form for a new vulnerability.
    3. Select Create Vulnerable Items.
      The Exposure Assessment record is displayed with a status message which indicates that vulnerable items are being created.
    4. After a few seconds, at the top of the form, right-click in the gray banner to reload the page.
      The new vulnerable items are displayed as shown in the following figure on the Assessed Vulnerable Items tab (531). The new remediation task created for these vulnerable items is displayed on the remediation task tab (1).
      Note: For this example, a remediation task is created according to the group rules and conditions from the remediation task rule called Vulnerability. This group rule is the default remediation task rule that is installed with the Vulnerability Response product in your ServiceNow AI Platform® instance. In this example, the conditions of this group rule placed all the vulnerable items into a single remediation task. If you prefer to create more than one remediation task for the vulnerable items that match your exposure assessment search results, you can set up additional remediation task rules. Creating more remediation tasks may help you avoid remediation tasks with large numbers of vulnerable items. For more information about remediation task rules, see Vulnerability Response remediation tasks and remediation task rules overview and Create or edit Vulnerability Response remediation task rules.
      Vulnerable items created.
  9. Choose one to continue.
    • Remediation tasks: With the Remediation Tasks tab selected, in the Number column, click to open the record and review and assign the task for remediation. For more information on assignment groups, see Creating groups.
    • Assessed Vulnerable Items: With the Assessed Vulnerable Items tab selected, in the Vulnerable item column, click to open the records and review and assign individual vulnerable items.
    • Delete: Delete the exposure assessment record. A confirmation dialog is displayed.
    Note: If you delete the exposure record after you create vulnerable items, any vulnerable items that you create for this record that aren’t related to another exposure record are automatically moved to the Closed state. The reason for closure is Cancelled.

What to do next

Respond to any zero-day (current day) threats based on your exposure assessment. For more information about remediation tasks and change management for Vulnerability Response, see Vulnerability Response remediation tasks and remediation task rules overview and Change management for Vulnerability Response.
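
To cross-check the install count that Show Exposure reports in step 4 before you create vulnerable items (after which the search criteria can no longer be altered), the following added example, which is not ServiceNow code, runs the same kind of publisher, product, version, and edition lookup over a software-install export. The CSV columns, the sample rows, and the matching rules (case-insensitive names, dotted version prefix, blank version or edition matching anything) are assumptions made for illustration.

```python
import csv
import io
from collections import Counter

# Constructed sample of a software-install export. Column names are
# assumptions for this example, not ServiceNow table or field names.
SAMPLE_CSV = """\
ci,publisher,product,version,edition,discovery_model
web-01,Acme Corp,WidgetServer,4.2.1,Enterprise,Acme WidgetServer 4.2
web-02,acme corp,WidgetServer,4.2.3,Enterprise,Acme WidgetServer 4.2
web-02,Acme Corp,WidgetServer,4.2.3,Enterprise,Acme WidgetServer 4.2
db-01,Acme Corp,WidgetServer,4.3.0,Enterprise,Acme WidgetServer 4.3
db-02,Acme Corp,WidgetServer,4.2.1,Standard,Acme WidgetServer 4.2
app-01,Other Inc,WidgetServer,4.2.1,Enterprise,Other WidgetServer 4.2
"""

def load_installs(text):
    """Parse the export into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))

def _norm(value):
    """Case- and whitespace-insensitive comparison key."""
    return " ".join(value.lower().split())

def _version_matches(installed, wanted):
    """Blank matches anything; otherwise match whole dotted components,
    so "4.2" matches "4.2.1" but not "4.20.0"."""
    return not wanted or installed == wanted or installed.startswith(wanted + ".")

def assess_exposure(rows, publisher, product, version="", edition=""):
    """Return (install count per discovery model, sorted distinct CIs)."""
    installs, cis = Counter(), set()
    for row in rows:
        if (_norm(row["publisher"]) == _norm(publisher)
                and _norm(row["product"]) == _norm(product)
                and (not edition or _norm(row["edition"]) == _norm(edition))
                and _version_matches(row["version"].strip(), version.strip())):
            installs[row["discovery_model"]] += 1
            cis.add(row["ci"])
    return dict(installs), sorted(cis)

if __name__ == "__main__":
    models, assets = assess_exposure(
        load_installs(SAMPLE_CSV), "Acme Corp", "WidgetServer", "4.2", "Enterprise")
    print(models, assets)
```

In the sample, web-02 has two install rows, so the install count for the discovery model (3) is higher than the number of distinct assets (2); compare both figures against the exposure record before creating vulnerable items.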