Find Vulnerabilities (CVEs)
Find known vulnerabilities (CVEs) in your infrastructure and use Mondoo's scoring to prioritize fixes.
A vulnerability is a weakness in software that an attacker can exploit. Vulnerabilities are catalogued in the CVE (Common Vulnerabilities and Exposures) database, each with a unique identifier like CVE-2025-21755. Mondoo continuously scans your infrastructure to find which CVEs affect which assets, and prioritizes them using risk scores that combine severity with asset context.

Vendors often release advisories recommending how to fix or mitigate a vulnerability. To learn more, read Find Advisories.
Find CVEs in a space
- In the Mondoo App, navigate to the space. You can also select a workspace to view a subset of assets.
- In the side navigation, under Findings, select Vulnerabilities.

  For each CVE, Mondoo shows its rank, severity, blast radius, risk factors, and when it was first found.
- Filter using the search bar. Examples:
  - A platform name (windows, debian, google)
  - A CVE number (2025-21755, 1325)
  - A service or tool (winsock, curl, cim)
- Select a CVE to see its description, scoring details, and the list of affected assets.


How a CVE is scored
Mondoo combines a base severity with asset context to produce each CVE's risk score. To learn the full model, read How Mondoo Scores and Prioritizes Findings.
Risk factors
Risk factors are flags that raise or lower the risk of a CVE. They appear as icons next to the CVE.
CVE-level risk factors describe the vulnerability itself:
| Risk factor | Meaning |
|---|---|
| Exploitable | The CVE has known exploits in the wild. |
| Remote execution | The CVE lets an attacker run code on a target system over the network. |
Contextual risk factors describe the assets where the CVE was found:
| Risk factor | Meaning |
|---|---|
| Accessible keys | Key or credential information is exposed on at least one affected asset. |
| End-of-life (EOL) | At least one affected asset is running an operating system version that is approaching or has reached EOL (no longer supported). |
| Database | At least one affected asset hosts a running database (MySQL or PostgreSQL). |
| In use | At least one affected asset has a running service or is in active use. Examples are assets running sshd, OpenSSH, NGINX, or Apache, or assets with open or listening ports. |
| Defensive | At least one affected asset has defensive countermeasures in place (SELinux or AppArmor). |
CVSS score
The CVSS base score is a single number from 0 (low) to 10 (critical) representing the severity of a vulnerability. It's published by FIRST and is the industry standard for ranking CVEs.

How CVSS is calculated
The CVSS base score combines three groups of metrics. To learn more, read the FIRST CVSS documentation.
Exploitability metrics describe how easy the CVE is to exploit:
- Attack vector: Network, Adjacent, Local, or Physical
- Attack complexity: Low or High
- Privileges required: None, Low, or High
- User interaction: None, Passive, or Active
Scope metric indicates whether the vulnerability impacts resources beyond its security scope:
- Unchanged or Changed
Impact metrics describe what an attacker gains:
- Confidentiality: None, Low, or High
- Integrity: None, Low, or High
- Availability: None, Low, or High
EPSS score
The Exploit Prediction Scoring System (EPSS), also from FIRST, estimates how likely a CVE is to be exploited in the next 30 days. It complements CVSS: a Medium-severity CVE that's actively being exploited often deserves more attention than a Critical one with no known exploits.

Mondoo shows three EPSS values:
- Probability. Likelihood of exploitation in the next 30 days, as a percentage. 99% means an exploit is extremely likely; 1% means it's unlikely.
- Percentile. Comparison to all CVEs. A CVE in the 96.9th percentile is more likely to be exploited than 96.9% of all CVEs ever evaluated.
- CVSS3 score. The CVSS base score described above.
To learn more, read the FIRST EPSS documentation.