Vulnerabilities in my organization
- Microsoft Defender for Endpoint Plan 2
- Microsoft Defender Vulnerability Management
- Microsoft 365 Defender
- Microsoft Defender for Servers Plan 1 & 2
Want to experience Microsoft Defender Vulnerability Management? Find out how to sign up for a free trial.
Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
Defender Vulnerability Management can help identify Log4j vulnerabilities in applications and components. Learn more.
Microsoft Defender Vulnerability Management uses the same signals in Defender for Endpoint's endpoint protection to scan and detect vulnerabilities.
The Weaknesses page lists the software vulnerabilities your devices are exposed to by listing the Common Vulnerabilities and Exposures (CVE) ID. You can also view the severity, Common Vulnerability Scoring System (CVSS) rating, prevalence in your organization, corresponding breach, threat insights, and more.
If there is no official CVE-ID assigned to a vulnerability, the vulnerability name is assigned by Microsoft Defender Vulnerability Management, formerly known as threat and vulnerability management.
To get emails about new vulnerability events, see Configure vulnerability email notifications in Microsoft Defender for Endpoint
Navigate to the Weaknesses page
Access the Weaknesses page a few different ways:
- Select Weaknesses from the Vulnerability management navigation menu in the Microsoft 365 Defender portal to open the list of CVEs.
Vulnerabilities in global search
- Go to the global search drop-down menu.
- Select Vulnerability and key in the Common Vulnerabilities and Exposures (CVE) ID that you're looking for, for example "CVE-2018-5568", then select the search icon. The Weaknesses page opens with the CVE information that you're looking for.
- Select the CVE to open a flyout panel with more information, including the vulnerability description, details, threat insights, and exposed devices.
To see the rest of the vulnerabilities in the Weaknesses page, type CVE, then select search.
Remediate the vulnerabilities in exposed devices to reduce the risk to your assets and organization. If the Exposed Devices column shows 0, that means you aren't at risk.
Breach and threat insights
View any related breach and threat insights in the Threats column when the icons are colored red.
Always prioritize recommendations that are associated with ongoing threats. These recommendations are marked with the threat insight icon and breach insight icon .
The breach insights icon is highlighted if there's a vulnerability found in your organization.
The threat insights icon is highlighted if there are associated exploits in the vulnerability found in your organization. Hovering over the icon shows whether the threat is a part of an exploit kit, or connected to specific advanced persistent campaigns or activity groups. When available, there's a link to a Threat Analytics report with zero-day exploitation news, disclosures, or related security advisories.
Gain vulnerability insights
If you select a CVE, a flyout panel will open with more information such as the vulnerability description, details and threat insights. For each CVE, you can see a list of the exposed devices and the software affected.
When a security recommendation is available you can select Go to the related security recommendation for details on how to remediate the vulnerability.
Recommendations for a CVE are often to remediate the vulnerability through a security update for the related software. However, Some CVEs won't have a security update available. This might apply to all the related software for a CVE or just a subset, for example, a software vendor might decide not to fix the issue on a particular vulnerable version.
When a security update is only available for some of the related software, the CVE will have the tag 'Some updates available'. Once there is at least one update available, you'll have the option to go to the related security recommendation.
If there is no security update available, the CVE will have the tag 'No security update'. There will be no option to go to the related security recommendation as software that doesn't have a security update available is excluded from the Security recommendations page.
Security recommendations only include devices and software packages that have security updates available.
The information on security update availability is also visible in the Update availability column on the Exposed devices and Related software tabs.
Software that isn't supported
A CVE for software that isn't currently supported by vulnerability management still appears in the Weaknesses page. Because the software is not supported, only limited data will be available.
Exposed device information will not be available for CVEs with unsupported software. Filter by unsupported software by selecting the "Not available" option in the "Exposed devices" section.
View Common Vulnerabilities and Exposures (CVE) entries in other places
Top vulnerable software in the dashboard
- Go to the Defender Vulnerability Management dashboard and scroll down to the Top vulnerable software widget. You will see the number of vulnerabilities found in each software, along with threat information and a high-level view of device exposure over time.
- Select the software you want to investigate.
- Select the Discovered vulnerabilities tab.
- Select the vulnerability you want to investigate for more information on the vulnerability details.
Discover vulnerabilities in the device page
View related weaknesses information in the device page.
Select Device inventory from the Assets navigation menu in the Microsoft 365 Defender portal.
In the Device inventory page, select the device name that you want to investigate.
Select Discovered vulnerabilities from the device page.
Select the vulnerability that you want to investigate to open up a flyout panel with the CVE details, such as, vulnerability description, threat insights, and detection logic.
CVE Detection logic
Similar to the software evidence, we show the detection logic we applied on a device in order to state that it's vulnerable.
To see the detection logic:
- Select a device from the Device inventory page.
- Select Discovered vulnerabilities from the device page.
- Select the vulnerability you want to investigate.
A flyout will open and the Detection logic section shows the detection logic and source.
The "OS Feature" category is also shown in relevant scenarios. This is when a CVE would affect devices that run a vulnerable OS if a specific OS component is enabled. For example, if Windows Server 2019 or Windows Server 2022 has vulnerability in its DNS component we'll only attach this CVE to the Windows Server 2019 and Windows Server 2022 devices with the DNS capability enabled in their OS.
Report a false positive when you see any vague, inaccurate, or incomplete information. You can also report on security recommendations that have already been remediated.
- Open the CVE on the Weaknesses page.
- Select Report inaccuracy and a flyout pane will open.
- From the flyout pane, choose an issue to report.
- Fill in the requested details about the inaccuracy. This will vary depending on the issue you're reporting.
- Select Submit. Your feedback is immediately sent to the Microsoft Defender Vulnerability Management experts.
Submit and view feedback for