Know which devices are running vulnerable software.
Kudu Cloud continuously scans every managed device's installed software against a live CVE database sourced from NVD and OSV.dev. Critical and high-severity vulnerabilities surface immediately in device health scores and fire alerts through email, Slack, or webhook — no agent update required. Pro only.

Server-side CVE scanning with no extra setup.
The Kudu agent already reports a full software inventory from every device. Kudu Cloud does the rest — matching installed packages against a continuously updated CVE library and surfacing findings in your dashboard.
Per-device CVE findings, grouped by package
The vulnerability tab on each device shows affected packages grouped into collapsible rows — one row per application, not one row per CVE. Each row shows the installed version, the fix-available version, the worst severity badge, the total CVE count, and when the vulnerability was first detected. Expand any row to see individual CVE IDs linked to NVD, CVSS scores, and severity badges. A severity filter lets you focus on Critical or High findings only.

Fleet-wide exposure at a glance
The fleet vulnerabilities page gives you total unique CVEs affecting your organisation, critical and high package counts, the top 10 most-affected applications ranked by worst severity and CVE count, and the top 10 most-exposed devices. Filter the entire view by device group to focus on a specific segment — your Linux servers, a customer site, or any custom group.

Accurate CVE detection across Windows, macOS, and Linux.
Server-Side Matching
CVE data is fetched and matched entirely server-side. Nothing is downloaded to the device — the agent's existing software inventory is all that's needed.
Nightly Refresh
CVE library sourced from NVD and OSV.dev, refreshed nightly. A full 365-day backfill runs weekly. Your fleet is always matched against current data.
150+ Applications Covered
Browsers, runtimes, servers, databases, and developer tools across Windows, macOS, and Linux — including Chrome, Python, Node.js, Nginx, OpenSSL, PostgreSQL, and more.
Critical & High Only
Only critical and high-severity CVEs are tracked and displayed. Medium and low-severity findings are intentionally filtered out as noise so you focus on what matters.
Instant Alerts
Devices with critical or high CVEs trigger health alerts through email, Slack, or webhook. Alert emails deep-link directly to the device's vulnerability tab.
Health Score Impact
Critical CVEs deduct 20 points from a device's health score. High CVEs deduct 10 points. Vulnerable devices surface automatically in health-sorted fleet views.
False Positive Prevention
CVEs with no version range data are skipped. Linux library packages are matched only against their own CVEs — they don't inherit vulnerabilities from the runtime they're built on.
CVE IDs Linked to NVD
Every CVE ID links directly to its NVD detail page so you can read the full advisory, check CVSS vectors, and track remediation guidance.
Auto-Resolving Alerts
Vulnerability alerts auto-resolve once the affected software is updated and the device's next inventory scan confirms the fix.
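The rules described under "Critical & High Only", "False Positive Prevention" and "Auto-Resolving Alerts" can be sketched as a small matcher. This is an added example, not Kudu's code: the `Advisory` fields, the `match` function, the inventory, the versions and the placeholder CVE IDs are all constructed, and versions are assumed to be plain dotted numbers.

```python
from dataclasses import dataclass
from typing import Optional

TRACKED = {"CRITICAL", "HIGH"}  # medium and low findings are not tracked

def vtuple(version):
    """Parse '3.0.12' into (3, 0, 12). Assumption: dotted numeric versions only;
    real distro versions (epochs, suffixes) need ecosystem-aware comparison."""
    return tuple(int(part) for part in version.split("."))

@dataclass(frozen=True)
class Advisory:              # hypothetical record shape, not an NVD/OSV schema
    cve_id: str
    package: str
    severity: str
    introduced: Optional[str]  # first affected version, None if unknown
    fixed: Optional[str]       # first fixed version, None if unknown

def match(inventory, advisories):
    """Return {package: [cve_id, ...]} for one device's reported inventory."""
    findings = {}
    for adv in advisories:
        if adv.severity not in TRACKED:
            continue
        if adv.introduced is None and adv.fixed is None:
            continue  # no version range data: skip rather than guess
        installed = inventory.get(adv.package)  # exact package name only, so a
        if installed is None:                   # library never inherits CVEs
            continue                            # from the runtime it builds on
        v = vtuple(installed)
        if v < vtuple(adv.introduced or "0"):
            continue
        if adv.fixed is not None and v >= vtuple(adv.fixed):
            continue  # already at or past the fix-available version
        findings.setdefault(adv.package, []).append(adv.cve_id)
    return findings

# Constructed sample data; the CVE IDs are placeholders, not real advisories.
INVENTORY = {"openssl": "3.0.12", "nginx": "1.24.0", "python3-requests": "2.31.0"}
ADVISORIES = [
    Advisory("CVE-0000-0001", "openssl", "CRITICAL", "3.0.0", "3.0.13"),
    Advisory("CVE-0000-0002", "openssl", "MEDIUM", "3.0.0", "3.0.13"),
    Advisory("CVE-0000-0003", "nginx", "HIGH", None, None),
    Advisory("CVE-0000-0004", "python3", "HIGH", "3.0.0", "3.12.1"),
    Advisory("CVE-0000-0005", "openssl", "HIGH", "1.0.0", "3.0.10"),
]

if __name__ == "__main__":
    print(match(INVENTORY, ADVISORIES))
```

Running the same function on the next inventory report, after `openssl` has been updated to the fixed version, returns no findings, which is the condition under which an alert would auto-resolve.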
CVE coverage that keeps pace with the threat landscape.
No manual configuration. No per-device agent changes. Vulnerability data is matched server-side against the software inventory your fleet is already reporting.
Commonly deployed applications covered across Windows, macOS, and Linux.
CVEs tracked in the shared library, refreshed nightly.
CVE age limit — only vulnerabilities relevant to modern software versions.
Find out which devices are running vulnerable software.
Vulnerability monitoring is available on the Pro plan. Start your free trial today.