Vulnerability Monitoring
Automatically scan installed software across your fleet against a live CVE database. Critical and high-severity findings surface in health scores and fire alerts instantly.
Vulnerability monitoring is a Pro-only feature. It automatically matches installed software from every device against a continuously updated CVE (Common Vulnerabilities and Exposures) database, with no agent update required.
How It Works
- Software inventory is already collected. Every Kudu agent periodically runs a software inventory scan and reports installed applications to the cloud. No extra configuration needed.
- Server-side CVE matching. Kudu Cloud maintains a CVE library sourced from NVD and OSV.dev, refreshed nightly. After each software inventory scan — and nightly after the CVE library refresh — installed packages are matched against the library automatically.
- Only critical and high CVEs are tracked. Medium and low severity findings are intentionally filtered out to keep the signal actionable.
- Results appear in the device's Vulnerabilities tab and in the fleet-wide vulnerabilities page.
Device Vulnerability Tab
Accessed from the Vulnerabilities tab on any device detail page.
Packages are grouped by application name — one row per package, not one row per CVE. A package with 18 CVEs appears as a single collapsible row.
Each row shows:
- Package name and installed version
- Fix-available version (highlighted in green when a patch exists)
- Worst severity badge (Critical / High)
- Number of CVEs affecting that package
- Date first detected
Clicking a row expands it to show individual CVEs with:
- CVE ID linked to the NVD detail page
- Severity badge and CVSS score
A severity filter (All / Critical / High) is available at the top of the tab. The tab header shows the total CVE library size and a summary of critical/high counts for the device.
Fleet Vulnerabilities Page
Accessed via Vulnerabilities in the Security section of the sidebar.
Stats Bar
- Unique CVEs affecting the fleet
- Total critical packages across the fleet
- Total high-severity packages across the fleet
Top Applications
The 10 most-affected applications, ranked by worst severity then CVE count. Shows application name, worst severity badge, number of distinct CVEs, and number of affected devices.
Most Affected Devices
The 10 most-exposed devices, ranked by critical count, then high count, then total. Each device links directly to its vulnerability tab.
Group Filter
Use the group filter to narrow the entire view to a specific device group (API key) — useful for isolating your Linux servers, a specific customer environment, or any segment of your fleet.
CVE Library
| Property | Details |
|---|---|
| Sources | NVD API v2 (primary) + OSV.dev (supplemental for Debian, Ubuntu, Alpine) |
| Refresh | Nightly at 02:00 (incremental, ~30 days back). Full 365-day refresh weekly on Sunday. |
| Coverage | 150+ commonly deployed applications across Windows, macOS, and Linux |
| Age filter | Only CVEs published in the last 5 years |
| Severity filter | Critical and high only — medium and low are excluded |
Applications covered include browsers (Chrome, Firefox, Edge), runtimes (Python, Node.js, Java, .NET), servers (Nginx, Apache, OpenSSL), databases (PostgreSQL, MySQL, Redis), and developer tools.
False Positive Prevention
- CVEs with no version range data are skipped — they are not treated as "affects all versions"
- Date strings mistakenly recorded as version bounds are detected and rejected
- Linux library packages (e.g. python3-idna) are matched only against their own CVE records — they do not inherit CVEs from the runtime they're written in
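The three rules above can be expressed as guards in a version-range matcher. The following is an added illustration, not Kudu's own code: the record fields (`package`, `introduced`, `fixed`), the date heuristic, the upstream-only version parsing and the placeholder CVE IDs are all assumptions made for the example.

```python
import re

# Constructed sample records; IDs are placeholders and field names are hypothetical.
SAMPLE_RECORDS = [
    {"id": "CVE-0000-0001", "package": "python3-idna", "introduced": "2.0", "fixed": "3.7"},
    {"id": "CVE-0000-0002", "package": "python", "introduced": "3.0", "fixed": "3.12.4"},
    {"id": "CVE-0000-0003", "package": "nginx", "introduced": None, "fixed": None},
    {"id": "CVE-0000-0004", "package": "nginx", "introduced": "1.0", "fixed": "2024-03-15"},
    {"id": "CVE-0000-0005", "package": "nginx", "introduced": "1.20.0", "fixed": "1.25.4"},
]

# Assumed heuristic: an ISO date (optionally followed by a time) is not a version.
DATE_LIKE = re.compile(r"^(19|20)\d{2}-(0[1-9]|1[0-2])-(0[1-9]|[12]\d|3[01])")


def parse_version(text):
    """Return a comparable tuple of ints, or None for missing or date-like input."""
    if not text or DATE_LIKE.match(text):
        return None
    # Drop a Debian epoch ("1:") and revision ("-2ubuntu7"); compare upstream only.
    upstream = text.split(":", 1)[-1].split("-", 1)[0]
    nums = [int(n) for n in re.findall(r"\d+", upstream)]
    while len(nums) > 1 and nums[-1] == 0:  # treat 1.20.0 and 1.20 as equal
        nums.pop()
    return tuple(nums) or None


def matching_cves(package, installed, records):
    """Return IDs of records whose version range contains the installed version."""
    have = parse_version(installed)
    hits = []
    if have is None:
        return hits
    for rec in records:
        if rec["package"] != package:  # exact package only, no runtime inheritance
            continue
        raw_lo, raw_hi = rec.get("introduced"), rec.get("fixed")
        if not raw_lo and not raw_hi:  # no range data: skip, never "all versions"
            continue
        lo, hi = parse_version(raw_lo), parse_version(raw_hi)
        if (raw_lo and lo is None) or (raw_hi and hi is None):  # bad bound, e.g. a date
            continue
        if (lo is None or have >= lo) and (hi is None or have < hi):
            hits.append(rec["id"])
    return hits
```

Because the Debian revision is dropped before comparison, a package carrying a backported fix still matches here, which is the over-reporting case described under Platform Support.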
Platform Support
| Platform | Software inventory source | CVE matching |
|---|---|---|
| Windows | Installed apps via winreg / winget | NVD CPE matching |
| macOS | Installed apps via system_profiler | NVD CPE matching |
| Linux (Debian/Ubuntu) | dpkg package list | NVD + OSV.dev |
| Linux (Alpine) | apk package list | NVD + OSV.dev |
Ubuntu/Debian backporting: Ubuntu and Debian LTS releases sometimes backport security fixes without bumping the upstream version number. Kudu compares installed version strings against upstream fix versions, which may occasionally over-report vulnerabilities for system packages that have a backported fix applied.
Alerts
When a device has critical or high CVEs, Kudu fires health alerts through the normal notification pipeline:
| Alert | Severity | Trigger |
|---|---|---|
| Critical CVEs detected | Critical | Device has ≥1 critical CVE |
| High severity CVEs detected | Warning | Device has ≥1 high CVE and no critical CVEs |
- Alerts route to email, Slack, or webhook like all other Kudu alerts
- Email notifications include a View in Dashboard button that deep-links to the device's Vulnerabilities tab
- Alerts auto-resolve when the vulnerability is patched and the device's next software inventory scan confirms the fix
Health Score Impact
CVE findings reduce a device's health score:
| Condition | Penalty |
|---|---|
| Any critical CVE | −20 points |
| Any high CVE (no critical) | −10 points |
Devices with unresolved critical CVEs appear near the bottom of health-sorted fleet views. See Health Scores & Alerts for the full scoring breakdown.
Plan Availability
Vulnerability monitoring is only available on the Pro plan. Non-Pro organisations see a preview of the vulnerability pages with an upgrade prompt. CVE scans are not run for non-Pro organisations.