USM Anywhere™

About Vulnerability Assessment

Role Availability Read-Only Analyst Manager

USM Anywhere delivers vulnerability assessmentVulnerability assessment uses active network vulnerability scanning and continuous vulnerability monitoring to provide one of the five essential capabilities. as part of a complete package of security monitoringProcess of collecting all device status and event information and processing normalized events for evidence of vulnerabilities, possible attacks, and other malicious activity. and management capabilities for efficient threat detection. USM Anywhere does this to improve security in your network. To generate a vulnerability assessment, you first need to know what is vulnerable.

Vulnerability assessment is a functionality of USM Anywhere used for defining, identifying, classifying, and prioritizing the vulnerabilities in your system. The universal open and standardized method for rating IT vulnerabilities and determining the urgency of response is the Common Vulnerability Scoring System (CVSS). This method assigns severity scores to vulnerabilities. Scores range from 0 to 10, with 10 being the most severe.

USM Anywhere works on both CVSSOpen framework for communicating the characteristics and severity of software vulnerabilities that helps to prioritize actions according to their threat. version 3 (CVSSv3) and the previous version 2 (CVSSv2) for scoring.

About Vulnerability Assessment in USM Anywhere

USM Anywhere detects vulnerabilities in assetsAn IP-addressable host, including but not limited to network devices, virtual servers, and physical servers. and controls these scanning functions:

USM Anywhere detects vulnerabilities using an authenticated scanAuthenticated scans are performed from inside the machine using a user account with appropriate privileges., where the USM Anywhere SensorSensors are deployed into an on-premises, cloud, or multi-cloud environment to collect logs and other security-related data. This data is normalized and then securely forwarded to USM Anywhere for analysis and correlation. initiates a credentialed SSHProgram to securely log into another computer over a network, execute commands in a remote machine, and move files from one machine to another through Secure Copy (SCP). (in Linux systems) or Microsoft Windows Remote Management (WinRM) (in Windows systems) connection to the asset, and remotely runs a series of commands for host-based assessment.

Vulnerability detection is based on an implementation of the Security Content Automation Protocol (SCAP) and the Open Vulnerability and Assessment Language (OVAL) 5.11.2 schema version. The National Vulnerability Database (NVD) is the U.S. government's content repository for SCAP. The OVAL schema is maintained by The MITRE Corporation and developed by the public OVAL Community website at

AT&T Alien Labs™ Open Threat Exchange® (OTX™) queries NVD and MITRE every hour looking for the latest vulnerabilities. Every time you run a vulnerability scan, USM Anywhere queries OTX for updating the vulnerabilities information.

For Linux variants, USM Anywhere performs a series of generic UNIX and independent schema tests in addition to flavor-specific tests for IBM AIX, FreeBSD, Hewlett Packard Enterprise HP-UX, and Linux. For Windows, USM Anywhere performs a series of Windows schema and independent schema tests.

Warning: USM Anywhere removes vulnerabilities older than 90 days from the database.

About Vulnerability Severity

Discovering a vulnerability by itself is important, but can be of little use without the ability to estimate the associated severity to an asset. For this reason, USM Anywhere assigns a severity to each vulnerability found in the system and according to the severity score of the CVSS.

The following table shows the CVSS v2.0 and v3.0 ratings.

CVSS v2.0 and v3.0 Ratings
Severity v2 Score Range v3 Score Range
None n/a 0.0


Medium 4.0-6.9 4.0-6.9
High 7.0-10.0 7.0-8.9
Critical n/a 9.0-10.0

Important: There is also an Under Analysis severity. This severity displays when the National Vulnerability Database (NVD) has not assigned a CVSS base score to the vulnerability. OTX queries NVD and MITRE every hour looking for the latest vulnerabilities. Every time you run a vulnerability scan, USM Anywhere queries OTX to update the vulnerabilities information. If the NVD has updated the CVSS base score for that vulnerability, USM Anywhere will update the status after you run a new vulnerability scan.

To see the CVSS score of a vulnerability

  1. Go to Environment > Vulnerabilities.
  2. Click the vulnerability to display its details.

    Displaying the CVSS Score of a vulnerability

About Active and Inactive Vulnerabilities

In USM Anywhere you can find active vulnerabilities and inactive vulnerabilities. When you run a scan on an asset and USM Anywhere finds a vulnerability, this vulnerability is active for that specific asset. If you later run a new scan over the same asset and USM Anywhere finds more vulnerabilities, but the vulnerability found in the previous scan has not been found in this new scan, this vulnerability is inactive and the new vulnerabilities are active. Inactive vulnerabilities are those who are not present in the latest scan but were in a previous one.

A Practical Example

USM Anywhere finds 15 vulnerabilities when you run a scan over an asset, so you will see "active: 15, inactive: 0". Then you fix these vulnerabilities. A week later, you run a scan over the same asset. This new scan finds 3 vulnerabilities, so you will have 3 vulnerabilities active out of 15 vulnerabilities found and USM Anywhere will display "active: 3, inactive: 12".

Searching Active or Inactive Vulnerabilities

When you go to Environment > Vulnerabilities, USM Anywhere displays, by default, all active vulnerabilities. The Active filter is selected.

Displaying the Active Filter

If you want to see the inactive vulnerabilities, select the filter Inactive. USM Anywhere displays the list of your inactive vulnerabilities.

Displaying the Inactive Filter

You can also see if a vulnerability is active or inactive from the full details screen of a vulnerability.

Displaying the details of a vulnerability