Microsoft CVE and vulnerability management: report, prioritize, and remediate

A CVE list is noise until you know which ones can actually hurt you. Siemserva reports on the vulnerabilities and missing patches across your Microsoft estate, enriches every CVE from the authoritative sources, ranks them by real-world risk, and lets you, or your AI, act on the few that matter.

CVE coverage is part of the same scan that checks your configuration and reads your logs. See the full product, or the Microsoft security landscape.

Phased rollout

CVE and patch capabilities are rolling out in phases, with more arriving in the next release. Contact us for what is available today and what is coming next.

Where the CVE data comes from

Siemserva does not rely on a single feed. For every vulnerability it finds, it pulls the details together from multiple authoritative sources, so each CVE is enriched and current.

| Source | What it adds |
|---|---|
| NVD (NIST) | The definitive national vulnerability database: official CVE metadata, CVSS v3 scores and vectors, and CWE weakness classifications. |
| CIRCL | A free, generous-rate alternative to NVD for the same core CVE data, used so enrichment keeps working without an API key. |
| CISA KEV | The Known Exploited Vulnerabilities catalog: the CVEs confirmed to be exploited in the real world, including ransomware associations. |
| EPSS (FIRST.org) | The Exploit Prediction Scoring System: a daily-updated probability that a CVE will be exploited in the next 30 days, plus its percentile rank. |
| MSRC | Microsoft Security Response Center Patch Tuesday data: KB-to-CVE mappings, Microsoft severity, and disclosure and exploitation status. |
| Microsoft Defender TVM | Per-device missing-patch signals from Defender Threat and Vulnerability Management, where you have it licensed. |

What every CVE is scored on

Each CVE carries the full risk picture, not just one number. That is what makes prioritization defensible.

| Signal | What it tells you |
|---|---|
| CVSS v3 score and vector | Standardized severity (Critical, High, Medium, Low) and the full attack-surface vector: attack vector, complexity, privileges, and impact. |
| CISA KEV flag | Whether the CVE is actively exploited in the wild right now. The strongest signal to fix first. |
| EPSS probability and percentile | How likely the CVE is to be exploited soon, and where it ranks against every other scored CVE. |
| CWE weakness type | The underlying class of flaw, for root-cause understanding and pattern spotting. |
| Microsoft (MSRC) severity | Microsoft’s own rating and exploitation or public-disclosure status from Patch Tuesday. |
| Ransomware association | Whether the vulnerability is tied to known ransomware activity. |

How Siemserva reports on CVEs

Vulnerabilities and missing patches show up as ranked findings in the same dashboard and reports as the rest of your security posture, with the evidence attached.

  • One finding per missing patch per device, with the patch and KB article, the CVEs it fixes, and a CISA KEV badge when any of them are actively exploited.
  • A deterministic triage order you can defend: actively exploited (KEV) first, then by severity, then by how long the exposure has been open.
  • A multi-signal risk tier (Critical-Immediate, High, Medium, Low) that blends KEV status, CVSS severity, EPSS probability, exploit age, and how much of your fleet is affected.
  • Everything in self-contained HTML reports and the live dashboard, sortable and audit-ready, mapped to severity alongside your configuration and log findings.
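The triage order in the list above (one finding per missing patch per device, KEV first, then severity, then exposure age) can be sketched as follows. This is an added example, not Siemserva's code: the CVE IDs, KB names, devices and dates are constructed placeholders, and ranking longest-open exposure first with a device/KB tie-break is an assumption.

```python
from datetime import date
# Constructed enrichment records (placeholder CVE IDs, not real vulnerabilities).
ENRICHMENT = {
    "CVE-0000-0001": {"cvss": 9.8, "kev": False}, "CVE-0000-0002": {"cvss": 7.8, "kev": True},
    "CVE-0000-0003": {"cvss": 5.5, "kev": False}, "CVE-0000-0004": {"cvss": 8.1, "kev": False},
}
# Constructed KB-to-CVE mapping and per-device missing-patch rows.
KB_TO_CVES = {
    "KB-EXAMPLE-A": ["CVE-0000-0001"],
    "KB-EXAMPLE-B": ["CVE-0000-0002", "CVE-0000-0003"],
    "KB-EXAMPLE-C": ["CVE-0000-0004"],
}
MISSING = [  # (device, kb, first_seen); SRV-02 is reported twice on purpose
    ("SRV-01", "KB-EXAMPLE-A", date(2025, 1, 10)),
    ("WS-07", "KB-EXAMPLE-B", date(2025, 3, 1)),
    ("WS-09", "KB-EXAMPLE-C", date(2025, 2, 1)),
    ("SRV-02", "KB-EXAMPLE-C", date(2025, 1, 5)),
    ("SRV-02", "KB-EXAMPLE-C", date(2024, 12, 1)),
    ("SRV-03", "KB-EXAMPLE-B", date(2025, 2, 15)),
]
SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}

def cvss_band(score):
    """CVSS v3 qualitative band; anything below 4.0 is treated as Low here."""
    for floor, band in ((9.0, "Critical"), (7.0, "High"), (4.0, "Medium")):
        if score >= floor:
            return band
    return "Low"

def build_findings(rows):
    """One finding per (device, KB); duplicates keep the earliest first_seen."""
    findings = {}
    for device, kb, first_seen in rows:
        cves = [ENRICHMENT[c] for c in KB_TO_CVES[kb]]
        f = findings.setdefault((device, kb), {
            "device": device, "kb": kb, "first_seen": first_seen,
            "kev": any(c["kev"] for c in cves),  # badge if ANY fixed CVE is in KEV
            "severity": cvss_band(max(c["cvss"] for c in cves)),  # worst CVE wins
        })
        f["first_seen"] = min(f["first_seen"], first_seen)
    return list(findings.values())

def triage(findings, today):
    """KEV first, then severity, then longest-open exposure; device/KB break ties."""
    return sorted(findings, key=lambda f: (
        not f["kev"], SEVERITY_RANK[f["severity"]],
        -(today - f["first_seen"]).days, f["device"], f["kb"]))
```

Because the sort key is a plain tuple with a final device/KB tie-break, the same inputs always produce the same order, which is what makes the ranking repeatable in an audit.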

How AI uses your CVE data

Because every CVE is enriched and stored in the Siemserva graph, your AI answers from real data, not a live lookup, so it is fast, cheap, and grounded.

  • Ask in plain language through the market-leading Senserva MCP: "Which missing patches fix CISA KEV CVEs?", "What is the CVSS vector for CVE-2024-38226?", or "Build me a remediation plan for the top exploited vulnerabilities on my fleet."
  • The AI returns a risk-tiered action plan that already combines EPSS, CISA KEV, CVSS, and fleet impact, so the answer is a plan, not a data dump.
  • The full CVE detail (CVSS vector, CWE, EPSS, references, affected products) lives in the local graph, so follow-up questions need no extra API calls. You bring your own model, so there is no AI markup, and rich local data keeps token cost low.
  • Deterministic where it counts, AI where it helps: the ranking is repeatable, and the AI explains and plans on top of it.


CVEs are one part of the whole picture

A vulnerability matters more when the configuration around it is weak and the logs show it being probed. Siemserva models all of it together: configurations, logs, identities, devices, and CVEs in one graph, so a missing patch on an exposed, actively-targeted device rises to the top, and a remediation step comes with it.


Frequently asked questions

What is a CVE?

A CVE (Common Vulnerabilities and Exposures) is a unique identifier for a publicly known security vulnerability, such as CVE-2024-38226. Siemserva reports the CVEs affecting your Microsoft estate and enriches each one with severity and exploitation data so you know which to fix first.

Does Siemserva scan for CVEs and missing patches?

Yes. Siemserva reports on vulnerabilities and missing patches across your devices, mapping each missing patch to the CVEs it fixes, and surfaces them as ranked findings in the dashboard and reports.

What is CISA KEV?

CISA KEV is the Known Exploited Vulnerabilities catalog, the list of CVEs confirmed to be actively exploited in the wild. Siemserva flags any CVE in the KEV catalog and ranks those first, because they are the vulnerabilities attackers are using right now.

What is an EPSS score?

EPSS, the Exploit Prediction Scoring System, is a daily-updated probability (0 to 1) that a CVE will be exploited within the next 30 days, with a percentile rank. Siemserva uses EPSS alongside CVSS and CISA KEV so you can focus on the vulnerabilities most likely to be exploited, not just the highest CVSS.

How does Siemserva decide which CVEs to fix first?

It blends multiple signals: CISA KEV status, CVSS severity, EPSS exploitation probability, how long the exposure has been open, and how much of your fleet is affected. Actively exploited vulnerabilities rise to the top, in a repeatable, defensible order.

Where does the CVE data come from?

From the authoritative public sources: NVD (NIST), CIRCL, CISA KEV, EPSS (FIRST.org), and Microsoft MSRC, plus per-device signals from Microsoft Defender Threat and Vulnerability Management where licensed.

Can AI help with CVE remediation?

Yes. Through the Senserva MCP you can ask your AI, such as Claude, for a risk-tiered remediation plan that already accounts for EPSS, CISA KEV, CVSS, and fleet impact. Because the enriched CVE data is stored locally, answers are fast and grounded, with no per-CVE API lookups.

Try the Advanced Microsoft 365 Security Simulator

See exactly what Siemserva finds on a rich, realistic simulated tenant, no access to your environment needed. Launch it right after install, or ask for a free key. Teams report cutting Microsoft 365 and Azure hardening time by up to 80 percent.
