RMMmax CVE Intelligence is an automated vulnerability detection and tracking system that continuously monitors your endpoints for known security vulnerabilities. It collects a real software and OS inventory from each device, matches that inventory against live threat feeds from the world’s authoritative CVE databases, and presents a clear risk picture at both the device and client level — all without requiring manual lookups or spreadsheets.

It works on Windows, Mac, and Linux devices through your existing RMM platform or the RMMmax independent agent.

How It Works
CVE Intelligence operates in three automated stages:

  • Feed Ingestion — RMMmax pulls the latest CVE data from authoritative external sources and keeps the local database current.
  • Endpoint Scanning — A lightweight scan script is pushed to each enabled device to collect the OS details and installed software inventory.
  • Correlation — The collected inventory is compared against the CVE database to identify which known vulnerabilities apply to each specific device.

This process runs on a fully automated background schedule so your vulnerability data stays current without any manual effort.

CVE Data Sources
RMMmax pulls CVE data from two industry-standard sources:

  • NIST National Vulnerability Database (NVD)
    The NVD feed is ingested on a rolling 7-day window, capturing newly published and recently modified CVEs. Each record includes:
      • The CVE ID and full description
      • CVSS base score (v3.1, falling back to v3.0 or v2 as available)
      • CVSS vector string
      • Severity rating (Critical, High, Medium, Low, None)
      • Affected products and version ranges parsed from CPE data
      • Published and last-modified timestamps
      • Auto-detected tags: RCE (remote code execution), privilege-escalation, zero-day, exploited-in-the-wild
  • CISA Known Exploited Vulnerabilities (KEV)
    The CISA KEV catalog is a separate feed of vulnerabilities that have been confirmed as actively exploited in the real world. Every CVE on the CISA KEV list is flagged with a special KEV indicator in RMMmax. KEV entries also include:
      • The CISA-assigned date added to the catalog
      • The CISA remediation due date
      • The required remediation action as specified by CISA
    KEV-flagged vulnerabilities are treated with the highest urgency throughout the platform — they are highlighted separately, carry an additional risk penalty in scoring, and are counted independently in all dashboards and reports.

Endpoint Inventory Collection

When a CVE scan runs on a device, it collects:

  • Operating system details: OS name, version, build number, OS type (Windows/Linux/Mac), and kernel version
  • Installed software list: every installed application with its name, version, and publisher
  • The script version used for the scan

This inventory is stored per device and timestamped so you always know how current the data is.

Correlation Engine
Once inventory is collected, the correlation engine compares it against every CVE in the database. The matching process checks both installed software and OS-level vulnerabilities:

Software matching:

  • Product and vendor names from the CVE are normalized and compared against installed software names using token-based overlap matching
  • If the CVE specifies a version range, the installed software version is checked against that range — matches outside the vulnerable version window are correctly excluded

OS-level matching:

  • CVEs targeting operating systems (Windows, Linux kernel, macOS) are matched against the device’s OS name, type, and version
  • Version range checks apply the same way as software matching

Match accuracy:

  • At least one meaningful token of two or more characters must overlap between the CVE’s affected product and the installed software name, filtering out noise from short or common words
  • Each CVE produces at most one match per device — the first matching product wins, preventing duplicate entries for the same vulnerability

When a match is confirmed, a CVEEndpointMatch record is created for that device, capturing the CVE details, the matched product name and version, severity, CVSS score, KEV flag, and detection date.
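
The matching rules described above can be sketched as follows. This is an added example, not RMMmax's own code: the noise-word list, the numeric version comparison, the record layout, and the choice to compare only product tokens (so a vendor name alone never produces a match) are assumptions, and the sample data is constructed.

```python
import re

# Assumed noise words; the page does not list the tokens RMMmax ignores.
NOISE = {"the", "for", "and", "inc", "corp", "software", "x64", "x86"}

def tokens(name):
    """Lower-case, split on non-alphanumerics, keep meaningful tokens of 2+ chars."""
    return {t for t in re.split(r"[^a-z0-9]+", name.lower())
            if len(t) >= 2 and not t.isdigit() and t not in NOISE}

def vkey(version):
    """'3.4.0' -> (3, 4): numeric parts only, trailing zeros dropped."""
    parts = [int(p) for p in re.findall(r"\d+", version)]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def in_range(version, rng):
    """True if version is inside the vulnerable window (missing bounds are open)."""
    v = vkey(version)
    lo, hi = rng.get("versionStartIncluding"), rng.get("versionEndExcluding")
    return (lo is None or v >= vkey(lo)) and (hi is None or v < vkey(hi))

def correlate(cve, inventory):
    """At most one match per CVE and device: the first matching product wins."""
    for product in cve["affected"]:
        want = tokens(product["product"])
        for item in inventory:
            if want & tokens(item["name"]) and in_range(item["version"], product):
                return {"cve": cve["id"], "product": item["name"],
                        "version": item["version"], "kev": cve["kev"]}
    return None

# Constructed sample data; the CVE ID is a placeholder, not a real record.
CVE = {"id": "CVE-0000-00001", "kev": False, "affected": [
    {"vendor": "acme", "product": "archiver",
     "versionStartIncluding": "3.0", "versionEndExcluding": "3.4"},
    {"vendor": "acme", "product": "archiver_cli", "versionEndExcluding": "3.4"}]}
INVENTORY = [
    {"name": "Contoso Notes", "version": "3.2.1", "publisher": "Contoso"},
    {"name": "Acme Archiver (x64)", "version": "3.2.1", "publisher": "Acme Inc"},
    {"name": "Acme Archiver CLI", "version": "3.2.1", "publisher": "Acme Inc"}]

if __name__ == "__main__":
    print(correlate(CVE, INVENTORY))
```

Two installed products match the CVE here, but only the first is recorded; the same inventory at version 3.4.0 falls outside the vulnerable window and produces no match.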

Severity Ratings
Every matched CVE on every device is rated by severity based on its CVSS base score:

| Severity | CVSS Score Range |
|----------|------------------|
| Critical | 9.0 – 10.0 |
| High | 7.0 – 8.9 |
| Medium | 4.0 – 6.9 |
| Low | 0.1 – 3.9 |
| None | 0.0 |


Client Risk Dashboard
At the client level, CVE Intelligence provides an aggregated risk view showing:

  • Total active CVE matches broken down by severity (Critical, High, Medium, Low)
  • A separate KEV count — the number of actively exploited vulnerabilities specifically
  • A risk status for each device: critical (has any Critical or KEV matches), high, medium, low, or clean
  • Per-device match counts and last scan date

This view lets you immediately identify which clients and which devices carry the most exposure and where remediation effort should be focused.

Security Score and Letter Grade
For each client, CVE Intelligence calculates a 0–100 security score based on the active vulnerability matches. Deductions are applied per match by severity:

| Match Type | Score Deduction |
|------------|-----------------|
| Critical CVE | −8 per match |
| High CVE | −4 per match |
| Medium CVE | −1 per match |
| Low CVE | −0.25 per match |
| KEV (any severity) | −5 additional per match |


The score is then converted to a letter grade:

| Score | Grade | Label |
|-------|-------|-------|
| 90–100 | A | Excellent |
| 75–89 | B | Good |
| 60–74 | C | Fair |
| 40–59 | D | Poor |
| 0–39 | F | Critical Risk |

Match Status Management
Not every vulnerability requires the same response. For each CVE match on a device, you can set a status to track where it stands in your remediation workflow:

  • Active — The vulnerability is present and unaddressed
  • Mitigated — A fix or compensating control has been applied
  • Risk Accepted — The vulnerability has been reviewed and the risk formally accepted

Each status update supports an optional remediation notes field where you can document what was done, what mitigating controls are in place, or the business justification for accepting the risk. Only Active matches factor into the security score and dashboards.
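
The scoring tables and the Active-only rule above, worked through on one client's matches. This is an added example, not RMMmax's own code: the record layout, clamping the score at 0, and placing fractional scores in the band whose lower bound they reach are assumptions, and the sample matches are constructed.

```python
# Deductions and grade bands are taken from the tables on this page.
DEDUCTION = {"Critical": 8, "High": 4, "Medium": 1, "Low": 0.25}
KEV_PENALTY = 5
GRADES = [(90, "A", "Excellent"), (75, "B", "Good"), (60, "C", "Fair"),
          (40, "D", "Poor"), (0, "F", "Critical Risk")]

def severity(cvss):
    """Map a CVSS base score to the severity bands listed on this page."""
    for floor, name in ((9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (0.1, "Low")):
        if cvss >= floor:
            return name
    return "None"

def active(matches):
    """Mitigated and Risk Accepted matches do not count toward score or status."""
    return [m for m in matches if m["status"] == "Active"]

def client_score(matches):
    """Start at 100 and deduct per Active match; clamping at 0 is an assumption."""
    score = 100.0
    for m in active(matches):
        score -= DEDUCTION.get(severity(m["cvss"]), 0)
        if m["kev"]:
            score -= KEV_PENALTY  # added on top of the severity deduction
    return max(0.0, score)

def grade(score):
    """Fractional scores go to the band whose lower bound they reach (assumption)."""
    return next((g, label) for floor, g, label in GRADES if score >= floor)

def device_status(matches):
    """Any Active Critical or KEV match makes the device critical."""
    sev = [("Critical" if m["kev"] else severity(m["cvss"])) for m in active(matches)]
    return next((s.lower() for s in ("Critical", "High", "Medium", "Low") if s in sev), "clean")

# Constructed sample: one client's matches, not real scan output.
SAMPLE = [
    {"cvss": 9.8, "kev": True,  "status": "Active"},
    {"cvss": 7.5, "kev": False, "status": "Active"},
    {"cvss": 5.3, "kev": False, "status": "Mitigated"},
    {"cvss": 3.1, "kev": False, "status": "Active"},
    {"cvss": 9.1, "kev": False, "status": "Risk Accepted"},
]

if __name__ == "__main__":
    s = client_score(SAMPLE)
    print(s, grade(s), device_status(SAMPLE))
```

Marking the two non-Active matches as Active again would drop this client from 82.75 (B) to 73.75 (C), which shows how much the grade depends on status changes being justified in the remediation notes.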

PDF CVE Intelligence Report
A full PDF report can be generated per client for compliance documentation, client-facing review, or internal audit purposes. The report includes:

  • Client name, report date, and overall security score with letter grade
  • Total CVE counts by severity and KEV count
  • Per-device breakdown with each device’s patch exposure summary
  • Full table of active CVE matches per device including CVE ID, description, CVSS score, severity, KEV flag, affected product, and matched version
  • RMMmax branded layout with color-coded severity indicators matching the console UI

Feed Ingestion Log
RMMmax maintains a log of every CVE feed ingestion run, recording the source (NVD or CISA), the number of CVEs processed, the run status (success, partial, or error), and any error details. This gives you full visibility into when the threat data was last refreshed and whether any ingestion issues occurred.

Automated Scanning Schedule
CVE scans are pushed automatically to all enabled devices on a background schedule — no manual triggering required. Scans can also be triggered manually at any time, either for individual agents or for all agents under a client. After each scan completes and new inventory is received, the correlation engine re-runs automatically for that device to update the match list with the freshest data.

Enabling Devices
CVE Intelligence is opt-in at both the client and device level. A client must be enabled for CVE Intelligence, and each individual device must also be enabled before scans are dispatched to it. This keeps CVE scanning contained to the devices you actively want to monitor.