Wazuh's Vulnerability Detection panel automatically detects the CVEs affecting the software installed on your agents, cross-referencing it against the NVD, Debian, Red Hat, and other databases. It's enabled by default and requires no extra configuration to start showing results.
How do you use Wazuh's Vulnerability Detection panel?
Wazuh's Vulnerability Detection panel cross-references the software installed on your systems against CVE databases to detect known vulnerabilities. It comes enabled by default, but it can be customized on both the server and the agents.
Video: Vulnerability Detection
12 minutes - Setup and hands-on CVE case
Regulatory framework: why it's mandatory
ISO 27001 - Control A.8.8
Management of technical vulnerabilities: Organizations must identify the technical vulnerabilities in their information systems, assess their exposure, and take appropriate measures. It's not optional: it's an explicit control in Annex A.
Important: Running a vulnerability scanner once a year isn't enough. The standard requires a continuous, documented process.
ENS - Measures op.exp.6 and op.exp.3
op.exp.6 (Protection against malicious code): Active protection against exploitable vulnerabilities.
op.exp.3 (Security management): Requires keeping an up-to-date inventory of installed software and its versions, precisely so it can be cross-referenced against vulnerability databases. In the ENS medium category, this control is mandatory.
Server (Manager) configuration
Vulnerability detection comes enabled by default. In the manager's /var/ossec/etc/ossec.conf you can customize:
<vulnerability-detector>
  <enabled>yes</enabled>
  <interval>5m</interval>
  <min_full_scan_interval>6h</min_full_scan_interval>
  <run_on_start>yes</run_on_start>
</vulnerability-detector>
Parameters:
- interval: How often to check for new packages
- min_full_scan_interval: Minimum interval between full scans
- run_on_start: Run a scan when the service starts
Agent configuration
On the agents, the software inventory module is enabled by default. It sends the list of installed packages to the manager, which cross-references them against the CVE databases.
You can customize which packages to scan or exclude specific directories from the analysis by editing the agent's ossec.conf.
Hands-on case: CVE-2025-15467 (OpenSSL)
In the video we automatically detect a critical OpenSSL vulnerability. The panel shows:
- CVE ID: CVE-2025-15467
- Severity: Critical
- Affected package: openssl
- Vulnerable version: the one installed on the system
- Fix: Update to a patched version
Fix: Update OpenSSL
apt update && apt upgrade -y openssl libssl3t64 openssl-provider-legacy
After the update, Wazuh will verify on the next scan that the vulnerability no longer applies and mark it as resolved.
What information the panel provides
The Vulnerability Detection panel shows:
- Total vulnerabilities per agent and severity
- CVE ID linked to the National Vulnerability Database (NVD)
- CVSS Score: Severity rating
- Affected package and version
- Detection date
- Status: Active, resolved, or ignored
Compliance summary
| Regulation | Control | Requirement |
| --- | --- | --- |
| ISO 27001 | A.8.8 | Continuous management of technical vulnerabilities |
| ENS | op.exp.6 | Protection against malicious code |
| ENS | op.exp.3 | Up-to-date software inventory |
Next steps
Our managed Wazuh service covers more panels like Configuration Assessment, Malware Detection, and Threat Hunting. Discover our Wazuh service.