The SoftwareVulnerability object is representing vulnerability properties of an Application.

Which type of vulnerability is intended to be represented by the SoftwareVulnerability object is defined by the different security properties, or defense settings, of the SoftwareVulnerability object.

The SoftwareVulnerability concept is not limited to published, official, vulnerabilities with exploits (i.e. CVE-vulnerabilities). It is equally suitable for representing software vulnerabilities that do not require an exploit (for instance misconfigurations) and zero-day exploits.

It is also possible, and recommended, to have a SoftwareVulnerability object connected to every Application object and to configure it as an "unknown vulnerability" in order to take potentially lacking information about the Application into account.



When connecting a SoftwareVulnerability to an Application, provided that the Attacker manage to reach the Application, the Attacker will have the opportunity to attempt exploiting the vulnerability. How useful this particular vulnerability will be to the Attacker is dependent on the properties (defense settings) applied to it.

An Application with a SoftwareVulnerability.An Application with a SoftwareVulnerability.

An Application with a SoftwareVulnerability.


When a SoftwareVulnerability is connected to a SoftwareProduct (for instance to represent a vulnerable software release), the vulnerability affects all Application objects connected to the SoftwareProduct.

Host 1, 2 and 3 are based on the same SoftwareProduct (labeled "Legacy OS") which in turn is vulnerable to the "CVE-yyyy-nnn" SoftwareVulnerability.Host 1, 2 and 3 are based on the same SoftwareProduct (labeled "Legacy OS") which in turn is vulnerable to the "CVE-yyyy-nnn" SoftwareVulnerability.

Host 1, 2 and 3 are based on the same SoftwareProduct (labeled "Legacy OS") which in turn is vulnerable to the "CVE-yyyy-nnn" SoftwareVulnerability.


The type and impact of a vulnerability, as well as the complexity involved in abusing it, is defined using the defense settings of the SoftwareVulnerability object. This section will describe these settings in more detail.

Vulnerability scanner data

When using a data-driven approach with vulnerability scanner data to generate a model, the vulnerability scanner findings contain CVSS vector information that is used to adjust the defense settings of the vulnerability so that the vulnerability added to the model match what the vulnerability scanner reported.

Attack Vector

The "Attack Vector" of a vulnerability is either "network", "local" or "physical".

Network is for vulnerabilities that can be used via a network connection like for instance EternalBlue or the log4j log4shell vulnerability. Network type vulnerabilities might (depending on the other defense settings of the SoftwareVulnerability) be exploitable via a NetworkExposure or ClientAccess connection to a network or via a ConnectionRule.

Local vulnerabilities require the Attacker to connect to the application locally, within the same operating system. It could be related to a non-network application or the operating system itself. If they are related to the operating system kernel, they and are sometimes referred to as "kernel exploits" which in some cases lead to privilege escalation. Therefore, it is not possible to exploit a local vulnerability on an Application via NetworkExposure or ClientAccess to a Network or via a ConnectionRule.

Physical software vulnerabilities require the Attacker to have gained access to a PhysicalZone where a System is connected which, in turn, has a Physical vulnerability connected to it. These are less common, but there are a few examples like the "Sophos Login Screen Bypass Vulnerability (CVE-2014-2005)" vulnerability.

The above aspects are covered in the NetworkAccessRequired, LocalAccessRequired and PhysicalAccessRequired defense properties respectively.

Required Access

Different vulnerabilities require different level of initial access before they are applicable. The "Access" portion of the CVSS vector is defining this aspect.

The different related defense properties are LowPrivilegesRequired and HighPrivilegesRequired.

For vulnerabilities that require no prior authentication both these parameters should be set to zero/off.

Attack Complexity

Attack Complexity is related to how likely it is for an exploit to be successful depending on if there are different aspects beyond the Attacker's control that need to be fulfilled for the vulnerability to be exploitable.

Attack Complexity is not related to how technically advanced the exploit need to be in order to exploit the vulnerability. If the vulnerability was difficult to discover and a very advanced exploit is needed, and has been developed by the Attacker or has been published, and the exploit work reliably when executed, then the Attack Complexity is considered low.

This property is defined by the HighComplexityExploitRequired parameter.

User Interaction

For vulnerabilities in client applications, like for instance Office applications, mail clients and web browsers, the Attacker is required to convince the victim to make contact with a location in the model where the Attacker already have access (like for instance Internet or an already compromised network zone). This is done via phishing or by waiting for an incoming connection from the client application (in case of a drive-by-attack).

In these cases, the parameter UserInteractionRequired shall be set to on.


The Impact of a vulnerability, once successfully exploited, also depends on the type of vulnerability. The corresponding pparameters in the SoftwareVulnerability object are ConfidentialityImpactLimitations, IntegrityImpactLimitations and AvailabilityImpactLimitations.


The Remove parameter is used for attenuating the presence of the vulnerability in question.

Vulnerability context

Remove value

Confirmed vulnerability reported by a vulnerability scanner or found via manual inspection


Potential/unknown vulnerability in case of lacking information (a scan or investigation might no be possible or feasible)


Applying a mitigation to remove/patch the vulnerability to evaluate the security improvement it might bring (by simulating the model again)


Unknown Vulnerability

Unknown vulnerabilities are recommended to use when information about the vulnerability status of an application is missing like when a scan or investigation is not possible to carry out (like for instance with SCADA environments or when modeling the impact of remote environments beyond our control).

Also, when using vulnerability scanner data, it is recommended to still keep a SoftwareVulnerability like below but with Remove set to a high value to account for the case of the vulnerability scanner missing vulnerabilities due to lacking database updates or for the case when a vulnerability is discovered after the scan was run.

Defense parameter

Recommended value












0 for a network-capable application, 1 for a non-network application




1 for a network-capable application, 0 for a non-network application


0 (in most cases)


0,5 in case of unknown security status, leave at for instance 0,95 even when scanner data is used


0 for a service application, 1 for a client application



Attack step name

Attack step purpose


Successfully abusing the vulnerability, leading to the Impact parameters affecting the connected Application.


Deny impact on the connected Application.


Prerequisite to Abuse.


When AttackComplexity is low or zero, ExploitTrivially lead to Exploit.


When AttackComplexity is high or one, ExploitWithEffort lead to Exploit.


The impact on the connected Application caused by successfully exploiting the vulnerability.


Successfully modifying the connected Application's data and/or source code.


Successfully reading the connected Application's data and/or source code.


For a detailed description of the defense parameters, see the Configuration section above.

Defense name

Defense purpose


Availability impact on the connected Application.


Confidentiality impact on the connected Application.


An exploit depending on requirements beyond the attacker's control is considered complex.


Fully authenticated user is required. Set to zero if no authentication is required.


Integrity impact on the connected Application.


Local attack vector.


Limited access is required. Set to zero if no authentication is required.


Network attack vector.


Physical attack vector.


Existence parameter for non-confirmed vulnerabilities.


Client-side attacks require user interaction.