Vulnerability Exposure Assessment release notes

  • Release version: Store
  • Updated June 16, 2026

    Version history for the Vulnerability Exposure Assessment application on the ServiceNow Store.

    Important:
    For details on system requirements and family compatibility, view the application listing on the ServiceNow Store website.

    Version history

    Version 30.6.0 - June 2026 (USEM)
    • Changed:
      • The vulnerability exposure assessment workflow now excludes inactive component dependencies from analysis. Application Vulnerable Items (AVITs) and related records are no longer created for components that are not actively associated with a Bill of Materials (BOM) entity. This ensures only relevant, active components are considered during exposure assessments.
      • Enhancements and changes to the Vulnerability Exposure Assessment application to support internal security directives.
    • Fixed: Large tables are now handled efficiently when deleting vulnerability items, preventing unnecessary scans and improving performance when processing related records.
    Version 5.5.2 - June 2026
    • Fixed: An issue where null related records might trigger unnecessary full table scans when vulnerable items (VITs) and application vulnerable items (AVITs) are being deleted.
    • Changed:
      • Inactive component dependencies are now excluded from vulnerability exposure assessment. The system no longer creates vulnerability records or affected product entries for component dependencies marked as inactive, ensuring only active components are considered during SBOM-based exposure analysis.
      • Enhancements and changes to the Vulnerability Exposure Assessment application to support internal security directives.
    Version 30.4.0 - April 2026 (USEM)
    • Changed:
      • CI filtering for vulnerability assessments: You can now filter which configuration items are included in a vulnerability assessment using a condition builder.
      • Business Application population on AVITs: AVITs created from SBOM assessment results now include Business Application information, helping you understand application impact and prioritize remediation.
      • Priority roll‑down from vulnerability assessments: Updates to the priority of a vulnerability assessment now automatically roll down to associated VITs and AVITs, ensuring consistent prioritization based on the highest severity.
    Version 5.5.0 - April 2026
    • New:
      • CI Filter on Vulnerability Assessment
        • With a new ci_filter conditions field scoped to cmdb_ci that has been added to sn_vul_analyst_vulnerability_assessment, you can define a CI filter on a Vulnerability Assessment record to scope the assessment to CIs that match specified conditions such as environment or operational status, rather than evaluating all the CIs.
        • The ci_filter field is supported in both the default and Vulnerability Analyst Workspace views.
        • The new assessment creation modal includes a condition builder for CI filtering alongside the Title and Primary CVE (typeahead) inputs. The modal also shows an inline alert if a record with a matching CVE already exists, and state is reset upon record closure.
      • Priority roll-down from vulnerability assessment to VIT and AVIT
        • If a Vulnerability Assessment (VA) priority is set or updated, that priority automatically rolls down to all linked Vulnerable Items (VITs) and App Vulnerable Items (AVITs).
    Version 5.3.0 - January 2026
    Performance enhancements in Exposure Assessment scheduled job.
    Version 30.2.1 - January 2026 (USEM)
    Minor defect fix as part of this release, related to the functionality of adding a new affected product in Vulnerability Assessment Workspace.
    Version 5.2.3 - December 2025
    • Fixed:
      • PRB1926442: [Security Bug] ACL Bypass via 'sn_vul_analyst.Activate CVE' Data Broker
        • Removed sn_vul_analyst.emergency_response role from CVE activation data broker ACL
        • Added sn_vul_analyst.vul_event_manager role requirement to data broker ACL
      • PRB1944031: VCM workspace not visible in Zurich platform
        • Corrected plugin name from vulnerability_crisis_management to sn_vul_vcm in sys_ux_page_property configuration.
    Version 5.2.2 - August 2025
    • New:
      • The following improvements are available in Hardware Vulnerability Assessment:
        • Assessments without Normalization: Ability to assess discovery models without content available for normalization.
        • Confidence Scores: New scoring mechanism for all types of assessments.
        • Partial assessment for partially normalized discovery model: Creates partial assessments for discovery models without firmware version. The partial assessments are done if the other versions of the discovery model have the same publisher and model.
        • Expiring of assessments: If you update the firmware version of a CI, the corresponding normalized discovery model also updates. The assessment records based on the older firmware version expire, while new assessments are generated for the new firmware version.
    • Fixed:
      • Update code to create assessments for unmapped discovered models
      • Created assessments for range criteria having empty in cpe mapping and observe that partial match assessments have confidence score as 1.
      • Fixed a few security ACLs related to data brokers and script includes.
    Version 5.1.2 - June 2025
    Fixed: Population of "Installation count" field was fixed when VEX Record was created via Vulnerability Assessment.
    Version 5.1.1 - May 2025
    Fixed: Access to sn_vul_analyst_exposure_manifest and sn_vul_analyst_software_risk tables has been restricted for all users via ACL configuration to improve data security.
    Version 5.0.2 - February 2025
    Changed: Starting with v25.0.4 of Vulnerability Response and 5.0.2 of Vulnerability Exposure Assessment, you can assess your assets' exposure to vulnerabilities by the publisher in addition to the assessment by Common Vulnerabilities and Exposures (CVEs) or software.
    Version 4.0.1 - November 2024
    • Changed: If a Common Vulnerability Entry (CVE) has not been updated or had vulnerable items (VITs) created in the past 30 days, the exposure assessment record for that CVE is automatically marked as inactive. However, you can manually activate or deactivate these records. Additionally, the scheduled job "Check potential vulnerability exposure" scans for such CVEs to designate them as inactive/active.
    • Fixed: Minor fixes for this release.
    Version 3.2.2 - August 2024
    • New: Added the Re-assess UI action in the Vulnerability Assessment Workspace to re-assess the exposure assessment of existing Common Vulnerability Entries (CVEs) and software records.
    • Changed: Vulnerability Response Pro and Enterprise customers can access the Exposure Assessment in the Vulnerability Manager Workspace or Vulnerability Assessment Workspace based on the user role, upon clicking the Exposure Assessment link in the All menu. Vulnerability Response Standard customers can still access the Exposure Assessment in the classic UI.
    Version 3.1.3 - May 2024
    Vulnerability Emergency Response is a comprehensive solution for proactive vulnerability management and crisis response. In a single workspace, it offers standalone assessments for single CVEs and vulnerable product versions, while the newly introduced Vulnerability Crisis Management Workflow enables you to efficiently handle vulnerability crisis events from end to end. This workflow includes holistic exposure assessment to identify vulnerable Configuration Items, vulnerable item creation, and crisis declaration with major security incident management, enabling cross-team engagement, collaboration, coordination and reporting for rapid response.