Get a first look at what's coming. The Developer Passport Australia Release Preview kicks off March 12. Dive in! 

Zero day Vulnerability - Best Practice

Go to solution
sach1
Tera Guru

‎11-13-2025 12:29 AM

Hi All,

 

I am looking for guidance and best practice on how to handle Zero day Vulnerabilities in ServiceNow for cases where CVE's are not available.

 

Came across the below KB article which talks about creating a new table by extending OOTB Vulnerability table, is that the only way ?

How to handle Zero Day Vulnerabilities in Vulnerability Module - Support and Troubleshooting

 

We want to create VIT's and remediation tasks for the vulnerabilities for which CVE's are not created.

 

#secops #vulnerability 

#SIR #VR

  • 2,980 Views
1 ACCEPTED SOLUTION

Go to solution
Sarath S
ServiceNow Employee

‎11-19-2025 08:59 AM - edited ‎11-19-2025 09:40 AM

@sach1 : For Zero-Day vulnerabilities where a CVE is not yet published, you don’t need to extend the Vulnerability table. A more effective and scalable approach is to use Exposure Assessment in Vulnerability Response.

With Exposure Assessment, an analyst can initiate an assessment using only the impacted software, even when the CVE ID is not available. You simply input the affected software , and the assessment automatically identifies installations from the cmdb_sam_sw_install. Once the software match is established, users can :

  • Create Vulnerability Items (VITs) tied to the impacted CIs

  • Trigger existing automation rules, including

    • VIT assignment

    • Remediation Task generation

    • Remediation Target Rules etc 

  • Continue through your full workflow exactly as it would for CVE-based vulnerabilities

  • Finally, close VITs using Auto-Close Rules once remediation is complete

This approach allows you to operationalize Zero-Day vulnerabilities seamlessly, without waiting for a CVE to be published and without creating custom tables. 

 

In short: Exposure Assessment by software is best practice for handling Zero-Day vulnerabilities in ServiceNow. It allows you to identify the exposure, generate VITs, and drive remediation end-to-end—even before official CVE details exist.

 

If you're looking for an even more streamlined and coordinated process during high-severity Zero-Day events, you can also leverage Vulnerability Crisis Management. It provides an orchestrated workspace to track the Zero-Day, collaborate across teams,and monitor remediation progress all while your Exposure Assessment driven VITs and remediation tasks flow automatically in the background.

 

Exposure assessment document :

https://www.servicenow.com/docs/bundle/zurich-security-management/page/product/vulnerability-respons...

 

Vulnerability Crisis Management document: https://www.servicenow.com/docs/bundle/zurich-security-management/page/product/vulnerability-respons...

 

Thanks,
Sarath S

View solution in original post

15 REPLIES 15

Go to solution
Dave Winsor
Tera Contributor

‎11-20-2025 07:58 AM

A zero day by definition is a vulnerability that is published prior to the vendor/owner having a patch. In other words its a flaw you cannot fix on 'day zero'. While you could create VIT's via Exposure Assessment if there is a known CVE published, using the software publisher, product, version option, or even manual upload, you may want to think thru the necessity of doing so. Big 3 scanning vendors (Qualys, Tenable, Rapid7) are pretty quick to publish their signatures and most likely would be 24 hours or less. Going thru the trouble of creating VIT's outside your BAU process might be an overkill during this short window. There is also the issue of duplicate tickets once the scanners start feeding you detections as well. You may want to look at beginning a Security or regular Incident process (if the zero day is Critical) for tracking, running targeted scans once the signature is published, and adhoc imports of the results into ServiceNow for holistic tracking.

In my experience, anything truly Critical usually has a more manual and focused response and we backfill the documentation of VIT's while "flying the plane". If a Zero Day is not Critical (not all of them are!), your routine SLA's should not be greatly impacted by a day or two of missing VIT's.

0 Helpfuls

Go to solution
Aaron Molenaar
Mega Guru
In response to Dave Winsor

‎11-20-2025 08:16 AM

In general, I agree that scanning vendors are mostly responsive to providing checks for new vulnerabilities - though we have had cases of weeks for some critical items, but that is rare. I think the greater case for a non-scan driven VIT process is for software not covered by scan vendors, which we find to be more common as time goes by and malicious actors investigate greater parts of the technology stack.

 

This is where we often find ourselves "flying the plane" (as you aptly say) and building the documentation as best we can in VR using manual determinations of impacted assets/software. This is frequently just a list attached to a VUL with no VITs in it. 

Go to solution
MaxMixali
Mega Sage

‎11-20-2025 08:54 AM - edited ‎11-20-2025 10:27 AM

 

  

0 Helpfuls

Go to solution
Simon Hendery
Tera Patron
In response to MaxMixali

‎11-20-2025 09:57 AM

@MaxMixali 

 

Stop cutting and pasting #AI_slop !

 

slop.jpg

---

 

Everyone: Please consider joining the efforts to keep AI content out of the community:

https://www.servicenow.com/community/community-resources/servicenow-community-code-of-conduct-for-al...

 

0 Helpfuls

Go to solution
MaxMixali
Mega Sage
In response to Simon Hendery

‎11-20-2025 10:28 AM

I'm trying to help 

0 Helpfuls