Vulnerability Exposure Assessment release notes
Version history for the Vulnerability Exposure Assessment application on the ServiceNow Store.
Important:
For details on system requirements and family compatibility, view the application listing on the ServiceNow Store website.
Version history
- Version 30.6.0 - June 2026 (USEM)
- Changed:
- The vulnerability exposure assessment workflow now excludes inactive component dependencies from analysis. Application Vulnerable Items (AVITs) and related records are no longer created for components that are not actively associated with a Bill of Materials (BOM) entity. This ensures only relevant, active components are considered during exposure assessments.
- Enhancements and changes to the Vulnerability Exposure Assessment application to support internal security directives.
- Fixed: Large tables are now handled efficiently when deleting vulnerability items, preventing unnecessary scans and improving performance when processing related records.
- Version 5.5.2 - June 2026
- Fixed: An issue where null related records might trigger unnecessary full table scans when vulnerable items (VITs) and application vulnerable items (AVITs) are being deleted.
- Changed:
- Inactive component dependencies are now excluded from vulnerability exposure assessment. The system no longer creates vulnerability records or affected product entries for component dependencies marked as inactive, ensuring only active components are considered during SBOM-based exposure analysis.
- Enhancements and changes to the Vulnerability Exposure Assessment application to support internal security directives.
- Version 30.4.0 - April 2026 (USEM)
- Changed:
- CI filtering for vulnerability assessments: You can now filter which configuration items are included in a vulnerability assessment using a condition builder.
- Business Application population on AVITs: AVITs created from SBOM assessment results now include Business Application information, helping you understand application impact and prioritize remediation.
- Priority roll‑down from vulnerability assessments: Updates to the priority of a vulnerability assessment now automatically roll down to associated VITs and AVITs, ensuring consistent prioritization based on the highest severity.
- Version 5.5.0 - April 2026
- New:
- CI Filter on Vulnerability Assessment
- With a new ci_filter conditions field, scoped to cmdb_ci, that has been added to sn_vul_analyst_vulnerability_assessment, you can define a CI filter on a Vulnerability Assessment record to scope the assessment to CIs that match specified conditions such as environment or operational status, rather than evaluating all the CIs.
- The ci_filter field is supported in both the default and Vulnerability Analyst Workspace views.
- The new assessment creation modal includes a condition builder for CI filtering alongside the Title and Primary CVE (typeahead) inputs. The modal also shows an inline alert if a record with a matching CVE already exists, and state is reset upon record closure.
- Priority roll-down from vulnerability assessment to VIT and AVIT
- If a Vulnerability Assessment (VA) priority is set or updated, that priority automatically rolls down to all linked Vulnerable Items (VITs) and App Vulnerable Items (AVITs).
- Version 5.3.0 - January 2026
- Performance enhancements in Exposure Assessment scheduled job.
- Version 30.2.1 - January 2026 (USEM)
- Minor defect fix as part of this release, related to the functionality of adding a new affected product in Vulnerability Assessment Workspace.
- Version 5.2.3 - December 2025
- Fixed:
- PRB1926442: [Security Bug] ACL Bypass via 'sn_vul_analyst.Activate CVE' Data Broker
- Removed sn_vul_analyst.emergency_response role from CVE activation data broker ACL
- Added sn_vul_analyst.vul_event_manager role requirement to data broker ACL
- PRB1944031: VCM workspace not visible in Zurich platform
- Corrected plugin name from vulnerability_crisis_management to sn_vul_vcm in sys_ux_page_property configuration.
- Version 5.2.2 - August 2025
- New:
- The following improvements are available in Hardware Vulnerability Assessment:
- Assessments without Normalization: Ability to assess discovery models without content available for normalization.
- Confidence Scores: New scoring mechanism for all types of assessments.
- Partial assessment for partially normalized discovery model: Creates partial assessments for discovery models without firmware version. The partial assessments are done if the other versions of the discovery model have the same publisher and model.
- Expiring of assessments: If you update the firmware version of a CI, the corresponding normalized discovery model also updates. The assessment records based on the older firmware version expire while new assessments are generated for the new firmware version.
- Fixed:
- Updated code to create assessments for unmapped discovered models.
- Created assessments for range criteria having empty in CPE mapping and observe that partial match assessments have a confidence score of 1.
- Fixed a few security ACLs related to data brokers and script includes.
- Version 5.1.2 - June 2025
- Fixed: Population of "Installation count" field was fixed when VEX Record was created via Vulnerability Assessment.
- Version 5.1.1 - May 2025
- Fixed: Access to sn_vul_analyst_exposure_manifest and sn_vul_analyst_software_risk tables has been restricted for all users via ACL configuration to improve data security.
- Version 5.0.2 - February 2025
- Changed: Starting with v25.0.4 of Vulnerability Response and 5.0.2 of Vulnerability Exposure Assessment, you can assess your assets' exposure to vulnerabilities by the publisher in addition to the assessment by Common Vulnerabilities and Exposures (CVEs) or software.
- Version 4.0.1 - November 2024
- Changed: If a Common Vulnerability Entry (CVE) has not been updated or had vulnerable items (VITs) created in the past 30 days, the exposure assessment record for that CVE is automatically marked as inactive. However, you can manually activate or deactivate these records. Additionally, the scheduled job Check potential vulnerability exposure scans for such CVEs to designate them as inactive/active.
- Fixed: Minor fixes for this release.
- Version 3.2.2 - August 2024
- New: Added the Re-assess UI action in the Vulnerability Assessment Workspace to re-assess the exposure assessment of existing Common Vulnerability Entries (CVEs) and software records.
- Changed: Vulnerability Response Pro and Enterprise customers can access the Exposure Assessment in the Vulnerability Manager Workspace or Vulnerability Assessment Workspace based on the user role, upon clicking the Exposure Assessment link in the All menu. Vulnerability Response Standard customers can still access the Exposure Assessment in the classic UI.
- Version 3.1.3 - May 2024
- Vulnerability Emergency Response is a comprehensive solution for proactive vulnerability management and crisis response. In a single workspace, it offers standalone assessments for single CVEs and vulnerable product versions, while the newly introduced Vulnerability Crisis Management Workflow enables you to efficiently handle vulnerability crisis events from end to end. This workflow includes holistic exposure assessment to identify vulnerable Configuration Items, vulnerable item creation, and crisis declaration with major security incident management, enabling cross-team engagement, collaboration, coordination and reporting for rapid response.