Applies to:

Want to experience Microsoft Defender ATP? Sign up for a free trial.


Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

Threat & Vulnerability Management leverages the same signals in Microsoft Defender ATP's endpoint protection to scan and detect vulnerabilities.

The Weaknesses page lists down the vulnerabilities found in the infected software running in your organization by listing the Common Vulnerabilities and Exposures (CVE) ID, the severity, Common Vulnerability Scoring System (CVSS) rating, prevalence in your organization, corresponding breach, and threat insights.


To boost your vulnerability assessment detection rates, you can download the following mandatory security updates and deploy them in your network:

Access the Weaknesses page a few different ways:

Go to the Threat & Vulnerability Management navigation menu and select Weaknesses to open the list of CVEs.

  1. Go to the global search drop-down menu.
  2. Select Vulnerability and key-in the Common Vulnerabilities and Exposures (CVE) ID that you are looking for, then select the search icon. The Weaknesses page opens with the CVE information that you are looking for. Global search box with the dropdown option "vulnerability" selected and an example CVE.
  3. Select the CVE and a flyout panel opens up with more information - the vulnerability description, exploits available, severity level, CVSS v3 rating, publishing and update dates.

To see the rest of the vulnerabilities in the Weaknesses page, type CVE, then click search.

Weaknesses overview

If the Exposed Devices column shows 0, that means you are not at risk. If exposed devices exist, the next step is to remediate the vulnerabilities in those devices to reduce the risk to your assets and organization.


Breach and threat insights

You can view the related breach and threat insights in the Threat column when the icons are colored red.


Always prioritize recommendations that are associated with ongoing threats. These recommendations are marked with the threat insight icon Simple drawing of a red bug. and breach insight icon Simple drawing of an arrow hitting a target..

The breach insights icon is highlighted if there is a vulnerability found in your organization. Example of a breach insights text that could show up when hovering over icon. This one says "possible active alert is associated with this recommendation.

The threat insights icon is highlighted if there are associated exploits in the vulnerability found in your organization. It also shows whether the threat is a part of an exploit kit or connected to specific advanced persistent campaigns or activity groups. Threat Analytics report links are provided that you can read with zero-day exploitation news, disclosures, or related security advisories.

Threat insights text that that could show up when hovering over icon. This one has multiple bullet points and linked text.

View Common Vulnerabilities and Exposures (CVE) entries in other places

Top vulnerable software in the dashboard

  1. Go to the Threat & Vulnerability Management dashboard and scroll down to the Top vulnerable software widget. You will see the number of vulnerabilities found in each software along with threat information and a high-level view of the device exposure trend over time.

    Top vulnerable software card with four columns: software, weaknesses, threats, exposed devices.

  2. Select the software that you want to investigate to go a drill down page.

  3. Select the Discovered vulnerabilities tab.

  4. Select the vulnerability that you want to investigate. A flyout panel will appear with the vulnerability details, such as: CVE description, CVE ID, exploits available, CVSS V3 rating, severity, publish, and update dates.

    Windows Server 2019 drill down overview.

Discover vulnerabilities in the device page

View related weaknesses information in the device page.

  1. Go to the Microsoft Defender Security Center navigation menu bar, then select the device icon. The Devices list page opens.

  2. In the Devices list page, select the device name that you want to investigate.

    Screenshot of device list with selected device to investigate

  3. The device page will open with details and response options for the device you want to investigate.

  4. Select Discovered vulnerabilities.

    Screenshot of the device page with details and response options

  5. Select the vulnerability that you want to investigate to open up a flyout panel with the CVE details, such as: vulnerability description, threat insights, and detection logic.

CVE Detection logic

Similar to the software evidence, we now show the detection logic we applied on a device in order to state that it's vulnerable. This is a new section called "Detection Logic" (in any discovered vulnerability in the device page) that shows the detection logic and source.

Detection Logic example which lists the software detected on the device and the KBs.

Report inaccuracy

You can report a false positive when you see any vague, inaccurate, incomplete, or already remediated security recommendation information.

  1. Open the CVE on the Weaknesses page.
  2. Select Report inaccuracy.
  3. From the flyout pane, select the inaccuracy category from the drop-down menu, fill in your email address, and details regarding the inaccuracy.
  4. Select Submit. Your feedback is immediately sent to the Threat & Vulnerability Management experts.