Platform/ CVE intelligence

Stop chasing the same CVE across every host.

oxharden turns distro advisories, exploit signals, package matches, and host observations into one fleet-wide CVE record, so you see whether it is exploited, where it exists, and what fixes it by distro.

Start free trial Explore the live demo

fleet-wide

one record per CVE

KEV + EPSS

exploit signals included

per-distro

affected packages and fixes correlated

acme-prod / cves

Monitor

Dashboard

Hosts347

Packages2,184

Ports4,218

CVEs189

Compliance

Exposure47

Scans

Manage

Enroll host

Organization

acme-prod › CVEs

Search hosts, packages, CVEs…⌘K

CVEs

One record per CVE — not one finding per host.

Refresh

severity ≥ high×kev only×has fixepss

CVE	Exploit	Hosts	Distros	Fix status
CVE-2024-1086	KEV	42 hosts	RHEL 9Rocky 9	fixed-in available
CVE-2025-27363	KEV	18 hosts	Amazon 2023	reboot pending
CVE-2023-4911	EPSS 91%	63 hosts	RHEL 8Alma 8	package fix
CVE-2023-44487	EPSS 88%	11 hosts	RHEL 8Alma 8	no fix yet

CVE-2024-1086HighKEVLinux kernel · nf_tables use-after-free

Affected

42 hosts

Fixed-in

kernel-5.14.0-503

Status

31 open · 11 pending reboot

Sources

NVDCISA KEVRHSA

Exact fix by distroRHEL 9→kernel-5.14.0-503.el9Rocky 9→kernel-5.14.0-503.el9+4 distros

A CVE row is not an answer.
oxharden shows whether it is being exploited, which hosts are still affected, and what fixes it for each distro, all in one fleet-wide record.

01 · Exploitability, scored honestly

Exploitation beats severity.

Each CVE record combines KEV, EPSS, and CVSS so confirmed and likely-exploited vulnerabilities rise above raw severity. KEV due dates are surfaced where available, so overdue exploited CVEs stay impossible to miss.

KEV: confirmed exploited, with CISA due dates where available

EPSS: 30-day exploitation probability

CVSS: impact and severity context

CISA KEV

confirmed exploited in the wild

LISTED

EPSS

exploitation probability (30d)

p99

CVSS v3.1

AV:N · impact C/I/A:H

8.1

FIX FIRSTPatch-by 2025-05-27OVERDUE4 hosts affected

02 · One record, every host

See every host a CVE still affects.

Each CVE record rolls up affected, fixed, and unresolved hosts, including systems that read as patched but still need a reboot or service restart. Break blast radius down by OS, workspace, and system so teams know exactly where the risk remains.

Per-host status: affected · pending restart · pending reboot · fixed · exceptioned

Blast radius broken down by OS, workspace, and system

Installed version vs fix version for every affected host

acme-prod / cves / CVE-2025-27363

Monitor

Dashboard

Hosts347

Packages2,184

Ports4,218

CVEs189

Compliance

Exposure47

Scans

Manage

Enroll host

Organization

acme-prod › CVE-2025-27363

Search hosts, packages, CVEs…⌘K

Hosts affected41 package

Fix available4/4100%

Open20 pending reboot

Fixed20 suppressed

Median MTTR—first-seen → fixed

By OS

Oracle Linux Server 9.72

Rocky Linux 8.92

By system

compliance-testing2

testing-agent-updates2

Affected hosts

Host	OS	Installed	Fix in	Status
ip-10-20-2-85.us-east-2.compute.internal	Rocky Linux 8.9	2.9.1-9.el8	0:2.9.1-10.el8_10	open
ip-10-20-2-226.us-east-2.compute.internal	Rocky Linux 8.9	2.9.1-9.el8	0:2.9.1-10.el8_10	open
ip-10-20-3-181.us-east-2.compute.internal	Oracle Linux Server 9.7	2.10.4-10.el9_5	0:2.10.4-10.el9_5	fixed
ip-10-20-2-17.us-east-2.compute.internal	Oracle Linux Server 9.7	2.10.4-10.el9_5	0:2.10.4-10.el9_5	fixed

03 · Distro-aware remediation

CPE guessing stops here.

One upstream CVE can mean different package names, fixed versions, and advisories across RHEL, Rocky, AlmaLinux, Oracle Linux, and Amazon Linux. oxharden maps each affected package to the distro advisory and fixed-in NEVRA where available, so teams fix the right package on the right hosts.

Fixed-in NEVRA tied to the distro advisory where available

Linked advisories: RHSA · ELSA · ALAS · RLSA

Per-distro fix state, including the hosts each fix would close

acme-prod / cves / CVE-2025-27363

Monitor

Dashboard

Hosts347

Packages2,184

Ports4,218

CVEs189

Compliance

Exposure47

Scans

Manage

Enroll host

Organization

acme-prod › CVE-2025-27363

Search hosts, packages, CVEs…⌘K

Affected products

Eco	Package	Distro	State	Fixed in	Source
RPM	freetype	amazon 2023	FIXED	2.13.2-5.amzn2023.0.1	ALAS
RPM	freetype-debuginfo	amazon 2023	FIXED	2.13.2-5.amzn2023.0.1	ALAS
RPM	freetype-debugsource	amazon 2023	FIXED	2.13.2-5.amzn2023.0.1	ALAS
RPM	freetype-demos	amazon 2023	FIXED	2.13.2-5.amzn2023.0.1	ALAS
RPM	freetype-demos-debuginfo	amazon 2023	FIXED	2.13.2-5.amzn2023.0.1	ALAS
RPM	freetype-devel	amazon 2023	FIXED	2.13.2-5.amzn2023.0.1	ALAS

Advisories

Source	Advisory	Distro	Severity	Published
RHSA	RHSA-2025:9380	rhel 8	High	2025-06-23
RHSA	RHSA-2025:8292	rhel 8	High	2025-05-29
RHSA	RHSA-2025:8253	rhel 8	High	2025-05-28
RHSA	RHSA-2025:8195	rhel 8	High	2025-05-27
RHSA	RHSA-2025:8219	rhel 8	High	2025-05-27

04 · Provenance you can audit

No black-box CVE scoring.

Each CVE record shows the sources, advisories, exploit signals, and fleet observations behind the score, so teams can explain why a vulnerability was prioritized and what changed over time.

References to NVD · MITRE · CISA KEV · vendor advisories

Timeline from disclosure to first seen on your fleet

CWE weakness classification where available

2025-03-11

CVE published

2025-03-31

First advisory (RHSA)

2025-05-06

Listed in CISA KEV

2025-05-27

KEV remediation due

2026-06-03

First seen on fleet

2026-06-06

CVE record modified

How it works

From scattered advisories to one record.

Correlate

Installed NEVRA on each host is matched against distro security advisories and NVD records, then deduplicated into a single fleet-wide CVE.

NVDNEVRA matchdedupe

Enrich

Each CVE record is layered with exploit intelligence and provenance: KEV status, EPSS percentile, CVSS, CWE, references, and every advisory that addresses it.

CISA KEVFIRST EPSSCVSSCWERHSA / ELSA / ALAS

Resolve

For each affected host, oxharden resolves current status: affected, fixed, pending restart, pending reboot, or exceptioned, with fixed-in version data where available.

per-host statusfixed-infirst-seen

Under the hood

The technical details, up front.

No black box. Here's exactly where each CVE record comes from, how it's matched, and how status is resolved per host.

CVE record sources

NVD, MITRE, CISA KEV, FIRST EPSS, CVSS, and CWE, with source links preserved on each record.

Advisory feeds

Per-distro advisories mapped to each CVE: RHSA, ELSA, ALAS, and Rocky / Alma errata where available.

Matching

Installed NEVRA is compared to fixed-in versions in each distro advisory, avoiding CPE-only guesswork where distro data is available.

Per-host status model

affected · pending restart · pending reboot · fixed · exceptioned, resolved per host so a CVE only closes when the fix is in effect.

Exploit ranking

KEV, EPSS, and CVSS are combined for prioritization, with KEV due dates flagged when available.

Breakdowns

Blast radius rolled up by OS, workspace, and system, with affected-product and advisory matrices.

Export

JSON and CSV today. Additional exports and API workflows are planned for reporting and integrations.

Deployment

SaaS today. Self-hosted and air-gapped enterprise deployment are planned for environments that require offline CVE and advisory feeds.

The rest of the platform

Do not stop at the CVE ID.

oxharden connects each CVE to the package that fixes it, the hosts still affected, and the other risk views that explain priority.

Get started

Launch your first scan in minutes.

Not ready to install? Click around the live demo with real fleet data first. Then start a 14-day free trial on up to 30 of your own hosts.

Explore the live demo Start free

No signup, no agent, or book a guided demo with our team.

install.sh

curl -fsSL https://packages.executepath.dev/install.sh \
  | sudo EXPECTED_GPG_FINGERPRINT=13094D5AB037E6CD79CDFA3A51687EAC6B931A09 bash

✓ agent enrolled · ip-10-20-2-107
✓ inventory synced · 410 packages · 4 ports
✓ first scan complete · 12 critical · 19 vulnerable pkgs

FAQ

CVE records, answered.

A scanner often creates one finding per vulnerable package per host. oxharden deduplicates those into one fleet-wide record per CVE: affected hosts, impacted packages, distro-specific fix data, and exploit signals in one place. You triage the vulnerability once, then act on the hosts and packages it touches.

CVSS comes from NVD and vendor records where available, KEV from CISA's Known Exploited Vulnerabilities catalog, and EPSS from FIRST. oxharden keeps the sources visible on the record and prioritizes confirmed exploitation, exploitation likelihood, and severity together.

Because the fix may be installed but not live: a kernel update awaiting reboot, or a shared library updated on disk while long-running services still map the old copy. oxharden keeps the CVE open for that host until the fixed code is actually in effect.

Per-distro vendor advisories such as RHSA, ELSA, ALAS, and Rocky / Alma errata, mapped to fixed-in NEVRA where available.

JSON is available today. CSV, SARIF, and API workflows are planned for reporting and integrations.

CPEs are useful, but Linux vendors often backport fixes without changing upstream version numbers. oxharden uses distro advisories and fixed-in package versions where available so remediation follows the vendor's security data, not CPE guesswork.

Yes. The same upstream CVE can map to different package names, advisories, and fixed-in versions across RHEL, Rocky, AlmaLinux, Oracle Linux, and Amazon Linux. oxharden keeps those distro-specific fixes attached to the same CVE record.

It means the package fix is present, but vulnerable code may still be running. Reboot applies a fixed kernel; service restart clears processes still mapped to replaced shared libraries.

Exploitation beats severity.

See every host a CVE still affects.

CPE guessing stops here.

No black-box CVE scoring.

From scattered advisories to one record.

Correlate

Enrich

Resolve

The technical details, up front.

Do not stop at the CVE ID.

Package Risk

Fleet Inventory

Compliance & STIG

Launch your first scan in minutes.

CVE records, answered.