Does Virima Include Vulnerability Management? How NIST NVD Integration Works with CMDB
Virima 6.1.1 — Published by Virima, Inc.
Virima is best known as a CMDB and IT discovery platform, but Virima 6.1.1 includes built-in vulnerability management that automatically surfaces CVEs against discovered assets — at no additional cost. The following questions cover exactly how it works.
Does Virima Include Built-In Vulnerability Management?
Yes. Virima 6.1.1 includes vulnerability management as part of its core IT discovery and CMDB capabilities. It does not require a separate module or additional license.
When Virima’s discovery engine scans the environment and captures installed software — names, versions, and vendors — it automatically checks each software version against known CPE (Common Platform Enumeration) entries and retrieves associated CVEs from the NIST National Vulnerability Database. The result is a vulnerability picture tied directly to the CMDB, not a separate database that needs manual reconciliation.
Is the NIST NVD Integration Included at No Extra Cost?
Yes. NIST NVD integration is included in Virima 6.1.1 at no additional charge.
Many vulnerability management platforms treat database access as an add-on or require separate licensing for CVE correlation. In Virima, the NIST NVD integration is part of the discovery and CMDB workflow. Organizations get CVE correlation against every discovered software version as part of the platform they already run.
How Does Virima Automatically Link CVEs to CMDB Assets?
The process runs in four stages:
- Discovery — Virima scans the environment (agentless or agent-based) and records all installed software, including name, version, and vendor, as part of each CI’s record in the CMDB.
- CPE matching — Virima checks each discovered software version against the CPE dictionary in the NIST NVD to identify an exact or near match.
- CVE retrieval — Where a CPE match exists, Virima retrieves all CVEs associated with that software version, including CVSS scores and severity ratings.
- CI linkage — Each CVE is linked directly to the CI that runs the affected software version. This link lives in the CMDB as a relationship — not a separate report or export.
The linkage is dynamic. As new discovery cycles run and new CVEs are published to the NIST NVD, the links update automatically. No manual data entry or reconciliation is required.
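The four stages above, sketched as an added example; this is not Virima's code. The inventory rows, the CVE records (placeholder IDs) and the helper names are constructed for illustration, and matching is simplified to a component-wise comparison of CPE 2.3 names.

```python
# Added illustration: inventory, CVE feed and function names are constructed.
from collections import defaultdict

INVENTORY = [  # stage 1: what discovery recorded per CI (constructed)
    {"ci": "web-01", "vendor": "ExampleSoft", "product": "Example Server", "version": "2.4.1"},
    {"ci": "web-02", "vendor": "ExampleSoft", "product": "Example Server", "version": "2.4.3"},
    {"ci": "db-01", "vendor": "Acme", "product": "DataStore", "version": "9.0"},
]
CVE_FEED = [  # placeholder IDs, not real CVEs
    {"id": "CVE-EXAMPLE-0001", "cvss": 9.8,
     "cpes": ["cpe:2.3:a:examplesoft:example_server:2.4.1:*:*:*:*:*:*:*"]},
    {"id": "CVE-EXAMPLE-0002", "cvss": 5.3,
     "cpes": ["cpe:2.3:a:examplesoft:example_server:*:*:*:*:*:*:*:*"]},
]

def to_cpe23(vendor, product, version):
    """Stage 2: build a CPE 2.3 name (part 'a' = application) from discovery fields."""
    norm = lambda s: s.strip().lower().replace(" ", "_")
    return f"cpe:2.3:a:{norm(vendor)}:{norm(product)}:{norm(version)}:*:*:*:*:*:*:*"

def cpe_matches(pattern, candidate):
    """'*' in the feed pattern matches any value. Escaped ':' is not handled here."""
    p, c = pattern.split(":"), candidate.split(":")
    return len(p) == len(c) and all(a == "*" or a == b for a, b in zip(p, c))

def link_cves(inventory, feed):
    """Stages 3 and 4: collect matching CVEs and attach them to the CI."""
    links = defaultdict(list)
    for row in inventory:
        cpe = to_cpe23(row["vendor"], row["product"], row["version"])
        for cve in feed:
            if any(cpe_matches(p, cpe) for p in cve["cpes"]):
                links[row["ci"]].append((cve["id"], cve["cvss"]))
    # Highest CVSS first; CIs with no match get no entry at all
    return {ci: sorted(v, key=lambda t: -t[1]) for ci, v in links.items()}

if __name__ == "__main__":
    for ci, cves in link_cves(INVENTORY, CVE_FEED).items():
        print(ci, cves)
```

Re-running `link_cves` after either input changes is what keeps the links current: a new discovery cycle changes the inventory, a new publication changes the feed.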
What Does the Vulnerability Drill-Down in Virima Show?
Virima provides a three-level drill-down that allows security and IT operations teams to navigate from a high-level summary to a specific CVE on a specific CI.
Level 1 — Software: All software titles in the environment that carry at least one known vulnerability. Each entry shows the software name, CVE count, and highest severity rating.
Level 2 — Version: All versions of the selected software found across the environment, each with its specific CVE list. Different versions of the same software often have different CVE profiles — this level makes those differences visible without manual comparison.
Level 3 — CVE: Individual CVEs for the selected version, with full detail: CVE ID, CVSS score, CVSS vector string, vulnerability description, affected IT assets, and links to remediation references. From this view, the team can see exactly which assets run the affected version and initiate remediation directly.
This structure eliminates the manual pivot-table work that scanner-only approaches require.
How Does ViVID Help with Vulnerability Remediation Prioritization?
ViVID is Virima’s automated service mapping capability. It builds and maintains visual, dependency-aware maps of IT services — showing which CIs support which services and how those services relate to each other.
When vulnerability data overlays on a ViVID Service Map, teams see:
- Which vulnerable CIs sit on business-critical service maps
- What downstream services and CIs depend on the affected asset
- The potential blast radius if the vulnerability is exploited or if the CI is taken offline for patching
This context changes remediation priority. A medium-severity CVE on a CI that is the sole dependency of a tier-1 revenue service is a higher remediation priority than a critical-severity CVE on an isolated development server. ViVID makes those relationships explicit and always current, because service maps update automatically with each discovery cycle.
CISA’s Known Exploited Vulnerabilities (KEV) catalog tracks CVEs that are actively exploited in real-world attacks. Identifying which CIs in your environment are exposed to KEV-listed CVEs — and what services those CIs support — is exactly the kind of question ViVID and CMDB-linked vulnerability data are built to answer quickly.
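The prioritization argument above, as an added example that is not Virima's or ViVID's logic. The dependency graph, service tiers, findings (placeholder CVE IDs) and the ordering rule (KEV-listed first, then most critical dependent service, then CVSS) are all assumptions chosen for illustration.

```python
# Added illustration: graph, tiers, findings and ordering rule are constructed.
from collections import deque

# "A": ["B"] means A depends on B
DEPENDS_ON = {
    "checkout-service": ["app-01"],
    "app-01": ["db-01"],
    "dev-sandbox": ["dev-01"],
}
SERVICE_TIER = {"checkout-service": 1, "dev-sandbox": 4}  # 1 = most critical
FINDINGS = [
    {"ci": "dev-01", "cve": "CVE-EXAMPLE-0001", "cvss": 9.8, "kev": False},
    {"ci": "db-01", "cve": "CVE-EXAMPLE-0002", "cvss": 5.3, "kev": False},
    {"ci": "app-01", "cve": "CVE-EXAMPLE-0003", "cvss": 4.0, "kev": True},
]

def blast_radius(ci):
    """Every CI or service that depends on `ci`, directly or transitively."""
    reverse = {}
    for src, deps in DEPENDS_ON.items():
        for dep in deps:
            reverse.setdefault(dep, set()).add(src)
    seen, queue = set(), deque([ci])
    while queue:
        for parent in reverse.get(queue.popleft(), ()):
            if parent not in seen:
                seen.add(parent)
                queue.append(parent)
    return seen

def prioritize(findings):
    """Order CVE IDs by KEV flag, then best dependent service tier, then CVSS."""
    def key(f):
        tiers = [SERVICE_TIER[s] for s in blast_radius(f["ci"]) if s in SERVICE_TIER]
        return (not f["kev"], min(tiers, default=99), -f["cvss"])
    return [f["cve"] for f in sorted(findings, key=key)]

if __name__ == "__main__":
    print(prioritize(FINDINGS))
```

The medium-severity finding on `db-01` outranks the critical one on `dev-01` because its blast radius reaches the tier-1 service.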
Can Virima Replace a Standalone Vulnerability Scanner?
Virima and standalone vulnerability scanners serve different but complementary functions.
Virima’s vulnerability management is discovery-driven — it identifies installed software versions and correlates them against the NIST NVD to surface known CVEs. This approach gives deep CMDB and service context for every finding.
Standalone vulnerability scanners often add active exploit testing capabilities — attempting to trigger known vulnerabilities in a controlled way to confirm exploitability. For organizations whose compliance or security posture requires active exploit validation, Virima works alongside scanners: the scanner finds and validates the vulnerability, Virima provides the CI identity, ownership, and service context that make remediation actionable.
For organizations whose requirement is CVE-to-CI linkage, prioritization by asset criticality, and CMDB-backed remediation tracking, Virima’s built-in vulnerability management covers the workflow end to end.
How Are Vulnerability Reports Generated for Stakeholders and Auditors?
Virima 6.1.1 generates vulnerability reports from live CMDB data, so reports reflect the actual state of the environment at the moment of generation — not a point-in-time export that ages the moment it is produced.
Available reporting views include:
- Vulnerability summary by severity (Critical, High, Medium, Low counts)
- Vulnerable assets by business unit, location, or CI owner
- Remediation progress — CVEs opened vs. closed over a defined period
- Aging vulnerabilities — open CVEs that exceed defined remediation SLA thresholds
- Service-level risk — vulnerable CIs mapped to the business services they support
Auditors get the traceability they need: CVE ID, affected CI, software version, discovery date, remediation status, and CI ownership — all in a single report sourced from the CMDB.
Conclusion
Virima 6.1.1 includes vulnerability management as a native capability, integrated with CMDB discovery and ViVID Service Mapping. CVEs link automatically to affected CIs, NIST NVD integration runs at no extra cost, and ViVID provides the service context needed to base remediation prioritization on real business risk — not just CVSS score.