Vulnerability API

Modified on Fri, 8 May at 8:22 AM

Explanation

This API allows you to retrieve vulnerability definitions managed by the five(9s) Console, and it provides additional details for the vulnerabilities returned by the Device API. It supports paging and incremental synchronization, making it efficient to retrieve large datasets or keep external systems synchronized with the latest vulnerability information.

Unlike the Device API, vulnerability data requests are processed synchronously and return immediately.


Requirements

You will need to create/edit a Personal Access Token in the five(9s) Console and grant it access to the "/api/vulnerabilities/" right.
This API is available with Console Version 5.1.67 and later.

A PowerShell script or any other tool that can make REST API calls can be used.


List of API methods

Name: GetVulnerabilityInfos
Description: Retrieve vulnerability information with pagination support
Request Parameters:
  • Page (int, default: 1): Page number to retrieve (1-based)
  • PageSize (int, default: 1000): Number of records per page (1-100000)
  • LastSyncDate (DateTime?, optional): Only return vulnerabilities updated since this date
Response: VulnerabilityResponse (see example below)


1. Getting Started with PowerShell

Here we define some variables that will be used for all the following code snippets.

cls;
$ErrorActionPreference = "Stop"

# General
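$baseUri = "http://<yourEpmHostname>/five9sWS/api/vulnerabilities"; # use https:// if your console is published over TLS, so the token is not sent in clear text
$personalAccessToken = "ABC123456789DEF123456789XYZ123456789"; # placeholder value; the token needs to have access to this API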
$headers = @{
    "Authorization" = "PAT $personalAccessToken"
    "Content-Type"  = "application/json"
}


2. Requesting vulnerability information

Request a single page of vulnerability data:

# Example request - single page
$body = @{
    Page = 1
    PageSize = 1000
    LastSyncDate = [DateTime]::UtcNow.AddDays(-7)  # Optional: only vulnerabilities updated in last 7 days
} | ConvertTo-Json -Depth 100

$response = Invoke-RestMethod -Uri "$($baseUri)/GetVulnerabilityInfos" -Method Post -Headers $headers -Body $body
Write-Host "Returned $($response.ReturnedCount) of $($response.TotalCount) total vulnerabilities"
Write-Host "Page $($response.ReturnedPage) of $($response.TotalPage)"
$response.Results | Format-Table Vulnerability_Idn, Vul_ID, Title, Severity, Vendor -AutoSize


3. Fetching all pages

Loop through all pages until all vulnerabilities are retrieved:

# Fetch all vulnerabilities with pagination
$allVulnerabilities = @()
$currentPage = 1
$pageSize = 1000
$lastSyncDate = [DateTime]::UtcNow.AddDays(-30)  # Optional: only vulnerabilities updated in last 30 days

do {
    Write-Host "Fetching page $currentPage..."
    
    $body = @{
        Page = $currentPage
        PageSize = $pageSize
        LastSyncDate = $lastSyncDate  # Remove this line to fetch all vulnerabilities
    } | ConvertTo-Json -Depth 100
    
    $response = Invoke-RestMethod -Uri "$($baseUri)/GetVulnerabilityInfos" -Method Post -Headers $headers -Body $body
    
    Write-Host "Retrieved $($response.ReturnedCount) vulnerabilities (Page $($response.ReturnedPage) of $($response.TotalPage))"
    
    # Add results to collection
    $allVulnerabilities += $response.Results
    
    # Check if we've retrieved all data
    $hasMorePages = $response.ReturnedCount -ge $pageSize
    $currentPage++
    
} while ($hasMorePages)

Write-Host "`nTotal vulnerabilities retrieved: $($allVulnerabilities.Count)"

# Example: Export to CSV
$allVulnerabilities | Export-Csv -Path "vulnerabilities.csv" -NoTypeInformation

# Example: Filter and display critical vulnerabilities (Severity 1 = Critical, see Severity Values below)
$criticalVulnerabilities = $allVulnerabilities | Where-Object { $_.Severity -eq 1 }
Write-Host "`nCritical vulnerabilities: $($criticalVulnerabilities.Count)"
$criticalVulnerabilities | Format-Table Vul_ID, Title, Vendor, PublishDate -AutoSize


4. VulnerabilityResponse Example

The response includes pagination information and a list of vulnerability objects:

{
  "ReturnedCount": 1000,
  "TotalCount": 15847,
  "ReturnedPage": 1,
  "TotalPage": 16,
  "Results": [
    {
      "Vulnerability_Idn": 4980,
      "CVE_ID": "CVE-2017-0283,CVE-2017-0286,CVE-2017-0287",
      "CVSS": "8.8,5.0,5.0,5.0,5.0,8.8,6.5,6.5,6.5",
      "Vul_ID": "MS17-010",
      "Lang": "ENU",
      "Title": "Security Update for Microsoft Windows SMB Server",
      "Description": "This security update resolves vulnerabilities in Microsoft Windows. The most severe of the vulnerabilities could allow remote code execution if an attacker sends specially crafted messages to a Microsoft Server Message Block 1.0 (SMBv1) server.",
      "MoreInfoURL": "https://support.microsoft.com/kb/4013389",
      "FAQURL": "https://support.microsoft.com/kb/4013389",
      "Severity": 5,
      "Vendor": "Microsoft",
      "Type": 1,
      "Autofix": 0,
      "Scan": 1,
      "PublishDate": "2017-03-14T00:00:00",
      "LastSerialized": "2025-04-14T10:30:45.123",
      "Tags": "Emergency,CriticalInfrastructure"
    },
    {
      "Vulnerability_Idn": 5120,
      "CVE_ID": "CVE-2021-44228",
      "CVSS": "10.0",
      "Vul_ID": "LOG4J-CVE-2021-44228",
      "Lang": "ENU",
      "Title": "Apache Log4j Remote Code Execution Vulnerability",
      "Description": "Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints.",
      "MoreInfoURL": "https://logging.apache.org/log4j/2.x/security.html",
      "FAQURL": "https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance",
      "Severity": 5,
      "Vendor": "Apache",
      "Type": 2,
      "Autofix": 1,
      "Scan": 1,
      "PublishDate": "2021-12-10T00:00:00",
      "LastSerialized": "2025-04-14T10:30:45.456",
      "Tags": "Emergency,ZeroDay"
    }
  ]
}

Severity Values

Vulnerability severity levels:

Value  Severity Level  Description
0      Service Pack    Major update package (not a severity level)
1      Critical        Urgent risk, immediate action required
2      High            Serious issue, high priority fix
3      Medium          Moderate risk, should be addressed
4      Low             Minor risk, low priority
5      N/A             Not applicable
6      Unknown         Severity not determined
7      Any             Wildcard / no filter
8      Unassigned      Not yet classified
9      Preview Pack    Pre-release update


Type Values

Vulnerability types:

Value  Type                 Description
-1     Unknown              The vulnerability type could not be determined or was not provided by Ivanti.
0      Vulnerability        A standard operating system or application vulnerability requiring remediation.
1      Spyware              Malicious software designed to collect information or monitor user activity without consent.
2      Security Threat      A detected security risk such as malware, exploits, or potentially harmful software.
3      LANDesk Update       An update or patch provided specifically for Ivanti / LANDesk managed components.
4      Custom Definition    A user-created or manually imported vulnerability definition configured in Ivanti.
5      Blocked Application  An application identified as unauthorized, restricted, or blocked by security policy.
6      Software Update      A general software patch or version update intended to fix issues or improve functionality.
7      Driver Update        An update for hardware device drivers to improve compatibility, stability, or security.
8      Antivirus            An antivirus-related definition, signature, engine update, or protection component.


Additional Field Information

  • Autofix: 0 = No autofix available, 1 = Global autofix enabled
  • Scan: 1 = Include in scans, 0 = Exclude from scans
  • Tags: Comma-separated custom tags (e.g., "Emergency,DoNotFix,CriticalInfrastructure")
  • LastSyncDate: Use this parameter in subsequent API calls to retrieve only vulnerabilities that have been updated since your last sync
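
The incremental synchronization that LastSyncDate enables, as an added PowerShell example (not part of the original article and not vendor code): it keeps a local cache keyed by Vulnerability_Idn and moves the stored sync time forward only after a complete run. The file names and the F9S_PAT environment variable are assumptions; the endpoint and response fields are the ones shown above.

```powershell
# Added example, not vendor code. File names and F9S_PAT are assumptions.
$ErrorActionPreference = "Stop"
$baseUri   = "http://<yourEpmHostname>/five9sWS/api/vulnerabilities"
$stateFile = "vuln-last-sync.txt"   # hypothetical: time of the last successful sync
$cacheFile = "vuln-cache.json"      # hypothetical: local copy of all definitions
$headers = @{
    "Authorization" = "PAT $($env:F9S_PAT)"   # token from the environment, not the script
    "Content-Type"  = "application/json"
}

# Load the local cache, keyed by Vulnerability_Idn
$cache = @{}
if (Test-Path $cacheFile) {
    foreach ($v in (Get-Content $cacheFile -Raw | ConvertFrom-Json)) {
        $cache[[string]$v.Vulnerability_Idn] = $v
    }
}

# No state file means first run: LastSyncDate is omitted and everything is fetched
$lastSync = $null
if (Test-Path $stateFile) {
    $lastSync = [DateTime]::Parse((Get-Content $stateFile -Raw).Trim(),
        [Globalization.CultureInfo]::InvariantCulture,
        [Globalization.DateTimeStyles]::RoundtripKind)
}

# Take the new watermark before the first request, so definitions changed
# while this run is paging are picked up again by the next run
$syncStarted = [DateTime]::UtcNow
$page = 1
do {
    $request = @{ Page = $page; PageSize = 1000 }
    if ($null -ne $lastSync) { $request.LastSyncDate = $lastSync }
    $response = Invoke-RestMethod -Uri "$baseUri/GetVulnerabilityInfos" -Method Post `
        -Headers $headers -Body ($request | ConvertTo-Json)
    foreach ($v in $response.Results) {
        $cache[[string]$v.Vulnerability_Idn] = $v   # insert new, overwrite updated
    }
    Write-Host "Page $($response.ReturnedPage) of $($response.TotalPage): $($response.ReturnedCount) records"
    $page++
} while ($response.ReturnedPage -lt $response.TotalPage)

# Write the cache first and move the watermark last: if anything above threw,
# the old watermark stays and the next run repeats the same window
ConvertTo-Json -InputObject @($cache.Values) -Depth 5 | Set-Content $cacheFile
$syncStarted.ToString("o") | Set-Content $stateFile
Write-Host "Cache now holds $($cache.Count) definitions"
```

Deleting the state file forces a full resynchronization on the next run.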
