Updated: Launching critical severity in Acunetix Standard & Premium

With the release of Acunetix Standard and Acunetix Premium versions 23.8 and 23.9 comes the addition of critical severity as a new vulnerability classification.

Find out which vulnerabilities have changed to critical here.

What’s changing?

Our vulnerability classification system (High-Medium-Low) has expanded to include a fourth threat level — Critical Severity. On 5 September 2023, we added Critical Severity and Threat Level 4 throughout the products as part of the 23.8 release. At that time, there was no change in the product behavior. All critical vulnerabilities remained categorized as High. 

The second stage of implementation came with the release of v23.9 at the end of September 2023. At this time, we reclassified selected vulnerabilities from High to Critical. We deliberately chose to implement these changes in two stages so that our customers who extract data via APIs had time to update their scripts before the reclassification came into effect.

We encouraged all customers using API integrations or workflows to prepare for the reclassification of select vulnerabilities from High to Critical by updating their scripts to account for the new critical severity threat level. More on this below.

You can find the current list of all vulnerabilities and their severity classification on our website.

Timeline

Why are we making this change?

Currently, Acunetix Standard and Acunetix Premium classify all critical level vulnerabilities as ‘high’. This differs from other IT industry security standards and frameworks, which include a ‘critical’ severity rating for security vulnerabilities. By adding a fourth ‘critical’ threat level, we are bringing both products in line with modern classification systems, such as the Common Vulnerability Scoring System (CVSS).

How do I prepare for this change?

If you leverage our API, we recommend obtaining the latest API documentation and updating your internal scripts that work with data from Acunetix. You can download the latest API documentation from the Acunetix user interface by clicking your name in the top-right corner and selecting Profile. Then click the Acunetix API Documentation link that is listed in the API Key section of your profile.

Shown below is a list of endpoints where the critical severity level has been added. For some endpoint responses (e.g. scan-related or vulnerability-related endpoints), critical severity is referred to as the criticality of a vulnerability. Other endpoint responses, such as target or target group-related endpoints, now include severity counts (e.g. criticality=30). Here is an example of how critical severity is now shown in the API documentation:

Endpoints with critical severity added

/config/agents
/reports
/scans
/scans/{scan_id}
/scans/{scan_id}/results/{result_id}/crawldata
/scans/{scan_id}/results/{result_id}/crawldata/{loc_id}
/scans/{scan_id}/results/{result_id}/crawldata/{loc_id}/vulnerabilities
/scans/{scan_id}/results/{result_id}/statistics
/scans/{scan_id}/results/{result_id}/technologies
/scans/{scan_id}/results/{result_id}/vulnerabilities
/scans/{scan_id}/results/{result_id}/vulnerability_types
/scans/{scan_id}/results/{result_id}/vulnerabilities/{vuln_id}
/targets
/targets/add
/targets/cvs_export
/targets/{target_id}
/targets/{target_id}/technologies/{tech_id}/vulnerabilities
/target_groups
/target_groups/{group_id}
/target_groups/{group_id}/scan
/vulnerabilities
/vulnerabilities/{vuln_id}
/vulnerability_types
/vulnerability_groups
/me/license/fqdns
/me/stats
/web_assets
/events
/notifications
/users
/user_groups
/roles

Here is an example of the new criticality parameter in practice:

Frequently asked questions

THE AUTHOR

Anna Wratislav
Senior Technical Writer