With the release of Acunetix Standard and Acunetix Premium version 23.8 comes the addition of critical severity as a new vulnerability classification.

What’s changing?

Our vulnerability classification system (High-Medium-Low) is expanding to include a fourth threat level: Critical Severity. From 5 September 2023, you’ll notice Critical Severity and Threat Level 4 added throughout the products.

What you won’t see straight away is any change in the product behavior. For now, all critical vulnerabilities remain categorized as High. This includes existing vulnerabilities and newly found vulnerabilities. That’s why, at the moment, you’ll see 0 critical vulnerabilities displayed throughout the product where the new critical severity category has been added.

A second stage of implementation is planned for release at the end of September 2023. At this time, we’ll be reclassifying selected vulnerabilities from High to Critical. We’ve deliberately chosen to implement these changes in two stages so that our customers who extract data via APIs have time to update their scripts before the reclassification comes into effect.

Between now and the end of September 2023, we encourage all customers using API integrations or workflows to prepare for the reclassification of select vulnerabilities from High to Critical. This will require updating scripts to account for the new critical severity threat level. More on this below.

You can find the current list of all vulnerabilities and their severity classification on our website. We’ll be updating this list with the new classifications along with the release of version 23.9 at the end of September.

Timeline

Timeline from 5 September to 28 September 2023

Why are we making this change?

Currently, Acunetix Standard and Acunetix Premium classify all critical-level vulnerabilities as ‘high’. This differs from other IT industry security standards and frameworks, which include a ‘critical’ severity rating for security vulnerabilities. By adding a fourth ‘critical’ threat level, we are bringing both products in line with modern classification systems, such as the Common Vulnerability Scoring System (CVSS).

How do I prepare for this change?

If you leverage our API, we recommend obtaining the latest API documentation and updating your internal scripts that work with data from Acunetix. You can download the latest API documentation from the Acunetix user interface by clicking your name in the top-right corner and selecting Profile. Then click the Acunetix API Documentation link that is listed in the API Key section of your profile.

Shown below is a list of endpoints where the critical severity level has been added. For some endpoint responses (e.g. scan-related or vulnerability-related endpoints), critical severity is referred to as the criticality of a vulnerability. Other endpoint responses, such as target or target group-related endpoints, now include severity counts (e.g. criticality=30). Here is an example of how critical severity is now shown in the API documentation:

An example of critical severity in the API documentation.

Endpoints with critical severity added

/config/agents
/reports
/scans
/scans/{scan_id}
/scans/{scan_id}/results/{result_id}/crawldata
/scans/{scan_id}/results/{result_id}/crawldata/{loc_id}
/scans/{scan_id}/results/{result_id}/crawldata/{loc_id}/vulnerabilities
/scans/{scan_id}/results/{result_id}/statistics
/scans/{scan_id}/results/{result_id}/technologies
/scans/{scan_id}/results/{result_id}/vulnerabilities
/scans/{scan_id}/results/{result_id}/vulnerability_types
/scans/{scan_id}/results/{result_id}/vulnerabilities/{vuln_id}
/targets
/targets/add
/targets/cvs_export
/targets/{target_id}
/targets/{target_id}/technologies/{tech_id}/vulnerabilities
/target_groups
/target_groups/{group_id}
/target_groups/{group_id}/scan
/vulnerabilities
/vulnerabilities/{vuln_id}
/vulnerability_types
/vulnerability_groups
/me/license/fqdns
/me/stats
/web_assets
/events
/notifications
/users
/user_groups
/roles

Here is an example of the new criticality parameter in practice:

An example of criticality in the API documentation.
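The preparation advice above (update any script that consumes Acunetix API data before the High-to-Critical reclassification lands) comes down to one failure mode: code written for a three-level model that treats High as the top severity. The following is an added example, not Acunetix's own code or API client. It assumes, since the announcement does not state it, that vulnerability records carry an integer `severity` field with 0 = informational, 1 = low, 2 = medium, 3 = high and 4 = critical; confirm the real field name and values against the API documentation downloaded from your profile. The records are constructed. It contrasts a legacy equality filter and a fixed lookup table, both of which break on the new level, with a threshold comparison and a tolerant lookup that absorb it.

```python
"""Added example, not Acunetix's own code or API client.

Shows why a script written for the three-level High/Medium/Low model can
silently miss findings once selected High vulnerabilities are reclassified
as Critical, and how to write the check so a new top level is picked up.

Assumptions (not stated in the announcement): vulnerability records carry
an integer ``severity`` field, mapped here as 0 = informational, 1 = low,
2 = medium, 3 = high, 4 = critical.  The records below are constructed.
"""
from collections import Counter

SEVERITY_NAMES = {0: "informational", 1: "low", 2: "medium", 3: "high", 4: "critical"}
CRITICAL, HIGH = 4, 3

# Constructed sample shaped like one page of /vulnerabilities results.
SAMPLE_RESPONSE = {
    "vulnerabilities": [
        {"vuln_id": "v-001", "vt_name": "SQL injection", "severity": CRITICAL},
        {"vuln_id": "v-002", "vt_name": "Cross-site scripting", "severity": CRITICAL},
        {"vuln_id": "v-003", "vt_name": "Directory listing", "severity": HIGH},
        {"vuln_id": "v-004", "vt_name": "Missing security header", "severity": 2},
        {"vuln_id": "v-005", "vt_name": "Version disclosure", "severity": 1},
    ]
}


def legacy_needs_attention(records):
    """Pre-reclassification logic: High was the top level, so the script
    tested for equality with it.  After the change this drops every
    Critical finding, the opposite of what the script was meant to do."""
    return [r["vuln_id"] for r in records if r["severity"] == HIGH]


def needs_attention(records, threshold=HIGH):
    """Threshold comparison: everything at or above ``threshold`` counts,
    so a new, higher level is included without touching the script."""
    return [r["vuln_id"] for r in records if r["severity"] >= threshold]


def severity_name(level):
    """Tolerant lookup: an unmapped level is reported, not raised as KeyError."""
    return SEVERITY_NAMES.get(level, f"unknown({level})")


def severity_counts(records):
    """Per-level counts keyed by name, like a dashboard summary."""
    return dict(Counter(severity_name(r["severity"]) for r in records))


def legacy_severity_counts(records):
    """Pre-reclassification counting with a fixed four-entry table; the
    first Critical record raises KeyError and aborts the whole job."""
    legacy_names = {0: "informational", 1: "low", 2: "medium", 3: "high"}
    return dict(Counter(legacy_names[r["severity"]] for r in records))


if __name__ == "__main__":
    recs = SAMPLE_RESPONSE["vulnerabilities"]
    print("legacy filter :", legacy_needs_attention(recs))   # misses v-001, v-002
    print("updated filter:", needs_attention(recs))
    print("counts        :", severity_counts(recs))
    try:
        legacy_severity_counts(recs)
    except KeyError as exc:
        print("legacy counter failed on severity", exc)
```

The two defensive patterns are deliberately the boring ones: compare against a threshold rather than a single value, and look levels up with a default so an unexpected value is visible in the output rather than fatal. Run against a real response after the update and check that the Critical count is no longer zero.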

Frequently asked questions

Your scan results prior to the 28 September 2023 release will remain, but you will notice that some previously ‘High’ vulnerabilities have been reclassified as ‘Critical’. Historical trend charts and reports won’t change.

Critical severity is used in other IT industry security standards and frameworks for rating vulnerabilities. Adding critical severity brings Acunetix in line with modern classification systems such as the Common Vulnerability Scoring System (CVSS).

Currently no vulnerabilities have changed to critical. The reclassification of selected vulnerabilities from high to critical will occur with the release of v23.9.0 on 28 September 2023.

The current list of vulnerabilities and their severity classification will be updated and published on the Acunetix website with the release of v23.9.0 at the end of September.

Some ‘High’ vulnerabilities from scans launched prior to updating to version 23.9 will change to ‘Critical’. For example: RCE (Remote Code Execution), SQLi (SQL injection), and XSS (Cross-site scripting) vulnerabilities will now show as critical.

Vulnerabilities found by a newly launched scan after updating to v23.9.0 will be classified using the new threat levels – critical, high, medium, low, and informational.

Author: Anna Wratislav, Senior Technical Writer