Package Default Status in vulnerability scanner condition

Om Narayan

Jun 5, 2026, 8:25:43 AM
to Wazuh | Mailing List
For the CVEs with "Package Default Status" in the vulnerability scanner condition field in the Wazuh vulnerability report, the recommended steps given by the Wazuh team are:
  • Review the vendor's security advisory for the CVE.
  • Verify whether a fix has been backported to the installed package version.
  • Check whether an updated package is available through the operating system's repositories.
  • Assess the risk based on the CVSS score, package exposure, and the system's role.
  • Apply any vendor-recommended mitigations if no package update is currently available.
My question is:

We have around 40k instances in Wazuh at this point, and this number is going to increase. We get tens of thousands and millions of CVEs with "Package Default Status". So, is it practically feasible/possible to go through all the recommended steps for all the CVEs with "Package Default Status"? The numbers could go from tens of thousands to millions...

Marcel Kemp

Jun 5, 2026, 10:29:24 AM
to Wazuh | Mailing List

Hi Om Narayan,

The ‘Package Default Status’ condition applies whenever a package is vulnerable but there is no versioned patch available to fix that vulnerability. 
Consequently, it is marked as vulnerable; however, as the package that fixes it is unknown (because it does not yet exist, and the feed displays the condition as ‘Affected’), this condition applies.

Consequently, these conditions will be updated as soon as the original provider’s feed adds this information.

The vast majority of cases may appear this way because support for that OS has been discontinued; therefore, the best course of action would be to check whether the agent is running a deprecated OS (for example, you could check this on the following website: https://endoflife.date/tags/os), and if so, update it to a supported version.

If not, simply wait for the vulnerability publisher to update the information, so that you can ascertain the status and the action to be taken.

In the meantime, you can verify the details of a case by checking the CTI, which contains all the information and references to the original providers, to find out more about the vulnerability:
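
Added example, not part of the thread and not Wazuh code: one way to make the end-of-life check from the reply workable at the scale in the question is to collapse the findings by agent OS release, so the check is made once per release rather than once per CVE. The record field names, OS names, end-of-life dates and CVE ids below are constructed for illustration; map the fields to your own export and fill the dates from endoflife.date.

```python
from collections import defaultdict
from datetime import date

CONDITION = "package default status"

# Constructed lifecycle table (assumption): fill real dates from endoflife.date.
EOL_DATES = {
    ("examplelinux", "7"): date(2024, 6, 30),
    ("examplelinux", "9"): date(2032, 5, 31),
}

# Constructed findings; field names are assumptions, not a Wazuh schema.
SAMPLE_FINDINGS = [
    {"agent": "001", "os": "ExampleLinux", "ver": "7", "cve": "CVE-0000-0001", "condition": "Package default status"},
    {"agent": "002", "os": "ExampleLinux", "ver": "7", "cve": "CVE-0000-0001", "condition": "Package default status"},
    {"agent": "002", "os": "ExampleLinux", "ver": "7", "cve": "CVE-0000-0002", "condition": "Package default status"},
    {"agent": "003", "os": "ExampleLinux", "ver": "9", "cve": "CVE-0000-0001", "condition": "Package default status"},
    {"agent": "003", "os": "ExampleLinux", "ver": "9", "cve": "CVE-0000-0003", "condition": "Package less than 1.2.3"},
    {"agent": "004", "os": "OtherOS", "ver": "3", "cve": "CVE-0000-0002", "condition": "Package default status"},
]

def triage(findings, eol_dates, today):
    """Collapse 'Package default status' findings into one decision per OS release."""
    groups = defaultdict(lambda: {"agents": set(), "cves": set()})
    for f in findings:
        if f["condition"].strip().lower() != CONDITION:
            continue  # findings with a known fixed version follow normal patching
        key = (f["os"].strip().lower(), f["ver"].strip())
        groups[key]["agents"].add(f["agent"])
        groups[key]["cves"].add(f["cve"])
    report = []
    for key in sorted(groups):
        eol = eol_dates.get(key)
        if eol is None:
            action = "lifecycle unknown: look the release up"
        elif eol < today:
            action = "end of life: upgrade to a supported release"
        else:
            action = "supported: wait for the vendor feed to update"
        report.append({"os": key, "agents": len(groups[key]["agents"]),
                       "cves": len(groups[key]["cves"]), "action": action})
    return report

if __name__ == "__main__":
    for row in triage(SAMPLE_FINDINGS, EOL_DATES, date(2026, 6, 5)):
        print(row)
```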