Fixes and Top Fix Groups

You can manage individual fixes or fix groups.


The fixes view on the VM Explore page will show all available fixes for the vulnerabilities and assets that are being displayed. Fixes are sorted by the number of associated vulnerabilities:


Each Fix displays all of the related CVEs and each of the assets that those CVEs affect. Cisco Vulnerability Management also includes diagnosis (a brief description of the vulnerability), consequence (what a successful exploit could result in or allow an attacker to do), and solution (how, specifically, to remediate the vulnerability), based on vendor data.

Users can filter by Cisco Security Risk Score and threat vectors to display the highest risk items and view the number of assets and vulnerabilities that would be involved in the remediation.

Note: If there are more fixes available for the fix that you are viewing, an Alternate Fixes Available button displays. When you click the button, a list of links to alternate fixes displays. You can click the links to see more information about the fixes.


Top Fixes

For each risk group, Cisco Vulnerability Management provides Top Fixes. To access the top fixes, on the VM Dashboard page, navigate to the risk meter that you want to see the top fixes for and click the Top Fixes button. Each Top Fix is a group of up to 3 fixes, which fall in the top 10 largest risk reductions for that Risk Meter. The Top Fix view for a Risk Meter contains its current Risk Score, and the lower score that the Risk Meter would move to after remediating all vulnerabilities in a specific Fix Group. These are sorted by largest risk reduction, left to right, with a button on the right side to move to the second page of Top Fixes.


In the example above, remediating the vulnerabilities for all 3 listed Fixes will reduce the current risk score of 880 by 9 points, down to a new score of 871.

All of the Top Fix Groups (not just the one currently displayed) can be exported in this view by clicking the "Export CSV" button or you can also create a ticket to send out the fix information to the remediation owner (if you have a ticketing connector set up).

Top Fixes Best Practices

Top Fixes are valuable for quickly reducing overall risk. They are based on a simple mathematical calculation that looks at the possible risk reduction to the average risk meter score achieved through applying up to 3 fixes. The calculation depends on two things: 

  1. There are a good number of assets that have the same vulnerabilities in the Risk Meter.

  2. A score reduction can be found with three or less fixes applied. 

Top Fixes is good for:

  • Providing remediation teams a place to focus efforts, particularly early on, and achieve quick wins in risk reduction.
  • Grouping fixes together in a way that will achieve the biggest risk reduction for the remediation efforts.

Top Fixes is not good for:

  • Remediating "legacy” devices with lots of vulnerabilities
  • Risk Meters with dissimilar machines and operating systems
  • Finding quick wins when there are more than three vulnerabilities at the same score level on many of the assets

As customers mature and take care of the highest-level vulnerabilities, top fixes become less and less useful because most vulnerabilities in Cisco Vulnerability Management are scored in the 30-40 range. Therefore, when a customer has most assets remediated to reflect a lower score, Top Fixes will find fewer and fewer recommended fixes. In addition to using Top Fixes, Cisco recommends that Cisco Vulnerability Management admin teams train their staff to look at vulnerabilities by risk score from the Explore view, and remediate any vulnerabilities that are out of risk appetite.

Why are there no Top Fixes?

When no individual fixes would change the overall score of a Risk Meter, no "Top Fixes" are populated. A message that appears which states: "There are no fixes for the vulnerabilities in this group of assets which would lower the group's score."


There are many reasons why you many not see any top fixes, but here are some examples:

  • If your risk meter is vulnerability-based, and none of the vulnerabilities contained in the risk meter are the highest vulnerability on the asset, there will be no opportunity for risk reduction because the vulnerabilities that would affect the score were excluded. Risk Meter scores are an average of asset scores and assets are only scored on the highest vulnerability on the asset.
  • If you have a vulnerability-based risk meter focusing only on vulnerabilities scored at 100, even if you remediate those highest-scored vulnerabilities on the assets, the remaining vulnerabilities will still result in a risk meter score of 1000.
  • If all assets in the risk meter have so many high scored vulnerabilities on them that it would take more than 3 fixes to achieve a risk reduction, no fixes will be displayed. Cisco Vulnerability Management shows you fix groups that contain up to three fixes only to provide manageable achievable risk reductions. In this scenario, go to the VM Explore page for the risk meter, sort or filter on the highest vulnerabilities, and then look at the associated fixes.
  • If your risk meter has no data, contains only inactive assets, or only contains assets scored at 0, the risk meter score will always be 0 and no top fixes will change that.
Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request



Please sign in to leave a comment.