Vulnerability Coverage

Hi Community,

I'm starting this post as a living document to track CVEs that Rapid7 fails to detect. I will update this post regularly whenever I come across a vulnerability that is not covered and I invite all of you to do the same!

Why? Because submitting IDEA cases doesn't work. They disappear into a black hole, nobody processes them, and support simply ignores the issue. So let's make this visible together.

:warning: Yes, we are aware of the official coverage list:
:link: Recurring vulnerability coverage for third-party software | Vulnerability Management Documentation

But honestly – it's disappointing how little is actually in there. On one hand, Rapid7 heavily promotes how many vulnerabilities can be detected and that recent updates should cover even more. On the other hand, we haven't noticed much of a difference in practice. The gap between marketing and reality is hard to ignore.

:clipboard: Undetected CVEs (Community List):

• CVE-2026-4681 – Major Zero-Day, already detected by others:
:link: https://www.tenable.com/cve/search?q="CVE-2026-4681"


:backhand_index_pointing_right: Please add any CVEs you have found missing in Rapid7 detection in the comments below. Include:

  • CVE ID
  • Brief description
  • Link to proof of detection by another vendor (e.g. Tenable, Qualys, etc.)

Let's hold Rapid7 accountable and stop letting critical vulnerabilities slip through unnoticed. :flexed_biceps:

7 Likes

Hi everyone,

This is a very relevant topic. I have already opened a support case on this matter regarding Python and other standard or widely used software.

We also have Microsoft Defender Vulnerability Management enabled on all our Windows 11 clients, as well as on many RHEL and Windows Server systems. This allows me to directly compare the results of these two security solutions.

Finding:
Python (3.1.0.0) → 42 CVEs
Proof from MS Defender: C:\Program Files\Python311\python.exe
Rapid7 also detects this application:

However, it does not check which vulnerabilities are associated with the installed Python version. In my opinion, this is a missed opportunity.

And yes, we have installed the Rapid7 Insight Agent on all Windows 11 clients.

What I have to do now is to also create a Power BI dashboard with Microsoft Defender data, to get a better picture of our vulnerability landscape.

I really hope that Rapid7 will take this seriously, because it is getting harder and harder to explain to management why we have two vulnerability management systems.

2 Likes

Please be aware that the Tenable website will also show results for CVEs that they do not have coverage for either. These results show up in their Analytics section, which lives below the Plugins section of their website. I’ve seen this lead to some confusion as to whether a search result hit on the Tenable website means there is a plugin for it.

For example, with CVE-2026-4681, it appears that you linked us to the Tenable Analytics page for that CVE. If you drill into that CVE and then click on the plugin tab for that CVE, you’ll see that they don’t have coverage for it either. I get around this by always starting my search under the plugins search, rather than the analytics search, when trying to compare coverages.

I hope this helps to clear up at least some of your concerns around coverage gaps.

Thanks!

R-

1 Like

The lack of coverage for Microsoft .NET software (SDKs and runtimes) is surprising given its ubiquity and frequent security updates. Note, this is different to the Microsoft .NET Framework, which is covered.

@Dave’s comment of explaining to management “why we have two vulnerability management systems” particularly hits home; we have had to supplement InsightVM with Tenable One in order to meet compliance requirements for software patching, due to its more extensive coverage and speed of updates.

1 Like

Hi Robert,

Thanks for the update. Yes, I missed out on this one, but it does not change the fact that Rapid7 is still not able to detect this vulnerability. It would also be great if we could upload custom checks to the cloud platform, so that if R7 is unable to detect something, we can. Or implement community checks so we can verify software versions, or fix vulnerabilities like the Microsoft Windows 10 EOL check, which does not verify whether the version has ESU. Another example is the issue @Dave mentioned above. You have all the software installed on the hosts, so just implement an early warning system: for example, a notification that you could be vulnerable because the software was detected, followed by the actual check once it is released.

Is this something that could perhaps be maintained in github for ease of access?

There are already products out there which can achieve the "early warning system" functionality.

We need to differentiate: a vulnerability scanner is more of a reactive, after-the-fact alerting mechanism rather than a proactive defense layer. Its primary purpose is to detect gaps in your environment, not to identify exposure the moment a CVE is released. This means that in practice, you will always remain exposed for a period of hours or even days after a vulnerability is published, simply waiting until the scanner completes its next cycle and surfaces the finding.

But just take a look at this https://cvefeed.io/

1 Like

Opened a ticket about WinZip coverage (see @Cyb3r's link to my post above); this was their answer:

“Since WinZip is not currently included in our recurring coverage at this time, this CVE has not been added as of yet. To review the list of our product coverage, you may refer to this link:

Recurring vulnerability coverage for third-party software | Vulnerability Management Documentation”

1 Like

This is a very fair concern, and I agree that this is exactly the kind of visibility customers expect from a modern vulnerability management program.

One important point to call out is that Rapid7’s direction here is not limited to vulnerabilities discovered only by the Insight Agent or traditional authenticated scans. Rapid7 can ingest asset, software, and vulnerability data from multiple third-party sources through CAASM, Surface Command. That means data from tools like Microsoft Defender Vulnerability Management can be brought into Rapid7 and normalized into a vendor-agnostic view of risk across the environment.

From there, Rapid7’s Remediation Hub can help centralize and prioritize vulnerabilities across the broader security stack, rather than forcing teams to manage findings separately in Defender, Rapid7, cloud tools, endpoint tools, and other platforms. The goal is to give security teams one unified place to understand exposure, prioritize remediation, assign ownership, and track progress.

That said, your Python example is a good one. If Rapid7 is detecting the installed application but not associating the relevant CVEs to that detected version, that is absolutely worth raising through Support and Product as a detection coverage gap. Especially for widely deployed software like Python, Java, Node, OpenSSL, browsers, runtimes, and other common packages, customers need consistent version-to-CVE mapping wherever technically possible.

I am also discussing this topic in another discussion post: Win11 24H2 April Security Update/Vuln Issues - #10 by Dave

In our company, I need to find a way to present vulnerability data in a consolidated format that is easy to access and use. We already have many tools in place, and our asset owners are understandably reluctant to use yet another platform just to review their vulnerabilities. That is why we have relied on Power BI from the beginning, since I implemented Rapid7 Nexpose in 2020 and later transitioned to InsightVM.

The Power BI dashboard has been well accepted, and users are familiar with searching for their assets and reviewing their findings there. As mentioned in my other post, I am currently building a new dashboard that incorporates Defender data. At present, the data remains separate, and I am analyzing the gaps between Rapid7 and Defender in detail.

The next logical step is to combine InsightVM and Defender data into a single source of truth. I hope to leverage our internal AI capabilities to make this possible without creating a significant amount of manual work. I am following the same approach for findings from Insight Cloud Security, including host and container vulnerabilities.
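The Rapid7-versus-Defender gap analysis described above, as an added example that is not part of the original thread and not code from either vendor: two constructed exports are normalised to (hostname, CVE) pairs and diffed in both directions, with hostname case and CVE case reconciled since the two tools rarely agree on them. Column names and the export layout are assumptions, not the real InsightVM or Defender schemas.

```python
"""Cross-scanner coverage gap check (added example, not Rapid7 or Microsoft code)."""
import csv
import io
from collections import defaultdict

# Constructed sample: a Defender Vulnerability Management export (assumed columns).
DEFENDER_CSV = """DeviceName,CveId,SoftwareName,SoftwareVersion
client01,CVE-2026-0001,python,3.11.0
client01,CVE-2026-0002,python,3.11.0
client01,CVE-2026-0003,winzip,28.0
server01,CVE-2026-0001,python,3.11.0
"""

# Constructed sample: an InsightVM export for the same assets (assumed columns).
# Note the upper-case hostname: tools often disagree on case, so we normalise.
INSIGHTVM_CSV = """Asset Name,Vulnerability ID,Software
CLIENT01,CVE-2026-0003,winzip
server01,CVE-2026-0001,python
server01,CVE-2026-0009,openssl
"""


def load_findings(csv_text, host_col, cve_col, sw_col):
    """Return {(host, cve): software} with host lower-cased and CVE upper-cased."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = (row[host_col].strip().lower(), row[cve_col].strip().upper())
        findings[key] = row[sw_col].strip().lower()
    return findings


def findings_missing_from(source, other):
    """Findings present in `source` but absent from `other`: per host, and a
    per-software count that points at which product lacks a version-to-CVE check."""
    per_host = defaultdict(list)
    per_software = defaultdict(int)
    for (host, cve), software in sorted(source.items()):
        if (host, cve) not in other:
            per_host[host].append(cve)
            per_software[software] += 1
    return dict(per_host), dict(per_software)


def run():
    defender = load_findings(DEFENDER_CSV, "DeviceName", "CveId", "SoftwareName")
    insightvm = load_findings(INSIGHTVM_CSV, "Asset Name", "Vulnerability ID", "Software")
    return {
        "missing_in_insightvm": findings_missing_from(defender, insightvm),
        "missing_in_defender": findings_missing_from(insightvm, defender),
    }


if __name__ == "__main__":
    for direction, (hosts, software) in run().items():
        print(direction, hosts, software)
```

Feeding real exports in place of the constructed strings gives a per-product tally of where one scanner's version-to-CVE mapping is silent, which is the evidence a support case or IDEA submission needs.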