When Scanners Fail: Why CVE Feeds and VEX Matter More Than Ever

John Amaral
CTO, Co-Founder
Published: Aug 27, 2025
Modern vulnerability management faces a critical blind spot: the lag between when fixes are available and when security scanners recognize them. When specialized remediation providers deliver patches hours ahead of traditional vendor cycles, outdated scanner feeds create a dangerous gap—leaving teams chasing false positives while real threats persist. The recent CVE-2025-48384 incident perfectly illustrates how feed integration choices can determine whether your security posture reflects reality or yesterday's snapshot.
How Scanner Feeds Work (and Don’t)
Every scanner is only as good as the feeds it consumes. MITRE and NVD are the usual baselines. Most scanners also slurp up vendor-specific feeds: Debian, Alpine, AWS, Red Hat, Oracle, Microsoft, you name it. Some even enrich with aggregators like Vulners or OpenCVE.
But here’s the catch: scanner vendors decide, arbitrarily, which feeds to trust and ingest. That choice is customer-demand driven, not threat-driven. That means that when a new player publishes intelligence and remediation (like Root), it doesn’t automatically show up in your scan results — regardless of its relevance or urgency.
The CVE-2025-48384 Case Study
This Git vulnerability was added to CISA’s Known Exploited Vulnerabilities catalog on August 25. Ubuntu shipped fixes same-day. Debian punted: “no-DSA,” no immediate patch.
Root was first to industry with remediated Debian images, patched in hours. We didn’t stop there:
✅ Patched containers, free for anyone at app.root.io
✅ VEX statements proving the CVE is fixed
✅ SBOMs and audit trails for compliance evidence
✅ Code diffs in a public repo (Root CVE Feed)
No black boxes. No waiting for a point release. Just proof, transparency, and working images.
And yet — some scanners still flag this as unfixed.
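The "VEX statements proving the CVE is fixed" point above is the part a scanner has to act on: a finding should be dropped only when a trusted VEX statement says the exact package is fixed or not affected, and kept in every other case. The following is an added example, not code from the original post or from Root; the OpenVEX document and the scanner findings are constructed (field names follow the OpenVEX schema, but the document id, author and the "EXAMPLE-*" package versions are placeholders). It also covers the two edge cases a practitioner needs to get right: a package with no statement stays reported, and a "not_affected" statement with no justification is not trusted.

```python
"""Reconcile scanner findings against an OpenVEX document.

Added example of a minimal VEX-ingestion step that a scanner (or a team
whose scanner lacks VEX support) can run to stop reporting CVEs that a
trusted remediation feed has already fixed. The VEX document and the
findings are constructed; they are not Root's feed or any scanner's output.
"""
import json
from typing import Dict, List, Tuple

# Statuses that mean "do not report this finding". OpenVEX also defines
# "affected" and "under_investigation", which keep the finding visible.
SUPPRESSING_STATUSES = {"fixed", "not_affected"}

# Constructed OpenVEX document. Field names follow the OpenVEX schema;
# the document id, author and package versions are placeholders.
EXAMPLE_VEX = json.loads("""
{
  "@context": "https://openvex.dev/ns/v0.2.0",
  "@id": "https://vex.example.invalid/doc-1",
  "author": "example remediation vendor (constructed)",
  "timestamp": "2025-08-25T12:00:00Z",
  "version": 1,
  "statements": [
    {"vulnerability": {"name": "CVE-2025-48384"},
     "products": [{"@id": "pkg:deb/debian/git@EXAMPLE-ORIGINAL"}],
     "status": "affected"},
    {"vulnerability": {"name": "CVE-2025-48384"},
     "products": [{"@id": "pkg:deb/debian/git@EXAMPLE-PATCHED"}],
     "status": "fixed"},
    {"vulnerability": {"name": "CVE-2025-48384"},
     "products": [{"@id": "pkg:deb/debian/git-doc@EXAMPLE-PATCHED"}],
     "status": "not_affected"}
  ]
}
""")

# Constructed scanner output: one row per (CVE, package) pair.
# "CVE-0000-0000" is a placeholder id for an unrelated finding.
EXAMPLE_FINDINGS = [
    {"cve": "CVE-2025-48384", "purl": "pkg:deb/debian/git@EXAMPLE-PATCHED"},
    {"cve": "CVE-2025-48384", "purl": "pkg:deb/debian/git@EXAMPLE-ORIGINAL"},
    {"cve": "CVE-2025-48384", "purl": "pkg:deb/debian/git@EXAMPLE-UNLISTED"},
    {"cve": "CVE-2025-48384", "purl": "pkg:deb/debian/git-doc@EXAMPLE-PATCHED"},
    {"cve": "CVE-0000-0000", "purl": "pkg:deb/debian/git@EXAMPLE-PATCHED"},
]


def statement_is_usable(stmt: dict) -> bool:
    """Reject statements that lack what a suppression needs.

    OpenVEX requires a "not_affected" statement to say why, via a
    justification or an impact_statement. A bare "not_affected" is not
    evidence, so it is ignored rather than trusted.
    """
    status = stmt.get("status")
    if status == "not_affected":
        return bool(stmt.get("justification") or stmt.get("impact_statement"))
    return status in {"fixed", "affected", "under_investigation"}


def index_vex(vex: dict) -> Dict[Tuple[str, str], str]:
    """Map (CVE, product purl) -> status.

    Later statements override earlier ones for the same pair, matching
    the OpenVEX rule that the most recent statement wins.
    """
    index: Dict[Tuple[str, str], str] = {}
    for stmt in vex.get("statements", []):
        if not statement_is_usable(stmt):
            continue
        cve = stmt["vulnerability"]["name"]
        for product in stmt.get("products", []):
            index[(cve, product["@id"])] = stmt["status"]
    return index


def apply_vex(findings: List[dict], vex: dict) -> Tuple[List[dict], List[dict]]:
    """Split findings into (still_reportable, suppressed_by_vex).

    Only an exact (CVE, purl) match suppresses; an unlisted package keeps
    its finding, because absence from a VEX document is not a claim.
    """
    index = index_vex(vex)
    reportable, suppressed = [], []
    for finding in findings:
        status = index.get((finding["cve"], finding["purl"]))
        if status in SUPPRESSING_STATUSES:
            suppressed.append({**finding, "vex_status": status})
        else:
            reportable.append({**finding, "vex_status": status or "no_statement"})
    return reportable, suppressed


if __name__ == "__main__":
    kept, dropped = apply_vex(EXAMPLE_FINDINGS, EXAMPLE_VEX)
    for row in dropped:
        print(f"suppressed  {row['cve']}  {row['purl']}  ({row['vex_status']})")
    for row in kept:
        print(f"report      {row['cve']}  {row['purl']}  ({row['vex_status']})")
```

Run as a script it prints one suppressed row (the patched git package) and four rows that stay reported. The design choice worth noting is that matching is exact on the purl: a VEX "fixed" claim for one package version says nothing about another version, so the unlisted package and the unrelated CVE remain visible, and the unjustified "not_affected" statement is treated as if it were never made.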
Scanner Ecosystem Snapshot
Let’s give credit where it’s due:
Scanner / Platform | Root Feed Integration | VEX Input Support | Notes
--- | --- | --- | ---
Trivy (OSS) | ✅ Yes | ✅ Yes | Progressive; first to vet and ship Root feed
Aikido | ✅ Yes | ✅ Yes | Integrated Root remediations directly into their UI
Aqua | ✅ Yes (via Trivy) | ✅ Yes | Enterprise users benefit automatically
Sysdig, OX, Orca, Jit | ✅ Yes (via Trivy) | ✅ Yes | Downstream winners, often silently
Most other “big brand” tools | ❌ No | ⚪ Some | Still clueless; customers drowning in false positives
Gov/Compliance scanners | ❌ No | ⚪ Varies | Manual VEX ingestion required
Props to Trivy, Aqua, and Aikido — they did the work, quickly vetted our feed, and shipped it. Their customers (and the downstream adopters) are already covered.
👉 Extra props to Aikido for going the extra mile and surfacing Root remediations directly in their UI — a strong sign of deep interest and leadership.
The rest? Still asleep at the wheel.
It’s Time to Step Up
Root was first to deliver remediation for CVE-2025-48384. Debian shrugged it off. We shipped patched images, SBOMs, VEX, and audit trails in hours — and offered it free so federal agencies and contractors could meet CISA’s KEV deadline.
That’s not marketing spin. That’s protecting U.S. infrastructure.
And yet scanners still don’t recognize the fix because they’ve chosen not to take our feed. They’ll happily ingest NVD, Debian, Red Hat, Alpine, AWS — but ignore Root, even when we’re first with remediation.
Really? In 2025? While CISA is sounding the alarm and adversaries are exploiting this in the wild? False positives aren’t harmless noise. They waste analysts’ time, create compliance gaps, and ultimately help attackers, not defenders.
👉 Scanner vendors: step up. We’ve done the hard work. You have no excuse. Integrate Root’s feed, accept VEX inputs, and show the truth in your dashboards.
Call to Action
Users: If your scanner still flags CVE-2025-48384 as vulnerable, but it’s been patched by Root AVR, ask your vendor: “Do you ingest Root’s CVE feed? Can I import VEX?” If the answer is no, demand better!
Vendors: The path is clear. Root provides patches, VEX, SBOMs, audit trails, and a public feed. Integrating should be table stakes.
Closing Thought
Root is showing what’s possible: automated (agentic) remediation at container speed and OSS scale, transparent proof, and public evidence. If scanners don’t keep pace, they’re failing their customers — and failing the mission to protect critical systems.
The choice is simple: step up, or keep getting in the way.