CVE Import Wizard
Applies to: Patch My PC Publisher
Overview
The CVE Import Wizard allows you to bulk match Common Vulnerabilities and Exposures (CVEs) against the Patch My PC catalog to quickly determine whether a fix is available, already published, or unavailable. This feature is commonly used when security teams provide a list of CVE IDs (for example from a vulnerability scanner or audit report) that need to be assessed and remediated.

Important
The CVE Import Wizard can only match CVE IDs that are present in the latest Patch My PC catalog metadata. If a CVE has been fixed in a newer version of an application but is not explicitly referenced in the catalog, it may not appear as Available in the wizard.
Vulnerabilities are often remediated by upgrading to a later version of an application. In some cases, deploying the latest version of a product by enabling it in the product tree may resolve a CVE, even if that CVE is not directly identified or matched by the CVE Import Wizard.
Import a List of CVE IDs
Open the CVE Import Wizard.
Click Browse, and select a .csv or .txt file that contains the CVE IDs you wish to process.

Note
The Publisher runs a regular expression against all columns and rows in the .csv/.txt file to find the well-known CVE ID format, for example CVE-2025-34092.
Click Process.
After processing completes, the table lists all detected CVE IDs, grouped by state:
Available: An update is available within the Patch My PC catalog, but it is not published within your environment yet.
Published: The update is already published to WSUS/ConfigMgr and is available for deployment.
Unavailable: No update is published that contains that CVE ID and there is no update in the Patch My PC catalog matching it.
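
A pre-flight check for the file you plan to import, as an added example (not Patch My PC code). The Publisher's actual pattern is not shown on this page, so the script assumes only the canonical CVE-YYYY-NNNN form is matched and normalizes variants that an export may have mangled. The function names, the sample rows and the CVE-2099-* IDs are constructed for illustration.

```python
import re

# Assumption: only the canonical form CVE-YYYY-NNNN (4+ digit sequence) is
# matched by the import; the Publisher's actual pattern is not documented here.
# SEP also accepts spaces, underscores and Unicode dashes (U+2010..U+2015) so
# that mangled IDs are found and normalized instead of silently dropped.
SEP = r"[ \t_\-\u2010-\u2015]+"
CVE_LOOSE = re.compile(rf"\bCVE{SEP}(\d{{4}}){SEP}(\d{{4,}})\b", re.IGNORECASE)

# Constructed scanner export. CVE-2025-34092 is the ID quoted in the note above;
# the CVE-2099-* IDs are placeholders.
SAMPLE = """\
Host,Plugin,CVE,Notes
srv01,10001,CVE-2025-34092,critical
srv02,10002,"cve-2099-10001, CVE-2025-34092",same finding as srv01
ws17,10003,CVE\u20132099\u201310002,en dashes pasted from a document
ws18,10004,CVE_2099_10003,underscores
ws19,10005,CVE-2099-123,sequence too short to be a CVE ID
"""


def preflight(text):
    """Return (ids, rewritten) for an export passed as one string.

    ids: unique canonical IDs, sorted by year then sequence number.
    rewritten: (line_no, token_as_found, canonical) for every token that was
    not already canonical.
    """
    found, rewritten = set(), []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in CVE_LOOSE.finditer(line):
            year, seq = m.group(1), m.group(2)
            canonical = f"CVE-{year}-{seq}"
            found.add((int(year), int(seq), canonical))
            if m.group(0) != canonical:
                rewritten.append((line_no, m.group(0), canonical))
    return [cve for _, _, cve in sorted(found)], rewritten


def to_import_file(ids):
    """One canonical ID per line, ready to save as a .txt file for the wizard."""
    return "\n".join(ids) + "\n"


if __name__ == "__main__":
    ids, rewritten = preflight(SAMPLE)
    for line_no, token, canonical in rewritten:
        print(f"line {line_no}: {token!r} -> {canonical}")
    print(to_import_file(ids), end="")
```

Comparing the number of IDs this reports with the number the wizard detects in the same file shows whether any rows were skipped because of formatting.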

Grouping Results
When Group By Products is enabled, the CVE Import Wizard organizes detected CVE IDs by vendor, and indicates the number of vulnerabilities by vendor. This view makes it easier to understand which products are responsible for the highest number of CVEs and to prioritize remediation.

Importing Selected Patches
You can either individually select updates that are in an Available state or click the Select All Available button.
Once the desired updates are selected, click Import Selected Patches to publish them immediately. Importing in this context means publishing the selected updates immediately, outside of the normal sync schedule. After clicking this button, a dialog is displayed allowing you to monitor progress in the PatchMyPC.log file.

A confirmation message reports the outcome of the import operation.

The PatchMyPC.log log file indicates that publish on demand was requested.

Important
Even if a product is not enabled in the Updates tab, any update selected in the CVE Import Wizard will be published immediately when Import Selected Patches is clicked.
Importing patches through the CVE Import Wizard does not automatically enable the corresponding product in the Updates tab. If the security team that provided the list of CVE IDs determined that a product should continue to be patched, we recommend enabling the product in the product tree, on the Updates tab, to ensure that future updates for that product are published automatically.
Reporting on Updates Imported
After updates are imported through the CVE Import Wizard, a report is generated based on the Alerts you have configured. Depending on your alert configuration, you may receive notifications via Microsoft Teams, Slack, Email, or a combination of these.
In the example below, both a Teams webhook notification and an email report were received, confirming the updates that were imported.

