All Products
Search
Document Center

Elastic Compute Service:Fix high-risk vulnerabilities

Last Updated:May 15, 2026

Patch high-risk vulnerabilities on your ECS instances promptly to prevent exploits such as privilege escalation and remote code execution.

Important

After vendors release patches, malicious actors quickly develop exploits from the patch details. Apply patches as soon as they become available.

Prerequisites

Ensure that you have:

Monitor vulnerabilities

After you enable host security protection, Security Center continuously detects known vulnerabilities on your servers and applications. By default, scans run every two days.

Set up alert notifications

Configure Notification Settings in Security Center to receive alerts when vulnerabilities are detected.

Check security notices

Regularly check Alibaba Cloud Security notices for the latest vulnerability details and recommended patches.

View scan results

  1. Log on to the Security Center console.

  2. In the left-side navigation pane, choose Risk Management > Vulnerabilities. Select the region of the target asset.

  3. On the Vulnerabilities page, run a manual scan or configure automatic scans.

Fix vulnerabilities

Vulnerability fixing is a paid Security Center feature. Enable vulnerability fixing, then fix detected vulnerabilities.

Important

Set the Snapshot Retention Period to create a snapshot before patching. This allows you to roll back if a patch causes issues.

Console

  1. Log on to the Security Center console.

  2. In the left-side navigation pane, choose Risk Management > Vulnerabilities. Click the number under High-priority Vulnerabilities (CVE). Find vulnerabilities with a status of Unfixed and a severity of High.

  3. In the Actions column, click Fix. Set the Snapshot Retention Period, then click Fix Now > OK.

  4. After the fix task runs, the vulnerability status changes to Fixing.

Verify the fix

After the fix completes, click Verify or wait for the next scan cycle. Confirm that the status changes to Handled or the vulnerability no longer appears. If the fix fails, troubleshoot based on the error details.

API

See Vulnerability fixing for all vulnerability management API operations.

Check compliance posture

Use CSPM to identify ECS instances with unpatched high-risk vulnerabilities.

  1. Log on to the Security Center console.

  2. In the left-side navigation pane, choose Risk Management > CSPM. Click the Cloud Service Configuration Risk tab, find Computers with unpatched high-risk system vulnerabilities, and click Scan in the Operation column.

  3. If the status is Not Passed, unpatched high-risk vulnerabilities exist. Click Details to view affected instances.

See Cloud Security Posture Management overview.