  1. Red Hat Advanced Cluster Security
  2. ROX-31850

"Days since CVE was first discovered in system" rule not validated correctly

    • Bug
    • Resolution: Unresolved
    • Major
    • 4.9.2, 4.8.7
    • 4.8.4
    • Policy Management
    • None
    • False
    • False
    • Rox Sprint 4.10C, Rox Sprint 4.10D
    • Critical

      USER PROBLEM

      The customer uses the “Days since CVE was first discovered in system” rule in the policy to validate the CVE discovered for the first time in the system. 

      The rule does not work as expected. It used to work as expected in 4.8.2, but does not in 4.8.4.

      Here is the customer example.

      • Today's date: Nov 18, 2025
      • CVE Discovered time in the system: Oct 09, 2025 2:37:30 PM GMT
      • The policy rule is set to trigger with "Days since CVE was first discovered in system" > 30 
      • Violation did not trigger. 

      Observation: The policy did not trigger a violation even though the number of days is > 30.

      CONDITIONS
      What conditions need to exist for a user to be affected? Is it everyone? Is it only those with a specific integration? Is it specific to someone with particular database content? etc.

      • The customer is running ACS 4.8.4 in all environments, so it is affecting everyone.

      ROOT CAUSE
      What is the root cause of the bug?

      • pending

      FIX
      How was the bug fixed (this is more important if a workaround was implemented rather than an actual fix)?

      • pending

              cdu@redhat.com Cong Du
              shanna_chan Pui Chan
              ACS Core Workflows