JULY 15, 2026
In 2025, 48,185 new CVEs were published. That is 132 new vulnerabilities per day. Your patch management process probably addresses somewhere between 10 and 20 percent of the backlog each month. The question is not whether you can patch everything; you cannot. The question is whether the vulnerabilities you are prioritizing are the ones attackers are actually using.
The evidence says no. FIRST’s own research on the Common Vulnerability Scoring System (CVSS) shows that only 2.3% of CVEs scoring 7.0 or above, the threshold most organizations use to define urgent remediation, were observed in actual exploitation attempts over a given month. And in Q1 2025, 28% of exploited vulnerabilities carried only medium CVSS base scores. Organizations using a CVSS-first prioritization model are systematically patching the wrong things first while leaving a quarter of the vulnerabilities attackers are actually using unaddressed.
This is not a critique of CVSS as a scoring system. CVSS does what it was designed to do: measure the theoretical technical severity of a vulnerability in isolation. The problem is that theoretical severity in isolation is not what attackers use to decide what to exploit. They use opportunity, tooling availability, target concentration, and the likelihood of success in real environments. CVSS does not measure any of those things, and using it as the primary prioritization signal produces a systematic mismatch between what your team is fixing and what your adversaries are targeting.
The good news is that better signals exist. EPSS, the CISA KEV catalog, and threat actor activity intelligence each measure dimensions of risk that CVSS cannot, and using them in combination with CVSS reduces urgent prioritization workload by up to 95% while maintaining comprehensive coverage of the vulnerabilities attackers are actually using.
| 2.3% of CVSS 7+ vulnerabilities are observed in actual exploitation attempts (FIRST research) | 28% of exploited vulnerabilities in Q1 2025 carried only medium CVSS scores | 48,185 CVEs published in 2025, a record high, 132 per day | 95% reduction in urgent prioritization workload using KEV + EPSS + CVSS combined (2025 research) |

CVSS, the Common Vulnerability Scoring System, is a standardized framework for rating the severity of security vulnerabilities on a scale from 0.0 to 10.0. It was developed by FIRST (Forum of Incident Response and Security Teams) and is currently in version 4. It is the most widely used vulnerability scoring system in the industry and the primary input to most vulnerability management programs, scanner outputs, and patch prioritization workflows.
The CVSS base score is calculated from a set of metrics that describe the vulnerability’s intrinsic characteristics: how the vulnerability is accessed (network, adjacent, local, physical), what level of privilege is required to exploit it, whether user interaction is needed, whether the impact is confined to the vulnerable component or extends beyond it, and the potential impact on confidentiality, integrity, and availability. The result is a score that reflects how damaging the vulnerability could be if it were successfully exploited under the conditions it was designed for.
That conditional clause is the source of most of CVSS’s practical limitations. The base score measures severity under theoretical conditions. It does not measure the probability that those conditions will be met in the real world, whether exploit code is publicly available, whether attackers are actively targeting the vulnerability, whether the affected component is reachable in any given environment, or whether a threat actor group relevant to your industry has incorporated it into their toolkit.
| What CVSS Measures vs. What Attackers Use to Decide CVSS measures: theoretical maximum impact if exploited under defined conditions, attack vector and complexity, privilege and interaction requirements, scope of impact. Attackers consider: is exploit code publicly available and reliable, is the affected software widely deployed and reachable, is the vendor slow to patch or the user base slow to update, does this vulnerability appear in active campaigns, what is the expected return relative to the effort required. None of the factors attackers actually use appear in the CVSS base score. The score tells you how bad it could be. It does not tell you how likely it is to happen to you. |
The most important limitation of CVSS is the one that matters most operationally: there is no reliable correlation between a high CVSS score and the probability that a vulnerability will be exploited in your environment or any environment.
FIRST’s own research is explicit on this point. Of all CVEs scored at CVSS 7.0 or higher in a given month, only 2.3% were observed in actual exploitation attempts. The other 97.7% were scored as urgent by CVSS but attracted no observable attacker interest. Conversely, vulnerabilities with CVSS scores in the medium range (4.0 to 6.9) are regularly observed in exploitation, including 28% of all exploited vulnerabilities in Q1 2025.
The implication is that a team prioritizing by CVSS score is spending approximately 97% of its urgent remediation effort on vulnerabilities that attackers are not targeting, while systematically deprioritizing a significant fraction of the vulnerabilities attackers are actively using.

Until April 2026, CVSS scores for most CVEs were provided by the National Vulnerability Database (NVD), which enriched CVE records with severity scores, affected product data, and reference links. In April 2026, NVD transitioned to a triage model in response to a 263% surge in CVE submissions between 2020 and 2025. Going forward, only an estimated 15 to 20% of incoming CVEs will receive full NVD enrichment, prioritized by KEV membership, federal government use, and critical software status under US Executive Order 14028.
Approximately 29,000 backlog CVEs were reclassified as Not Scheduled, meaning they will not receive full NVD analysis. For organizations whose vulnerability management pipeline depends on NVD CVSS scores as the primary input, this represents a structural data gap. A significant and growing fraction of published CVEs will arrive in scanner outputs with no NVD-sourced severity score at all.
This is not a temporary backlog problem. It is a permanent change in how the NVD operates, driven by a volume of CVE publication that has simply outpaced the resources available to score everything comprehensively. Programs that have not built alternative prioritization signals into their workflow are now operating on an increasingly incomplete dataset.
| What the NVD Triage Shift Means in Practice If your scanner pulls CVSS scores from NVD and uses them as the primary prioritization input, a growing share of your findings will arrive with no enrichment at all. The vulnerabilities NVD is deprioritizing are not necessarily low-risk; they are simply the ones that do not meet the new triage criteria. A CVE that does not appear in KEV and is not in critical federal software may still be actively exploited by ransomware groups targeting your sector. The operational response is to add EPSS, KEV, and threat actor intelligence as primary signals rather than supplements to CVSS. This is no longer a program maturity enhancement. For NVD-dependent programs, it is a gap fill for data that is no longer arriving. |
A CVSS base score, once assigned, does not change. A vulnerability that had no public exploit code and no observed attacker interest when it was first scored continues to carry the same score years later, even if a reliable exploit is later published, even if it is added to the CISA KEV catalog, and even if ransomware groups begin incorporating it into active campaigns.
This static nature means CVSS cannot reflect the change in a vulnerability’s real-world risk profile over time. CVE-2024-4577, a critical PHP vulnerability, had an EPSS score of approximately 94% within days of disclosure, before NVD had even completed its full analysis and assigned a CVSS score. A team relying on CVSS would have had no signal that this vulnerability was being rapidly weaponized at the moment it mattered most.
The inverse is also true. A vulnerability may carry a high CVSS score assigned at disclosure that never changes, even as the affected software version ages out of widespread use, compensating controls are widely deployed, and attacker interest moves elsewhere. The score is frozen at the moment of theoretical maximum risk, regardless of how that risk has evolved.
Research published in 2025 identified a counterintuitive finding in vulnerability management data: vulnerabilities with a high probability of exploitation (EPSS above 0.7) carried a higher average remediation time of 109 days, while vulnerabilities with a low exploitation probability were fixed in an average of 76 days. Teams are systematically patching low-risk vulnerabilities faster than high-risk ones.
This is not irrational behavior. It is the predictable outcome of using CVSS severity as the primary queue signal. Low-risk vulnerabilities that happen to score high in CVSS get fast-tracked through patch cycles. High-risk vulnerabilities that score medium in CVSS wait in the standard queue. The queue is optimized for CVSS severity, not for attacker behavior, and the result is a remediation pattern that is the inverse of what actual risk would suggest.

The CISA KEV catalog is the most operationally reliable prioritization signal available. It is a curated list of vulnerabilities for which CISA has confirmed evidence of active exploitation in the wild. As of mid-2026, the catalog contains 1,484 entries representing confirmed, real-world attacker activity rather than theoretical risk assessments.
Every vulnerability in the KEV catalog has been actively exploited. That is not a prediction or a probability. It is a documented fact. Any organization with a KEV entry in their environment should treat it as an immediate remediation priority regardless of the associated CVSS score. In 2025, approximately 24% of KEV additions were Microsoft vulnerabilities, and 19 of the 59 ransomware-flagged KEV additions targeted network security appliances specifically: Ivanti, Fortinet, Citrix, Palo Alto, and Zimbra products deployed at the perimeter.
The KEV catalog’s limitation is its retrospective nature: a vulnerability must already have been observed in exploitation before it can be added. It catches confirmed threats, not emerging ones. This is why KEV should be used as the first and highest-priority filter rather than the only filter.
| Metric | What It Confirms | Limitation |
| CVSS Base Score | Theoretical maximum severity under defined attack conditions | No exploitation probability, no real-world attacker behavior signal, static after assignment |
| CISA KEV | Active exploitation has been confirmed in the wild by CISA; the vulnerability is being used by attackers right now | Retrospective: requires confirmed exploitation before listing; does not predict emerging threats |
| EPSS | Machine learning estimate of the probability that the vulnerability will be exploited within 30 days, updated daily | Global prediction: does not account for your specific environment, compensating controls, or asset reachability |
| Threat actor activity intelligence | Specific threat groups relevant to your sector and technology stack are actively using or preparing to use this vulnerability | Requires ongoing threat intelligence monitoring; cannot be derived from scanner output alone |
EPSS is a machine learning model maintained by FIRST that estimates the probability a given CVE will be exploited in the wild within the next 30 days. EPSS v4, released in March 2025, achieves a ROC AUC of 0.838, meaning it is significantly better than chance at predicting which vulnerabilities will see real exploitation activity. The model is trained on exploitation telemetry from IDS and IPS systems, exploit code published on GitHub, dark web forum activity, proof-of-concept demonstrations, and CISA KEV additions.
EPSS outputs both a probability score between 0 and 1 and a percentile ranking against all other scored CVEs. The percentile is operationally important: an EPSS score of 0.1 (10% probability) sounds low in absolute terms, but if it places the vulnerability in the 95th percentile of all CVEs, it means this vulnerability is more likely to be exploited than 95% of all other known vulnerabilities.
The practical workflow that most mature vulnerability programs have converged on in 2026 is: triage by KEV first (binary, confirmed exploitation signal), then by EPSS percentile (probabilistic, focused on the top 1 to 5% of the distribution for zero-day-equivalent urgency), and use CVSS only as a tiebreaker within those filtered sets. This approach reduces the urgent queue from roughly 16,000 vulnerabilities (the CVSS 7+ set) to approximately 850 with actual evidence of exploitation or high exploitation probability, while maintaining comprehensive coverage of the threats attackers are using.
| EPSS in Practice: What the Numbers Look Like CVE-2024-0646 in the Linux kernel had a CVSS score of 7.0 (High) but an EPSS score of 0.04%. Exploitation requires local access and specialized conditions; it attracted essentially no attacker interest. A CVSS-first queue treats this as urgent. EPSS correctly identifies it as low probability. CVE-2024-4577, a critical PHP vulnerability, had an EPSS score of approximately 94% within days of disclosure before NVD had completed its CVSS analysis. A CVSS-first queue had no signal. EPSS flagged it as a top-1% exploitation priority immediately. CVE-2023-48795, a vulnerability with a CVSS score of 5.9 (medium), showed high EPSS probability of exploitation within 30 days at the time of publication. A team using CVSS only would have placed it in the standard remediation queue. EPSS correctly surfaced it as an elevated-priority item. |
EPSS and KEV both operate at the global, internet-scale level. They tell you what attackers across the internet are doing with a given vulnerability. Threat actor activity intelligence adds the dimension that neither provides: which threat groups are relevant to your specific sector, geographic region, and technology stack, and which vulnerabilities they are actively incorporating into their campaigns.
A vulnerability actively used by a threat actor group known to target financial services organizations in the EMEA region is a different priority for a bank in Germany than the same vulnerability is for a logistics company in Southeast Asia, even if both organizations see the same CVSS score and EPSS probability. Threat actor intelligence contextualizes the global signal to your specific threat landscape.
This signal also provides the earliest warning of emerging exploitation. Dark web forums and underground channels frequently surface discussions of vulnerability exploitation, initial access broker listings that reference specific CVEs, and ransomware group technical exchanges about new tools and techniques days or weeks before those activities appear in KEV or produce measurable EPSS movement. For organizations with access to this intelligence, it represents the forward-looking signal that both CVSS and KEV cannot provide.
The most effective vulnerability prioritization framework combines all four signals into a decision sequence that mirrors attacker decision-making rather than theoretical severity. The goal is to answer four questions about each vulnerability in your queue before deciding its remediation priority.
| Triage Layer | Question | Signal Used | Action if Yes |
| Layer 1: Confirmed exploitation | Is this vulnerability in the CISA KEV catalog? | CISA KEV | Immediate remediation regardless of CVSS score. This is an actively exploited vulnerability. |
| Layer 2: High exploitation probability | Is this vulnerability in the top 1 to 5% of EPSS percentile scores? | EPSS percentile | Zero-day equivalent urgency. Treat as KEV-adjacent and fast-track remediation. |
| Layer 3: Threat actor targeting | Is a threat actor relevant to your sector or technology stack actively using this vulnerability in campaigns? | Threat actor activity intelligence | Elevate in queue even if EPSS and KEV status do not indicate it. Sector-specific intelligence overrides global signals for your environment. |
| Layer 4: Severity and context | What is the CVSS score and is the affected asset reachable from your network perimeter or accessible with current privilege levels? | CVSS + asset context | Use as tiebreaker within filtered sets and for scheduling remediation within priority tiers, not as the primary queue driver. |
Vulnerabilities that do not meet any of the first three criteria can be addressed on a standard remediation schedule. Vulnerabilities that meet one or more criteria move to the fast-track queue regardless of their CVSS score. This is the practical implementation of what the research literature refers to as vulnerability management chaining, and the efficiency gains are not marginal: the transition from a CVSS-only queue to a chained model reduces the urgent set by up to 95% while maintaining coverage of the threats that matter.
| CVE | CVSS Score | EPSS / KEV Status | What Actually Happened | CVSS Verdict vs. Reality |
| CVE-2024-4577 (PHP) | Critical | EPSS ~94% within days; subsequently KEV listed | Rapidly weaponized; active exploitation within days of disclosure before NVD analysis was complete | CVSS would have been correct but arrived late. EPSS surfaced it immediately. |
| CVE-2024-0646 (Linux kernel) | 7.0 High | EPSS 0.04%; not in KEV | Required local access and specialized conditions; attracted essentially no attacker interest | CVSS overestimates urgency. EPSS correctly identifies as low probability. |
| CVE-2023-48795 (network protocol) | 5.9 Medium | EPSS high probability at disclosure; not immediately in KEV | Widely exploited despite medium CVSS; network protocol vulnerability with broad applicability | CVSS deprioritizes. EPSS and threat intel correctly surface as elevated risk. |
| CVE-2024-6387 (OpenSSH regreSSHion) | High (not Critical) | EPSS high; KEV listed; ransomware flagged | Remote code execution as root on an ubiquitous protocol; treated as P0 by every informed program | CVSS understates urgency due to High rather than Critical classification. KEV and EPSS correct for this. |
| CVE-2024-38812 (VMware vCenter) | 9.8 Critical | KEV listed November 2024; multiple exploitation waves | Initial patch incomplete; re-patched; continued exploitation; CISA added to KEV | CVSS correctly identifies high severity. KEV confirms active exploitation. Both signals align. |
Brandefense’s threat intelligence capabilities address the signal gap that CVSS and even EPSS cannot fill: the specific threat actor activity that contextualizes global vulnerability data to your sector, your technology stack, and your threat landscape.
| Capability | How It Improves Vulnerability Prioritization |
| Threat actor vulnerability tracking | Monitors dark web forums, underground channels, and threat actor communications for discussions of specific CVEs, new exploit tooling, and active campaign preparation relevant to your sector |
| Ransomware group technique intelligence | Tracks which CVEs are being incorporated into active ransomware campaign toolkits, providing early warning that a vulnerability is being weaponized before it appears in KEV |
| Initial access broker (IAB) intelligence | Identifies IAB listings that reference specific vulnerabilities as the entry point for the network access being sold, providing direct evidence that a CVE is being actively exploited for initial access |
| Sector-specific threat profiling | Filters global vulnerability exploitation signals through your specific sector and geographic exposure, surfacing the vulnerabilities most relevant to your threat landscape rather than the internet as a whole |
| Dark web CVE monitoring | Tracks proof-of-concept exploit code, exploitation guides, and technical discussions related to newly disclosed vulnerabilities in underground markets before those discussions translate to measurable EPSS movement |
| External attack surface context | Correlates vulnerability intelligence with your external attack surface to identify which CVEs affect assets that are actually reachable from the internet, adding the reachability context that neither CVSS nor EPSS provides |
| RELATED READING From Disclosure to Exploit: https://brandefense.io/blog/disclosure-to-exploit-speed/ : how fast vulnerabilities move from disclosure to active weaponization in 2026 The 5-Day Breakout: https://brandefense.io/blog/breakout-time-vs-dwell-time/ : the operational timeline that gives context to why vulnerability prioritization speed matters |

Take control of your digital security with an exclusive demo of our powerful threat management platform.