Vulnerability Intelligence & Exploit Analysis | Beyond CVSS

[Image: SOC dashboard comparing CVSS vulnerability severity with EPSS and CISA KEV exploitation signals]

The Vulnerability Backlog Isn’t a Backlog: It’s a Broken Decision Model

Audience: Vulnerability Managers, Security Operations, CISOs, DevSecOps Teams
Reading Time: Approximately 15 minutes

CVSS-based prioritisation is not a flawed tool that needs tuning. It is a broken decision model, and the NVD's April 2026 triage announcement made that official.

132 CVEs land every day. Your team remediates 10-15% of the backlog monthly. The math doesn't work. It never will.

Only about 2.3% of the CVEs that CVSS rates High or Critical ever see exploitation attempts, yet that band covers 57% of all published vulnerabilities. Teams burn engineering cycles on theoretical Critical bugs in isolated test environments while internet-facing Medium-severity vulnerabilities sit exposed to active campaigns.

The solution exists: EPSS + KEV + asset reachability delivers 14-18x efficiency gains while maintaining 85%+ threat coverage. The barrier isn't tooling. It's the organisational courage to abandon a prioritisation framework that stopped working years ago.

 

48,185 vulnerabilities published in 2025. 132 new CVEs every single day.

Your team's response: chase CVSS scores, patch everything marked Critical, burn out trying to close a gap that widens faster than you can move.

The math stopped working years ago.

The numbers expose the structural impossibility:

→ Remediation capacity: 10-15% of backlog per month

→ CVE growth rate: 20.6% year-over-year (2024 saw a 38% surge; the 2025 rate is lower but still compounds an already unmanageable baseline)

→ CVSS coverage requirement: High/Critical flags 57% of all CVEs, yet only a small fraction of that band is ever exploited, and a meaningful share of what attackers do exploit (28% of exploited CVEs, by the figures below) sits in the Medium band it ignores

More threats arrive daily than you can address monthly.

You're working harder on the wrong problems.

 


 

The Problem: CVSS-Based Prioritisation Creates Systematic Misalignment

CVSS severity scores fail at the job they have been given: predicting exploitation. Strictly, they were never designed for it. A base score measures the technical characteristics of a vulnerability, not whether anyone is exploiting it. The failure is in treating severity as if it were likelihood.

Only 2.3% of CVSS 7+ vulnerabilities see actual exploitation attempts. Meanwhile, 28% of exploited CVEs carry only Medium scores.

The metric driving your remediation decisions is a weak predictor of what attackers actually go after.

The cost of this misalignment compounds daily.

Teams spend weeks patching theoretical Critical vulnerabilities in isolated development environments while internet-facing assets with Medium-severity bugs sit exposed to active exploitation campaigns.

The prioritisation model itself is the vulnerability.

Attackers operate on different timelines:

32% of vulnerabilities exploited in 2025 were leveraged at or before public disclosure. Among CISA KEV additions specifically, over 28% had confirmed exploitation evidence within 24 hours of CVE publication, often before a patch existed.

Research consistently shows that a significant proportion of CISA KEV vulnerabilities remain unpatched more than 55 days after fixes become available, a window that threat actors actively exploit.

You're fighting yesterday's threat model with last decade's prioritisation framework.

 


 

Recommended Operating Model: EPSS + KEV + Reachability Integration

The fix isn't patching faster. It's deciding smarter.

Three data sources intersect to expose real risk:

1. EPSS (Exploit Prediction Scoring System)

A machine-learning model, maintained by FIRST, that estimates the probability that a CVE will see exploitation activity in the next 30 days. At a threshold of 0.088, EPSS v3 achieves approximately 82% coverage of exploited CVEs while requiring remediation of only 7.3% of all published CVEs. A CVSS High/Critical strategy buys roughly the same coverage but demands patching 58.1% of all CVEs. The efficiency gain is not marginal. It is structural. This isn't theoretical severity; it's predictive intelligence trained on observed attacker behaviour.

Important caveat: EPSS works best as a combined signal, not a standalone one. Because the model learns from observed exploitation activity, the research cited here finds that scores often move significantly only after exploitation has been confirmed, so EPSS performs strongest when layered with KEV. Teams that rely on EPSS alone are still reactive. The integrated model (KEV confirming exploitation, EPSS flagging probability, reachability defining your specific exposure) is the approach that closes the gap between what the data knows and what your environment actually faces.

2. CISA KEV (Known Exploited Vulnerabilities)

A catalogue of vulnerabilities with confirmed active exploitation. 2025 additions: 245 new entries (total: 1,484 KEVs).

Network appliances: 35% of additions

Microsoft: 54 KEVs

Cisco: 28 KEVs

Fortinet: 22 KEVs

Critical insight: 81% of CVEs first exploited in 2025 were disclosed before 2025. Attackers favour known, proven attack paths.

3. Asset Reachability

Records whether a vulnerable system is internet-facing or isolated, and therefore whether an attacker can reach it at all. Five internet-facing Medium bugs can outrank fifty Critical bugs in isolated test environments. Exposure transforms theoretical risk into operational threat.

The integration delivers measurable efficiency gains.

 


 

14-18x Efficiency Improvement Through Vulnerability Management Chaining

Vulnerability Management Chaining (an integrated decision tree: KEV + EPSS + CVSS) delivers 14-18x efficiency improvements while maintaining 85%+ threat coverage, according to a 2025 research framework (Shimizu and Hashimoto, Kagawa University, arXiv preprint).

Performance metrics:

→ 95% workload reduction: from 16,000 to 850 urgent vulnerabilities (figures from the modelled enterprise environment in the chaining research; your baseline will vary, but the directional gain is consistent across environments)

→ 57 additional exploited CVEs identified that neither KEV nor EPSS captures on its own

→ 85%+ threat coverage maintained across the integrated model

This is what strategic resource allocation looks like when you operate from real threat intelligence instead of theoretical severity.

The framework works because it mirrors attacker decision-making. Threat actors don't target vulnerabilities based on CVSS scores. They target exposed assets with exploitable weaknesses that provide access to valuable systems. The integration approach models that same logic.

Implementation: Three Operational Shifts

1. KEV Above All: Prioritise KEV catalogue membership above CVSS severity. Active exploitation confirmed by CISA makes remediation non-negotiable regardless of CVSS score.

2. EPSS Thresholds: Focus remediation on vulnerabilities with EPSS ≥ 0.088, the threshold the EPSS v3 research found to give the best threat-to-workload trade-off. That number is tied to the v3 score distribution. EPSS v4, released in March 2025, rescored the CVE population, so re-derive the cut-off against your own coverage target rather than copying it.

3. Exposure Weighting: Internet-facing systems with moderate EPSS scores outrank isolated systems with Critical CVSS scores and negligible EPSS.

Outcome: Thousands of vulnerabilities collapse into hundreds of actionable priorities.
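The three shifts above, and the coverage/effort/efficiency comparison from the EPSS section, as one worked example. This is an added illustration, not code from the article or from the chaining research: the findings are constructed sample data with fictional CVE-2099-* identifiers, the tier order follows the article's recommended model, and 0.088 is the EPSS v3 threshold it cites. The "exploited" flag on each finding is ground truth used only to score the strategies against each other.

```python
"""Chained prioritisation (KEV > EPSS > exposure > CVSS) and the coverage,
effort and efficiency metrics used to compare triage strategies.

Added example, not code from the original article or from the cited research.
The findings are constructed sample data (fictional CVE-2099-* identifiers);
the tier ordering follows the article's recommended model and 0.088 is the
EPSS v3 threshold it cites.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

EPSS_THRESHOLD = 0.088  # EPSS v3 cut-off; re-derive for v4 or a different coverage target


@dataclass(frozen=True)
class Finding:
    cve: str
    cvss: float
    epss: Optional[float]    # None = FIRST publishes no score for this CVE
    in_kev: bool
    internet_facing: bool
    exploited: bool = False  # ground truth, used only to evaluate strategies


TIERS = {
    0: "KEV: confirmed exploitation, fix regardless of CVSS",
    1: "EPSS >= threshold on an internet-facing asset",
    2: "EPSS >= threshold on an internal asset",
    3: "CVSS Critical (9.0+) with no exploitation signal",
    4: "Backlog: routine patch cycle",
}


def epss_hit(f: Finding) -> bool:
    # A missing score is 'unknown', not 'safe': never coerce None to 0.0 here.
    return f.epss is not None and f.epss >= EPSS_THRESHOLD


def tier(f: Finding) -> int:
    """The decision tree: KEV above all, then EPSS weighted by exposure, then CVSS."""
    if f.in_kev:
        return 0
    if epss_hit(f):
        return 1 if f.internet_facing else 2
    if f.cvss >= 9.0:
        return 3
    return 4


def prioritise(findings: List[Finding]) -> List[Finding]:
    """Rank by tier; within a tier, exposed assets first, then EPSS, then CVSS."""
    return sorted(
        findings,
        key=lambda f: (tier(f), not f.internet_facing, -(f.epss or 0.0), -f.cvss),
    )


def evaluate(findings: List[Finding], selector: Callable[[Finding], bool]) -> Dict[str, float]:
    """Metrics as defined in the EPSS research:
    effort     = share of all findings the strategy tells you to fix
    coverage   = share of the actually exploited findings it catches
    efficiency = share of what it tells you to fix that was actually exploited
    """
    flagged = [f for f in findings if selector(f)]
    exploited = [f for f in findings if f.exploited]
    caught = [f for f in flagged if f.exploited]
    return {
        "effort": len(flagged) / len(findings),
        "coverage": len(caught) / len(exploited) if exploited else 0.0,
        "efficiency": len(caught) / len(flagged) if flagged else 0.0,
    }


STRATEGIES: Dict[str, Callable[[Finding], bool]] = {
    "cvss_high_critical": lambda f: f.cvss >= 7.0,  # the model the article argues against
    "epss_only": epss_hit,                           # reactive where EPSS lags KEV
    "chained": lambda f: tier(f) <= 2,               # KEV + EPSS + exposure
}

# Constructed sample. Note CVE-2099-0002 (Medium CVSS, in KEV, EPSS still low:
# the KEV-before-EPSS lag) and CVE-2099-0008 (no EPSS score published at all).
SAMPLE = [
    Finding("CVE-2099-0001", 9.8, 0.970, True,  True,  exploited=True),
    Finding("CVE-2099-0002", 6.5, 0.020, True,  True,  exploited=True),
    Finding("CVE-2099-0003", 7.5, 0.120, False, True,  exploited=True),
    Finding("CVE-2099-0004", 5.3, 0.090, False, False),
    Finding("CVE-2099-0005", 9.1, 0.010, False, False),
    Finding("CVE-2099-0006", 9.8, 0.002, False, False),
    Finding("CVE-2099-0007", 7.2, 0.030, False, True),
    Finding("CVE-2099-0008", 4.3, None,  False, True),
    Finding("CVE-2099-0009", 8.8, 0.050, False, False),
    Finding("CVE-2099-0010", 6.1, 0.300, False, True,  exploited=True),
]


def compare(findings: List[Finding]) -> Dict[str, Dict[str, float]]:
    """Score every strategy on the same findings so the trade-off is visible."""
    return {name: evaluate(findings, sel) for name, sel in STRATEGIES.items()}


if __name__ == "__main__":
    for f in prioritise(SAMPLE):
        print(f"tier {tier(f)}  {f.cve}  cvss={f.cvss}  epss={f.epss}  {TIERS[tier(f)]}")
    for name, m in compare(SAMPLE).items():
        print(f"{name:20s} effort={m['effort']:.2f} coverage={m['coverage']:.2f} "
              f"efficiency={m['efficiency']:.2f}")
```

On this sample the CVSS ≥ 7 strategy flags 60% of the findings and still misses half of the exploited ones (both exploited Medium-severity CVEs fall outside it); EPSS alone misses the KEV entry whose score has not yet moved; the chained tree catches all four exploited findings while flagging half the set. The shape of that result, not the exact numbers, is what the research reports at scale.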

 


 

Visibility Gaps and Control Failures

The infrastructure everyone depends on is structurally incomplete.

54,914 CVEs disclosed in 2024-2025 still await full NVD enrichment. While CVSS and CWE coverage exceeded 90 percent, only 57.6 percent of CVEs in 2025 included CPE identifiers: the data points that let tooling match a CVE to a product in an asset inventory.

Your vulnerability management workflow assumes complete, timely data. The assumption is wrong.

The data infrastructure everyone depends on just changed fundamentally. In April 2026, NIST formally moved the NVD to a triage model, declaring all backlogged CVEs with a publish date before March 1, 2026 'Not Scheduled' for enrichment. CVE submissions grew 263% between 2020 and 2025, and NIST could not keep pace. This is not a temporary backlog. It is a structural acknowledgment that centralised CVE enrichment at scale is no longer viable. For security teams, it means automated asset-matching workflows that depend on NVD CPE identifiers are working from an increasingly incomplete dataset, and that gap will widen, not close.

The integration approach compensates for data incompleteness through redundancy. When one signal is missing, the other two still provide decision support. That only holds if a missing signal is treated as unknown: a pipeline that defaults an absent EPSS score to zero, or an absent CPE match to "not affected", quietly converts a data gap into a deprioritisation.

Process Failures: Traditional vulnerability management operates on the assumption of complete, timely data. NVD enrichment delays create blind spots in automated workflows. Without CPE identifiers, anything that relies on NVD applicability data cannot match CVEs to asset inventories; scanners that ship their own detection content are less affected, but every workflow built on the NVD feed inherits the gap. Teams operate with partial intelligence while believing they have complete visibility.

Technology Limitations: Vulnerability scanners detect presence but not exploitability. SIEM rules trigger on severity scores without exploitation context. Asset management systems track inventory but not internet exposure. Each tool provides one dimension of risk while decision-makers need three.

Organisational Weaknesses: Security teams lack authority to deprioritise Critical CVSS vulnerabilities even when the risk is theoretical. Compliance frameworks reinforce CVSS-based metrics. Performance reviews measure patch velocity rather than risk reduction. The organisational structure itself enforces the broken model.

Governance Failures: Vulnerability management policies codify CVSS thresholds without exploitation probability criteria. SLA commitments demand remediation timelines based on severity scores alone. Risk acceptance processes require executive approval for Critical findings but not for internet-facing Medium vulnerabilities with active exploitation.

 


 

Workflow Integration Guidance

For SOC Teams:

Integrate EPSS and KEV data into SIEM alert logic. Escalate vulnerabilities with EPSS ≥ 0.088 or KEV membership regardless of CVSS score. Create detection rules for exploitation attempts against internet-facing assets first. Build hunting queries that correlate vulnerability presence with asset exposure and exploitation indicators. Shift alert thresholds from severity-based to probability-based triggers.

For Vulnerability Management Teams:

Reconfigure scanning workflows to enrich CVE findings with EPSS scores and KEV status immediately after detection. Implement automated asset tagging for internet-facing versus isolated systems. Build prioritisation dashboards that rank vulnerabilities by integrated risk score (KEV > EPSS ≥ 0.088 on exposed assets > EPSS ≥ 0.088 on internal assets > CVSS Critical on isolated systems). Update SLA definitions to reflect exploitation probability rather than severity alone; every KEV entry carries a CISA due date, so treat it as the ceiling for your SLA, not the target.

For Security Engineering:

Deploy automated enrichment pipelines that append EPSS and KEV data to vulnerability records in real time. Build compensating controls for high-EPSS vulnerabilities that cannot be immediately patched. Implement network segmentation to reduce the reachability of critical systems. Create exception workflows that allow deprioritisation of high-CVSS, low-EPSS vulnerabilities with documented risk acceptance.
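The enrichment step that the SOC, vulnerability management and security engineering guidance all depend on, as an added example that is not code from the article, from CISA or from FIRST. It assumes the published layouts of the two feeds: the KEV JSON feed is an object with a "vulnerabilities" array whose entries are keyed by "cveID" and carry "dateAdded", "dueDate" and "knownRansomwareCampaignUse"; the EPSS daily CSV opens with a "#model_version,score_date" comment line followed by cve,epss,percentile rows. Both feeds below are constructed samples in those layouts, the scanner findings are constructed, and the CVE-2099-* identifiers are fictional. Two caveats a pipeline must handle are built in: the EPSS snapshot's score date is kept so stale data is detected, and a CVE with no EPSS row stays "unknown" rather than being scored as zero.

```python
"""Enrich scanner findings with CISA KEV status and FIRST EPSS scores, and
surface the data gaps the enrichment exposes.

Added example, not code from the original article, CISA or FIRST. The two
feeds are constructed samples laid out like the real ones: the KEV JSON feed
(a 'vulnerabilities' array keyed by 'cveID') and the EPSS daily CSV (a
'#model_version,score_date' comment line, then cve,epss,percentile rows).
CVE-2099-* identifiers are fictional.
"""
import csv
import json
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

EPSS_THRESHOLD = 0.088  # EPSS v3 cut-off cited by the article

KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "2025.03.20", "dateReleased": "2025-03-20T15:00:00.0000Z", "count": 2,
    "vulnerabilities": [
        {"cveID": "CVE-2099-0001", "vendorProject": "ExampleCo", "product": "Edge Gateway",
         "vulnerabilityName": "ExampleCo Edge Gateway OS Command Injection",
         "dateAdded": "2025-03-18", "shortDescription": "constructed sample",
         "requiredAction": "Apply mitigations per vendor instructions or discontinue use.",
         "dueDate": "2025-04-08", "knownRansomwareCampaignUse": "Known", "notes": ""},
        {"cveID": "CVE-2099-0002", "vendorProject": "ExampleCo", "product": "Portal",
         "vulnerabilityName": "ExampleCo Portal Authentication Bypass",
         "dateAdded": "2025-03-19", "shortDescription": "constructed sample",
         "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2025-04-09", "knownRansomwareCampaignUse": "Unknown", "notes": ""},
    ],
})

EPSS_CSV = """#model_version:v2025.03.14,score_date:2025-03-20T00:00:00+0000
cve,epss,percentile
CVE-2099-0001,0.94318,0.99812
CVE-2099-0002,0.01204,0.74950
CVE-2099-0003,0.15677,0.95120
CVE-2099-0004,0.00311,0.52030
"""

# Constructed scanner output: CVE-2099-0005 has no EPSS row at all.
SCANNER_FINDINGS = [
    {"cve": "CVE-2099-0001", "asset": "vpn-gw-01", "cvss": 9.8, "internet_facing": True},
    {"cve": "CVE-2099-0002", "asset": "portal-02", "cvss": 6.5, "internet_facing": True},
    {"cve": "CVE-2099-0003", "asset": "api-edge-03", "cvss": 5.4, "internet_facing": True},
    {"cve": "CVE-2099-0004", "asset": "build-agent-07", "cvss": 9.1, "internet_facing": False},
    {"cve": "CVE-2099-0005", "asset": "legacy-app-11", "cvss": 7.5, "internet_facing": False},
]


def load_kev(text: str) -> Dict[str, dict]:
    """Index the KEV feed by CVE ID so membership is a dictionary lookup."""
    return {v["cveID"]: v for v in json.loads(text)["vulnerabilities"]}


def load_epss(text: str) -> Tuple[Dict[str, float], Optional[datetime]]:
    """Parse the EPSS CSV. The comment line's score_date is kept, not skipped:
    scores are republished daily and a stale snapshot silently under-prioritises
    CVEs whose exploitation activity began after the snapshot."""
    score_date = None
    rows: List[str] = []
    for line in text.splitlines():
        if line.startswith("#"):
            for field in line[1:].split(","):
                key, _, value = field.partition(":")  # value itself contains colons
                if key == "score_date":
                    score_date = datetime.strptime(value, "%Y-%m-%dT%H:%M:%S%z")
            continue
        rows.append(line)
    scores = {r["cve"]: float(r["epss"]) for r in csv.DictReader(rows)}
    return scores, score_date


def epss_is_stale(score_date: Optional[datetime], now: datetime, max_age_days: int = 2) -> bool:
    return score_date is None or now - score_date > timedelta(days=max_age_days)


def enrich(findings: List[dict], kev: Dict[str, dict], epss: Dict[str, float]) -> List[dict]:
    """Append KEV/EPSS context and an escalation flag: KEV membership or
    EPSS >= threshold escalates regardless of CVSS (the article's SOC rule)."""
    out = []
    for f in findings:
        entry = kev.get(f["cve"])
        score = epss.get(f["cve"])  # None when FIRST has no score; never default to 0.0
        reasons = []
        if entry:
            reasons.append(f"KEV added {entry['dateAdded']}, due {entry['dueDate']}, "
                           f"ransomware={entry['knownRansomwareCampaignUse']}")
        if score is not None and score >= EPSS_THRESHOLD:
            reasons.append(f"EPSS {score:.3f} >= {EPSS_THRESHOLD}")
        out.append({**f, "in_kev": entry is not None, "epss": score,
                    "escalate": bool(reasons),
                    "reason": "; ".join(reasons) or "no exploitation signal"})
    return out


def missing_epss(enriched: List[dict]) -> List[str]:
    """CVEs the model could not score: decide on KEV and reachability, not a false zero."""
    return [e["cve"] for e in enriched if e["epss"] is None]


if __name__ == "__main__":
    kev = load_kev(KEV_JSON)
    epss, score_date = load_epss(EPSS_CSV)
    if epss_is_stale(score_date, datetime.now(timezone.utc)):
        print(f"WARNING: EPSS snapshot dated {score_date} is stale; refresh before triage")
    enriched = enrich(SCANNER_FINDINGS, kev, epss)
    for e in enriched:
        flag = "ESCALATE" if e["escalate"] else "backlog"
        print(f"{flag:8s} {e['cve']} {e['asset']:15s} cvss={e['cvss']} {e['reason']}")
    print("no EPSS score:", missing_epss(enriched))
```

In production the two constants would be replaced by the downloaded feeds (the KEV JSON from CISA's catalogue page and the EPSS CSV from FIRST), but the parsing and the two caveats are the same. CVE-2099-0002 illustrates the lag the article warns about: it escalates on KEV membership alone while its EPSS score is still below the threshold.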

 

For Security Leadership:

 

Revise vulnerability management policies to codify EPSS + KEV + reachability criteria. Update compliance reporting to demonstrate risk reduction rather than patch velocity. Establish metrics that track percentage of exploited vulnerabilities remediated versus total vulnerabilities closed. Secure organisational authority for security teams to deprioritise Critical CVSS findings when exploitation probability is negligible. Budget for tooling that provides asset exposure visibility and automated EPSS/KEV enrichment.

 


 

Industry Context

Financial Services
→ Operational impact: Internet-facing banking platforms with Medium CVSS vulnerabilities are exploited before Critical internal vulnerabilities are patched
→ Key risks: Customer data exposure, transaction system compromise, regulatory penalties for inadequate risk assessment
→ Recommended focus areas: Prioritise KEV vulnerabilities in customer-facing applications; apply EPSS ≥ 0.088 thresholds to payment processing systems; map reachability for core banking infrastructure

Healthcare
→ Operational impact: Medical device vulnerabilities and patient portal exposures deprioritised because of Medium CVSS ratings while isolated Critical bugs consume remediation resources
→ Key risks: Patient data breaches, medical device exploitation, HIPAA violations, operational disruption to care delivery
→ Recommended focus areas: Apply reachability analysis to patient-facing systems; apply EPSS ≥ 0.088 to internet-connected medical devices; prioritise KEV vulnerabilities in EHR platforms

Manufacturing
→ Operational impact: Industrial control systems and supply chain platforms exposed to exploitation while teams patch isolated enterprise IT systems
→ Key risks: Production disruption, intellectual property theft, supply chain compromise, safety system failures
→ Recommended focus areas: Segment OT networks to reduce reachability; apply EPSS ≥ 0.088 to internet-facing supply chain portals; prioritise KEV vulnerabilities in remote access systems

Technology/SaaS
→ Operational impact: Customer-facing APIs and multi-tenant platforms with exploitable Medium-severity bugs overlooked during Critical internal vulnerability remediation
→ Key risks: Cross-tenant customer data exposure, service availability disruption, competitive intelligence theft, reputational damage
→ Recommended focus areas: Apply EPSS ≥ 0.088 thresholds to public APIs; prioritise KEV vulnerabilities in authentication systems; map reachability for customer data processing infrastructure

Critical Infrastructure
→ Operational impact: SCADA systems and grid management platforms exposed to exploitation while compliance-driven CVSS patching consumes resources
→ Key risks: Service disruption affecting populations, nation-state targeting, cascading infrastructure failures, regulatory enforcement actions
→ Recommended focus areas: Apply reachability analysis to operational technology; apply EPSS ≥ 0.088 to remote monitoring systems; prioritise all KEV vulnerabilities regardless of CVSS score

What Changes When You Stop Chasing CVSS Scores

Resource allocation shifts from compliance theater to risk reduction.

Security teams stop burning cycles on isolated Critical vulnerabilities that will never see exploitation. Engineering capacity redirects toward exposed assets with proven attacker interest. Remediation velocity improves because the urgent queue is hundreds of vulnerabilities, not thousands (850 instead of 16,000 in the modelled environment).

The psychological shift matters as much as the operational one.

Teams move from a defensive posture (trying to patch everything before something breaks) to intelligence-led targeting (addressing specific threats with precision). Burnout decreases when work aligns with impact. Morale improves when effort produces measurable risk reduction.

The broader implication: vulnerability management is transitioning from static assessment to dynamic threat intelligence. CVSS represents the old model: theoretical severity scores assigned at disclosure. EPSS + KEV + reachability represents the new model: continuous exploitation probability updated as attacker behaviour evolves.

Organisations still operating on CVSS-only prioritisation are fighting with obsolete intelligence.

 


 

Further Reading

 

🔗 Vulnerability Management: Operational Risk & Exposure-Based Prioritization

Why read this: This article provides the comprehensive operational framework for implementing exposure-based vulnerability prioritisation at enterprise scale. While the current article demonstrates why CVSS-only models fail and presents the efficiency case for integration, this resource delivers the complete implementation methodology: covering risk modelling, asset classification, exposure mapping, and organisational workflow redesign needed to operationalise EPSS + KEV + reachability decisioning across security teams.

 

🔗 Why Most Patch Programs Fail: CVSS Overload, KEV Lag, and Exposure Blind Spots

Why read this: Most vulnerability programs fail not due to lack of effort, but flawed prioritization logic. This article breaks down how CVSS inflation, delayed KEV response, and lack of exposure context create systemic blind spots and what to change to align patching with real-world exploitation risk.

 

🔗 Operational Threat Intelligence: Practical Guide for Security Teams

Why read this: Prioritization requires context. This guide explains how to integrate threat intelligence into security operations helping teams move from reactive patching to intelligence-driven decision making.

 

🔗 FIRST 2026 Forecast: Record-Breaking 59,000 CVEs Signal "Strategic Shift" for Security Teams (projected)

Why read this: Vulnerability volume is accelerating beyond human-scale prioritization. This analysis explains why record CVE growth forces a shift toward EPSS, KEV, and exposure-based models and how security teams must adapt to avoid being overwhelmed by noise.

 

🔗 MOVEit Mass Exploitation (OFA): KEV Prioritization and Internet-Facing Asset Visibility Failure

Why read this: This analysis shows how a widely exploited vulnerability escalated into a global breach despite clear signals, KEV prioritization, and available patches: highlighting where vulnerability management and asset visibility break down under real-world attack conditions.

 

🔗 CVSS vs EPSS: How to Prioritise Vulnerabilities by Real Exploitation Risk

Why read this: CVSS measures theoretical severity, but EPSS predicts real-world exploitation probability. Learn why modern vulnerability management must combine both to prioritise the risks attackers actually target.

 


 

Hackerstorm Analysis

 

What the industry is underestimating: This isn't a tooling problem. It's a decision-making architecture problem.

 

Organisations have built entire security programmes on the assumption that theoretical severity predicts operational risk. The gap between those two concepts is where breaches happen.

 

The psychological entrenchment problem: Security teams know CVSS-based prioritisation isn't working. They see the backlog growing. They watch exploitation happen on Medium-severity vulnerabilities they deprioritised. But organisational inertia, compliance frameworks, and performance metrics all reinforce the broken model.

 

The path of least resistance is to keep doing what's failing, just faster.

 

Long-term capability gap: As CVE disclosure volume continues 20.6% year-over-year growth, the efficiency differential compounds. Teams operating on CVSS-only models will face exponentially growing backlogs while integrated-model teams maintain stable, manageable workloads focused on actual threats.

 

The real emerging risk: Organisational inability to distinguish signal from noise at scale. When everything is marked Critical, nothing is actually prioritised. When teams burn out chasing compliance metrics instead of reducing risk, the security programme becomes ceremonial rather than functional.

 

What attackers already know: They don't waste cycles on isolated high-CVSS bugs. They target exposed assets with exploitable weaknesses that provide access to valuable systems.

 

The question: How long will organisations continue optimising for a threat model that exists only in compliance checklists while real adversaries operate in an entirely different dimension?

 

The NVD triage announcement in April 2026 removed the last institutional excuse for CVSS-only prioritisation. The database that underpins CVSS enrichment has formally conceded it cannot keep up. If your vulnerability programme still runs on CVSS thresholds alone, it is now operating on a scoring system that its own infrastructure can no longer reliably populate. The framework is not just strategically broken. It is now operationally unsupported.

 

The bottom line: Attackers do not check your compliance logs before they deploy a payload. When you treat a theoretical bug in a sandboxed staging environment with the same urgency as an active campaign hitting an external gateway, you aren't managing risk. You are performing security theater.

 

"The decision tree is available. The data sources exist. The efficiency gains are measurable. What's required now is organizational courage to abandon a framework everyone knows is broken but few have been willing to replace."

 

 


About This Report

 

Attribution Note

This analysis is based on publicly available reporting and security research summaries. Some technical details may change as additional information becomes available. 

 

Author Information

Timur Mehmet | Founder & Lead Editor

Timur is a veteran Information Security professional with a career spanning over three decades. Since the 1990s, he has led security initiatives across high-stakes sectors, including Finance, Telecommunications, Media, and Energy. Professional qualifications over the years have included CISSP, ISO27000 Auditor, ITIL and technologies such as Networking, Operating Systems, PKI, Firewalls. For more information including independent citations and credentials, visit our About page.


 

Editorial Standards

This article adheres to Hackerstorm.com's commitment to accuracy, independence, and transparency:

  • Fact-Checking: All statistics and claims are verified against primary sources and authoritative reports
  • Source Transparency: Original research sources and citations are provided in the References section below
  • No Conflicts of Interest: This analysis is independent and not sponsored by any vendor or organization
  • Corrections Policy: We correct errors promptly and transparently

Editorial Policy: Ethics, Non-Bias, Fact Checking and Corrections



 

Source Transparency

1. Picus Security - "Vulnerability Prioritization: Why CVSS Isn't Enough" (https://www.picussecurity.com/resource/blog/vulnerability-prioritization-why-cvss-isnt-enough)

2. Tamnoon - "Exploit Prediction Scoring System (EPSS)" (https://tamnoon.io/academy/exploit-prediction-scoring-system/)

3. arXiv - "Vulnerability Management Chaining Research" (https://arxiv.org/pdf/2506.01220)

4. CISA Known Exploited Vulnerabilities (KEV) Catalog (https://www.cisa.gov/known-exploited-vulnerabilities-catalog)

5. National Vulnerability Database (NVD) - NIST (https://nvd.nist.gov/)

6. FIRST.org - EPSS Documentation and Scoring Model (https://www.first.org/epss/)

 

 
