Severity scores don’t stop breaches—context does. Real-world data proves vulnerability risk depends on exploitation, exposure, and asset impact, not CVSS alone.
Only 158 out of 39,000+ vulnerabilities are actually exploited in the wild, yet most teams waste time patching based on CVSS scores alone—ignoring the Medium/Low CVEs attackers really use.
For decades, vulnerability management (VM) programs have operated on a compliance-centric model: detect a vulnerability, check its CVSS score, and patch if the score exceeds a certain threshold (typically 7.0 or 9.0).
The traditional way of managing vulnerabilities using CVSS scores is no longer practical because it does not consider the actual risk involved.
A study on over 39,000 CVEs revealed that there is a significant exploitation of medium and low level vulnerabilities by attackers, while a lot of the high and critical CVEs are left unutilized.
Looking at severity alone does not take into consideration if a vulnerability is being exploited, how many people/things are at risk, and whether the asset affected is important or not; this results in areas that can’t be seen and that make it difficult for patch teams.
By using threat intelligence (KEV, ExploitDB, EPSS), exposure in the environment and criticality of the asset, this kind of context-based vulnerability management facilitates prioritized decision-making which cuts through irrelevant data, reduces MTTR by 45-55%, and concentrates remediation efforts on exploitable, exposed vulnerabilities affecting critical assets.
The core issue is the divergence between technical severity and actual risk. Recent analysis of 39,000+ CVEs indicates that while many are labeled "critical" (CVSS 9.0+), only 158 appear in CISA's KEV catalog and 124 have public exploits in ExploitDB—meaning the vast majority pose no immediate threat to specific organizations due to environmental factors, lack of exploit availability, or inapplicability to the attack surface.
Our analysis of 39,000+ vulnerabilities disclosed in 2024, KEV, and ExploitDB data provides a powerful insight: our traditional severity-based approach (fix Critical and High first, park Medium/Low) is no longer aligned with real-world exploitation patterns. The data exposes two uncomfortable truths:
Let’s break down the insights.
The analysis shows:
This is important because KEV does not care about CVSS scores—it is purely exploitation-in-the-wild.
Attackers exploit what is exploitable, not what is “Critical.”
From the comparative analysis:
KEV contains Medium and even Low CVEs
These are the same conditions found in typical Critical RCEs.
Therefore:
A Medium severity CVE with public exploit code + network reachability is higher risk than a High severity CVE that requires local access or complex interaction.
The current approach focuses on:
But analysis proves several problems:
The data shows active exploitation patterns across all severity categories.
Example pattern from the data:
This means attackers can use these weaknesses for initial access, lateral movement, or privilege escalation.
The analysis shows 39,000+ CVEs that do not appear in KEV or ExploitDB.
So blindly focusing on all High/Critical CVEs means:
This is how critical blind spots emerge—teams patch non-exploited Criticals while internet-facing Mediums with public exploits remain unaddressed.
NVD lists 39,355 CVEs in the dataset.
If you try to patch all CVEs:
The data supports that “fix everything” is a mathematically impossible strategy.
Data clearly shows:
These conditions are exactly what attackers need.
Important:
CVSS severity ≠ exploitation likelihood.
Severity tells you impact if exploited, not whether exploitation is likely.
KEV and ExploitDB data fill that gap.
Both KEV and ExploitDB show concentration in:
Attackers go for vulnerabilities that are easy, remote, and require no privileges—regardless of severity.
This pattern is consistent across Critical, High, and Medium CVEs.
The data exposes the limitations of severity-only prioritization:
A better approach should prioritize based on:
This is essentially risk-based vulnerability management, not severity-based patching.
The data leads to an unavoidable conclusion:
To address these limitations, the industry is shifting toward decision-centric frameworks that prioritize action based on context.
RBVM represents a philosophy that prioritizes vulnerabilities based on the risk they pose to the specific organization rather than generic severity. Unlike traditional VM, which measures success by patch counts, RBVM focuses on risk reduction and resilience. It requires the integration of threat intelligence, asset criticality, and exposure analysis to filter out noise.
Developed by the Software Engineering Institute at Carnegie Mellon University, SSVC operationalizes RBVM by rejecting the "one-size-fits-all" approach. SSVC asserts that vulnerability management is a decision-making process, not a math problem. It avoids summing disparate metrics into a single number, instead using decision trees to guide stakeholders (Suppliers, Deployers, and Coordinators) toward a qualitative action: Defer, Scheduled, Out-of-Cycle, or Immediate.
Context-driven VM relies on three primary inputs to triage vulnerabilities effectively: Threat Context, Environmental Context, and Asset Context.
The most critical filter for prioritization is the state of exploitation. SSVC proposes a decision point called Exploitation, which categorizes threats as: None: No evidence of exploitation, PoC: Proof of concept exists (exploit code published but not weaponized) and Active: Reliable evidence of attacks in the wild (confirmed by threat intelligence).
A vulnerability in a software library is only a risk if the vulnerable code path is actually executed and the system is accessible to attackers.
A "critical" vulnerability on an isolated system (Small exposure) often requires a less urgent response than a moderate vulnerability on an internet-facing web server (Open exposure).
The final layer of context is the value of the asset to the organization.
Implementing context requires moving from ad-hoc decisions to structured logic.
Instead of relying on opaque algorithms, SSVC uses transparent decision trees that show exactly how prioritization decisions are made. For a "Deployer" (an organization patching systems), the tree combines the values of Exploitation, Exposure, Utility, and Human Impact to derive a priority—making the logic auditable and explainable.
The transition to context-driven VM is a journey described by the Vulnerability Management Maturity Model (VMMM). Organizations evolve from Level 1 (Reactive)—focusing on basic patching and compliance—to Level 5 (Adaptive), which utilizes real-time risk scoring, predictive analytics, and automated reachability analysis. Pilot studies of organizations moving to higher maturity levels demonstrated significant efficiency gains, including a 40% reduction in average time-to-remediate and a 35% decrease in the overall backlog of vulnerabilities.
CVSS measures theoretical impact if a vulnerability is exploited, not whether it will be exploited. It ignores exploit availability, attacker behavior, asset exposure, and business impact—leading to misaligned priorities.
Yes. KEV and ExploitDB data show Medium and even Low CVEs are actively exploited, especially when they are network-accessible, require low privileges, and need no user interaction.
It’s an approach that prioritizes vulnerabilities using real-world context—threat intelligence, exposure, attack paths, and asset importance—rather than static severity scores.
SSVC avoids reducing risk to a single number. Instead, it uses decision trees to guide stakeholders toward actions like Immediate, Out-of-Cycle, Scheduled, or Defer based on context.
Attack path analysis determines whether a vulnerability is actually reachable in your environment. This alone can reduce vulnerability noise by up to 90%.
No. It ensures Critical vulnerabilities are addressed when they are exploitable, exposed, and relevant, rather than patched blindly.
The way organizations manage vulnerabilities is changing, and static severity scores are no longer enough. Real-world data shows that only a small subset of so-called “critical” vulnerabilities are actually exploited or even reachable in most environments, making the traditional approach increasingly ineffective.
This reality forces a rethink. By using decision-centric frameworks like SSVC and applying attack path analysis, security teams can cut through the noise—often eliminating up to 95% of findings that pose no real risk.
This shift doesn’t mean ignoring high-severity issues. Instead, it allows teams to focus their limited engineering time where it truly matters: on vulnerabilities tied to active threats, exposed systems, and business-critical assets. When vulnerability management is driven by context rather than static scores, it stops being a patching chore and becomes a practical way to strengthen long-term resilience.
Security posture assessment evaluates your organization's overall cybersecurity strength, identifying vulnerabilities and providing a roadmap to enhance your defense against evolving threats.
A major source code leak exposes how routine age-verification selfies for popular apps are feeding a massive government surveillance and reporting machine.
A severe vulnerability in popular Grandstream desk phones gives attackers root access to listen to calls and pivot into corporate networks—highlighting a major blind spot for small businesses.