Key Takeaways
- CVSS measures how severe a vulnerability could theoretically be. It does not measure the actual risk that vulnerability poses to your specific environment and business.
- Only about 2.3% of vulnerabilities rated CVSS 7 or higher are observed in exploitation attempts in a given month. Prioritizing by score alone misdirects most of your remediation effort.
- In Q1 2025, 28% of actively exploited vulnerabilities had only medium CVSS scores. Skipping medium-rated findings because they do not hit your severity threshold is a real gap.
- Real risk prioritization requires combining CVSS with KEV status, EPSS probability, asset criticality, and network reachability. Score alone cannot give you any of that.
- With 48,185 CVEs published in 2025 and a median exploit time under five days, the organizations that work from risk context are responding to the right threats. The ones chasing scores are mostly patching problems nobody is trying to exploit.
Stop Patching by Score. Start Patching by Risk.
Your scanner just returned 300 critical vulnerabilities. You have time and resources to fix maybe 20 this week. The CVSS score tells you which ones look the worst on paper. It does not tell you which ones will actually hurt your business if left open.
That gap is where most vulnerability programs fall apart.
What CVSS Was Built to Do and What It Was Never Designed to Do
CVSS Measures Severity, Not Risk
CVSS stands for Common Vulnerability Scoring System. It assigns a number from 0 to 10 based on how bad a vulnerability could theoretically be, covering things like how easy it is to exploit, whether it needs special access, and how much damage it could cause. It was designed as a shared language for describing severity, not as a tool for deciding what to fix first.
NIST makes this plain in its own documentation: CVSS is not a measure of risk. That is not a technicality. It is a fundamental design limit that most security teams work around daily without realizing it.
The Base Score Assumes the Worst Possible Environment
Every CVSS Base score is calculated assuming a worst-case scenario. It assumes your vulnerable system is reachable, unprotected, and sitting in the most exposed position possible. That assumption is almost never true in practice. A vulnerability rated 9.8 on a server with no internet access, inside a network segment nobody touches, carries completely different risk than a 6.5 on a public-facing login page.
CVSS measures technical severity, not business risk. A high-scoring vulnerability, such as one rated 9.8, may exist on an isolated, air-gapped server or within a software library that is never loaded into memory, making the flaw inert.
The Same CVE Gets Different Scores From Different Sources
Here is a problem that does not get talked about enough. Studies have found that more than 40% of CVEs receive different scores when re-evaluated by the same person just nine months later. On top of that, different vendors routinely score the same flaw in completely different ways. One organization may rate a vulnerability as remotely exploitable and Critical. Another reviews the same flaw and calls it locally exploitable and Medium. Both are using CVSS. Both are reaching different conclusions about the same threat.
When you build your entire remediation queue on scores that disagree, you are working from a foundation that was shaky to begin with.
Where the Gap Between Severity and Business Risk Creates Real Problems
Most High-Scoring Vulnerabilities Will Never Be Exploited
This is the number that should change how your team operates. Research from FIRST, the organization that maintains EPSS, found that of all CVEs scored at CVSS 7 or higher (the threshold most organizations use to define high and critical vulnerabilities requiring urgent attention), only 2.3% were actually observed in exploitation attempts over a given month.
Put simply: if your team is chasing every high and critical CVSS score, roughly 97% of that work is on vulnerabilities no attacker is touching right now. That is not a small inefficiency. That is the majority of your remediation effort pointed in the wrong direction.
Medium Scores Are Not Safe to Skip
Security teams following a CVSS-first model usually park medium severity findings and focus on high and critical. The data says that is a mistake. In Q1 2025, 28% of exploited vulnerabilities carried only medium CVSS base scores.
Attackers do not check your severity thresholds before choosing what to exploit. They pick what works. A medium-scored vulnerability with a public exploit and network reachability is more dangerous in the real world than a critical one that requires physical access to trigger.
The Volume Problem Makes Score-Only Prioritization Unworkable
In 2025, 48,185 CVEs were published. Microsoft’s October 2025 Patch Tuesday alone addressed 172 vulnerabilities, including six zero-days. At 131 new CVEs disclosed every day, a team that tries to patch everything rated high or critical is building a backlog that compounds faster than it can be cleared.
Teams that rely on CVSS scores alone are working from delayed, incomplete risk signals. Risk-based prioritization that factors in exploitability, exposure, and asset criticality is the baseline requirement for 2026.
What a Real Risk Score Needs to Include
Asset Criticality and Business Context
Ask yourself: what does this asset do, who depends on it, and what breaks if it gets compromised? A vulnerability on a payment processing database affects revenue, customer trust, and regulatory compliance. The same vulnerability on a test environment that nobody uses affects almost nothing. CVSS scores both identically. Your remediation priority should not.
The business context around an asset is what converts a severity number into a decision. Without it, you are sorting a pile of problems without knowing which ones actually matter to your organization.
Exploitability in the Wild, Not Just in Theory
Two data sources fill the gap CVSS leaves open. CISA’s Known Exploited Vulnerabilities list (KEV) tracks vulnerabilities attackers are actively using in real attacks right now. EPSS (Exploit Prediction Scoring System) estimates the probability of exploitation in the next 30 days. Neither of these cares about your CVSS score. KEV has confirmed Medium CVEs that belong at the top of your queue before most Critical ones.
Research published in 2025 analyzing more than 28,000 CVEs found that combining KEV and EPSS alongside CVSS could reduce the urgent prioritization workload by approximately 95%, from roughly 16,000 vulnerabilities that meet the CVSS 7 or higher threshold down to approximately 850 that have actual evidence of exploitation or high exploitation probability. That is not a small improvement. That is a complete change in how your team spends its time.
Exposure and Reachability
Reachability is one of the most important factors in real risk, and it is not part of the CVSS Base score at all. A vulnerability only matters if an attacker can actually get to it. Network-facing systems with no authentication required are completely different from locally exploitable flaws sitting behind multiple layers of access control.
The median time to exploit a vulnerability is now under five days. If a vulnerability is on an internet-exposed asset and it has a working public exploit, the clock is already running before most teams have even triaged it.
How to Get From CVE to Business Risk in One View
Connect Vulnerability Data to the Asset Behind It
A CVE number by itself tells you almost nothing. You need to know which asset it lives on, what that asset does, who owns it, what data it touches, and what compliance obligations apply to it. That chain of context is what turns a scanner finding into a business decision. Without it, every vulnerability looks roughly the same, and prioritization becomes guesswork.
Layer Exploit Intelligence on Top of Severity
Once you have the asset context, you layer in the intelligence: Is this CVE on the KEV list? What is its EPSS score? Is there a working public exploit? Has it been used in attacks in your industry? These signals narrow the field dramatically. Most of your queue disappears. What stays is a short list of vulnerabilities that are both reachable and genuinely likely to be used against you.
Apply Compliance Timelines to Drive Remediation Accountability
Risk without deadlines is still just a list. Tying remediation to compliance SLAs, such as PCI DSS patching windows or ISO 27001 requirements, forces accountability and prevents high-risk findings from sitting in the queue for months because nobody made them someone’s priority. That is how a vulnerability program stops being reactive.
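The three steps above (asset context, exploit intelligence, compliance deadlines) and the KEV-or-EPSS filter described earlier can be put into one small triage script. The following is an added example, not Secure.com's code or any product's scoring formula: the field names, the weights, the EPSS cutoff, the tier thresholds and the SLA windows are all assumptions chosen for illustration, and the findings are constructed with placeholder CVE ids. It ranks the same four findings two ways, by CVSS alone and by risk, so the 6.5 on an internet-facing payments database ends up above the 9.8 on an isolated test VM.

```python
"""Risk-based triage: combine CVSS with KEV, EPSS, asset criticality and
reachability, then attach an SLA due date to each finding.
Added example, not Secure.com's code. Field names, weights, the EPSS
threshold, tier thresholds and SLA windows are assumptions for illustration."""
from dataclasses import dataclass
from datetime import date, timedelta

EPSS_URGENT = 0.10                                               # assumed cutoff
SLA_DAYS = {"urgent": 7, "high": 30, "medium": 90, "low": 180}   # assumed windows


@dataclass(frozen=True)
class Finding:
    cve: str
    cvss: float           # CVSS base score, 0-10
    epss: float           # EPSS probability of exploitation in 30 days, 0-1
    in_kev: bool          # listed in CISA KEV
    public_exploit: bool  # working exploit publicly available
    asset: str
    criticality: int      # 1 = disposable test box .. 5 = revenue/regulated
    internet_facing: bool
    auth_required: bool   # attacker needs valid credentials to reach the flaw


def exploit_evidence(f: Finding) -> bool:
    """The KEV-or-EPSS filter: keep findings with confirmed exploitation or a
    high estimated probability of it, regardless of CVSS."""
    return f.in_kev or f.epss >= EPSS_URGENT


def risk_score(f: Finding) -> float:
    """Risk = likelihood x reachability x business impact, with CVSS only
    nudging the result. Returns 0-100."""
    likelihood = 1.0 if f.in_kev else f.epss      # KEV = confirmed in the wild
    if f.public_exploit:
        likelihood = max(likelihood, 0.5)          # assumed floor for a public PoC
    reach = 1.0 if f.internet_facing else 0.3      # assumed exposure weights
    if f.auth_required:
        reach *= 0.6
    impact = f.criticality / 5
    severity = 0.5 + 0.5 * f.cvss / 10             # 9.8 vs 6.5 is a small nudge
    return round(100 * likelihood * reach * impact * severity, 2)


def tier(score: float) -> str:
    """Map a risk score to an SLA tier (thresholds assumed)."""
    if score >= 50:
        return "urgent"
    if score >= 20:
        return "high"
    if score >= 5:
        return "medium"
    return "low"


def build_queue(findings, found_on: str):
    """Rank findings by risk; each row carries its tier and SLA due date.
    found_on is an ISO date string, e.g. "2025-01-01"."""
    start = date.fromisoformat(found_on)
    rows = []
    for f in findings:
        s = risk_score(f)
        t = tier(s)
        rows.append({"cve": f.cve, "asset": f.asset, "cvss": f.cvss, "risk": s,
                     "tier": t, "due": start + timedelta(days=SLA_DAYS[t])})
    return sorted(rows, key=lambda r: r["risk"], reverse=True)


def cvss_only_queue(findings):
    """The score-only ordering the article argues against, for comparison."""
    return [f.cve for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


# Constructed sample findings; the CVE ids are placeholders, not real CVEs.
SAMPLE = [
    Finding("CVE-EXAMPLE-1", 9.8, 0.01, False, False, "build-test-vm", 1, False, False),
    Finding("CVE-EXAMPLE-2", 6.5, 0.45, True, True, "payments-db", 5, True, False),
    Finding("CVE-EXAMPLE-3", 9.1, 0.02, False, False, "hr-portal", 3, True, False),
    Finding("CVE-EXAMPLE-4", 7.5, 0.20, False, True, "vpn-gateway", 4, True, False),
]

if __name__ == "__main__":
    print("CVSS-only order:", cvss_only_queue(SAMPLE))
    print("With exploit evidence:", [f.cve for f in SAMPLE if exploit_evidence(f)])
    for row in build_queue(SAMPLE, "2025-01-01"):
        print(f"{row['cve']} {row['asset']:<14} cvss={row['cvss']:<4} "
              f"risk={row['risk']:>6} {row['tier']:<7} due {row['due']}")
```

Run it and the CVSS-only list puts the 9.8 on the test VM first, while the risk queue puts the KEV-listed 6.5 on the payments database first with a seven-day due date and leaves the 9.8 in the low tier. The point of the multiplicative form is that a likelihood near zero or an unreachable asset drives the result toward zero no matter how high the base score is, which is exactly the behavior a score-only sort cannot produce.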
How Secure.com Helps You Prioritize by Risk, Not Just by Score
Most vulnerability tools give you a longer list. Secure.com’s Risk & Governance Teammate gives you a shorter, smarter one based on what actually threatens your business.
- Combines CVSS, KEV, and EPSS to surface the vulnerabilities that are being actively exploited right now
- Links each finding to the asset behind it, including its owner, criticality, and business function
- Sets compliance-driven remediation SLAs based on frameworks like PCI DSS, ISO 27001, and HIPAA
- Automates patching for lower-risk findings and routes critical asset decisions for human review
- Tracks remediation progress and flags SLA breaches before they become audit problems
Conclusion
CVSS is a useful input. It is not a prioritization plan. The organizations treating it as one are spending most of their security budget patching vulnerabilities that no attacker is targeting, while the ones with real exploits stay open because they scored a 6.5 instead of a 9.8.
Getting from CVE to actual business risk takes a few more data points: which asset is this on, is it reachable, is anyone exploiting it right now, and what breaks if it gets hit. Those questions are answerable. They just require more than a score.
That is what Secure.com’s Infrastructure Security Teammate was built to do. Book a demo and see how it connects CVE data to asset context, exploit intelligence, and compliance requirements so your team can act on what actually matters.
FAQs
What is the difference between CVSS severity and vulnerability risk?
CVSS severity measures the technical potential of a vulnerability in a worst-case scenario. Risk is about the actual likelihood and business impact of that vulnerability being exploited in your specific environment, given your assets, your exposure, and the controls you already have in place.
Why do the same CVEs get different CVSS scores from different vendors?
Vendors assess vulnerabilities based on their own deployment context and interpretation of attack conditions. The same flaw can be rated Critical by one organization and Medium by another depending on whether they consider it remotely exploitable or locally exploitable. When scores disagree on something as basic as the attack vector, the whole foundation of a score-only prioritization model becomes unreliable.
What is EPSS and how is it different from CVSS?
EPSS stands for Exploit Prediction Scoring System. It estimates the probability that a specific vulnerability will be exploited in the next 30 days based on real-world threat intelligence. CVSS measures how bad the damage could theoretically be. EPSS measures how likely it is that someone will actually try. Used together, they give a much clearer picture of where to spend remediation time.
What is the CISA KEV list and why does it matter?
The CISA Known Exploited Vulnerabilities list tracks vulnerabilities that are confirmed to be actively used in real attacks. KEV does not care about CVSS scores. A medium severity CVE on KEV should move to the top of your queue before most critical ones that have never been exploited in the wild.
How many new CVEs were published in 2025?
48,185 CVEs were published in 2025, with 131 new ones disclosed every day on average. Manual triage based on severity scores is not a workable model at that volume. Organizations that are keeping pace are doing it with risk-based prioritization, not longer spreadsheets.