
The CVSS Trap: Stop Chasing Scores And Start Managing Risk

The scan results drop, the dashboard lights up red, and suddenly the entire IT organization is in scramble mode.

Every security team knows the feeling. They start patching everything tagged Critical or High before the next leadership check-in. They do a mad dash, close the tickets, and breathe a sigh of relief.

Then, two weeks later, a Medium-severity vulnerability on an internet-facing asset gets exploited. Nobody prioritized it. The CVSS score didn't demand it.

This is the CVSS trap — and it's costing organizations more than they realize.

"When defenders rely on CVSS alone, they risk investing precious time and resources patching issues that may pose little actual threat ..." — Caroline Wong

CVSS Was Never Meant to Do This

The Common Vulnerability Scoring System was designed as a standardized way to communicate the characteristics and severity of software vulnerabilities. It was built for consistency, not context. A 9.8 CVSS score tells you a vulnerability is theoretically severe. It tells you nothing about whether that vulnerability is being actively exploited in the wild, whether the affected asset is internet-facing, what compensating controls you already have in place, or how critical that system is to your business operations.

As Caroline Wong writes in The AI Cybersecurity Handbook: "When defenders rely on CVSS alone, they risk investing precious time and resources patching issues that may pose little actual threat — while missing the ones that are actively being weaponized. This approach creates a false sense of security and contributes to alert fatigue, burnout, and poor return on remediation efforts."

Burnout and poor ROI aren't side effects of bad vulnerability management — they're symptoms of it. When the process is broken, the people running it pay the price first.

The Numbers Make the Case

The data tells a story that CVSS scores alone never could. According to Expert Insights, more than 40,000 new CVEs were published in 2024 — yet only 768 were confirmed as exploited in the wild, roughly 2% of the total. Organizations are burning cycles triaging tens of thousands of vulnerabilities while attackers are actively weaponizing a fraction of them.

The threat window is also shrinking fast. Zafran Security's research, citing Mandiant, found that the median time from vulnerability disclosure to active exploitation dropped to less than one day in 2024 — down from five days just a year earlier. Defenders have less time to act than ever, which makes prioritizing the right vulnerabilities even more critical.

And here's the data point that should give every security team pause: also per Zafran, 28% of vulnerabilities exploited in Q1 2025 carried only "Medium" base CVSS scores. Not Critical. Not High. Medium — the ones that routinely get pushed down the queue because the number didn't signal urgency. That's not a prioritization strategy. That's a blind spot.

What CVSS Doesn't Know About Your Environment

CVSS scores are calculated in a vacuum. They don't know your network topology, your business context, or your threat landscape. Here's what gets left out:

The Better Framework

Mature vulnerability management programs don't throw out CVSS — they contextualize it. The formula that actually works looks something like this:

CVSS + real-world exploitability + asset criticality + environmental exposure = actual priority

Two tools close the gap CVSS leaves open. EPSS — the Exploit Prediction Scoring System — provides a daily estimate of the probability that a vulnerability will be exploited in the wild within the next 30 days, using machine learning to identify patterns across threat intelligence sources including CISA KEV and Exploit-DB. Think of it as the "is anyone actually coming for this?" layer that CVSS never provided.

CISA's KEV catalog lists vulnerabilities with confirmed evidence of active exploitation in real-world attacks — if a CVE is on the KEV list, it needs immediate attention regardless of its CVSS score. Pairing KEV confirmation, EPSS probability, and your own asset criticality data gives you a prioritization engine grounded in actual risk — not theoretical severity.

That formula gets you closer — but it's still incomplete without the operational layer underneath it. Asset inventory tells you what you're protecting. Reachability tells you whether an attacker can actually get there. Control validation tells you whether your defenses would hold. Service criticality tells you what the business can and can't afford to lose. Without those four inputs, you're still guessing.
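To make the formula concrete, here is an added example (not from the original article) that scores a constructed set of findings with the inputs named above: CVSS base score, EPSS probability, CISA KEV membership, internet exposure and reachability, service criticality, and whether a validated compensating control is in place. The weights, tier cut-offs, asset names and CVE-style identifiers are all assumptions invented for the example; the point is that a Medium-CVSS finding on an exposed, KEV-listed, business-critical asset ends up at the top of the queue while a 9.8 on an isolated lab box ends up at the bottom, which is the opposite of the CVSS-only ordering.

```python
"""Risk-based triage that combines CVSS with EPSS, CISA KEV, exposure and
asset criticality. Weights, tiers and sample findings are illustrative
assumptions for this example, not a published standard."""
from dataclasses import dataclass


@dataclass
class Finding:
    cve: str                 # placeholder ids in SAMPLE below, not real CVEs
    cvss: float              # CVSS base score, 0-10
    epss: float              # EPSS probability of exploitation within 30 days, 0-1
    in_kev: bool             # listed in CISA's Known Exploited Vulnerabilities catalog
    asset: str
    internet_facing: bool    # directly exposed to the internet
    reachable: bool          # an attacker path to the asset exists (reachability analysis)
    criticality: int         # service criticality, 1 (low) to 5 (crown jewel)
    control_mitigated: bool  # a validated compensating control blocks the exploit path


# Illustrative weights (assumption): evidence of exploitation outweighs theoretical severity.
W_CVSS, W_EXPLOIT, W_EXPOSURE, W_CRITICALITY = 0.2, 0.4, 0.2, 0.2


def priority_score(f: Finding) -> float:
    """0-100 score: CVSS + real-world exploitability + asset criticality + exposure."""
    severity = f.cvss / 10.0
    exploitability = 1.0 if f.in_kev else f.epss      # confirmed exploitation beats a prediction
    exposure = 1.0 if f.internet_facing else (0.6 if f.reachable else 0.2)
    criticality = f.criticality / 5.0
    score = 100.0 * (W_CVSS * severity + W_EXPLOIT * exploitability
                     + W_EXPOSURE * exposure + W_CRITICALITY * criticality)
    if f.control_mitigated:
        score *= 0.5   # a validated control halves the score; it does not erase the finding
    return round(score, 1)


def tier(f: Finding) -> str:
    """KEV membership is an override: immediate attention regardless of CVSS."""
    if f.in_kev:
        return "P1"
    s = priority_score(f)
    return "P1" if s >= 60 else "P2" if s >= 40 else "P3"


def rank_by_cvss(findings):
    """The CVSS-only queue the article warns about."""
    return [f.cve for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


def rank_by_risk(findings):
    """The contextualized queue."""
    return [f.cve for f in sorted(findings, key=priority_score, reverse=True)]


# Constructed sample findings: placeholder CVE ids and fictional assets.
SAMPLE = [
    Finding("CVE-0000-0001", 9.8, 0.02, False, "lab-build-server", False, False, 1, False),
    Finding("CVE-0000-0002", 5.3, 0.71, True,  "customer-portal",  True,  True,  5, False),
    Finding("CVE-0000-0003", 8.1, 0.45, False, "hr-database",      False, True,  4, True),
    Finding("CVE-0000-0004", 7.5, 0.05, False, "vpn-gateway",      True,  True,  4, False),
]

if __name__ == "__main__":
    print("CVSS-only queue: ", rank_by_cvss(SAMPLE))
    print("Risk-based queue:", rank_by_risk(SAMPLE))
    for f in sorted(SAMPLE, key=priority_score, reverse=True):
        print(f"{f.cve} cvss={f.cvss:<4} score={priority_score(f):<5} tier={tier(f)} asset={f.asset}")
```

Run as-is, the CVSS-only queue puts the 9.8 lab server first and the 5.3 customer portal last; the risk-based queue reverses that, and the 8.1 on the HR database drops two tiers because a validated control sits in front of it. Swap in real EPSS and KEV feeds and your own asset inventory for the constructed fields and the same structure becomes the prioritization engine the article describes.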

This is the foundation of what Gartner calls Continuous Threat Exposure Management — or CTEM. Rather than treating vulnerability management as a periodic scan-and-patch exercise, CTEM treats exposure reduction as an ongoing, business-aligned program. It asks not just "what's vulnerable?" but "what's exploitable, what's exposed, and what actually matters to this organization right now?" For teams serious about moving beyond score-based prioritization, CTEM is where the conversation needs to go.

The Leadership Problem

Here's the harder conversation. A lot of CVSS-driven remediation isn't just a process failure — it's a communication failure. I've sat across the table from senior leaders who didn't fully understand what a CVSS score actually measured — only that "Critical" and "High" meant something was wrong and they wanted it fixed. That pressure flows downstream fast. Nuance collapses, and teams end up optimizing for closing tickets rather than reducing risk.

This isn't a knock on leadership — it's a systems problem. CVSS scores were never designed to be executive-facing metrics, and yet that's exactly how they get used. A number between 0 and 10 becomes a proxy for urgency, and suddenly the remediation queue is being driven by a metric that was built for technical standardization, not business risk communication.

Fixing this requires IT and security leaders to educate up. That means translating risk in business terms — not just sharing a score, but explaining what exploitability, exposure, and asset criticality actually mean for the organization. That's a harder conversation, but it's the right one. The goal isn't a clean dashboard. The goal is a defensible environment.

Intelligence > Velocity

The volume of new CVEs published annually is insurmountable. No team patches everything. The orgs that win at vulnerability management aren't the ones moving fastest — they're the ones triaging smartest.

Risk reduction is the mission; patch velocity is only a metric. When you let CVSS scores run your remediation queue, you're optimizing for the metric and hoping the mission takes care of itself ... It won't.


Further Reading

Vulnerability management is a deep discipline — and the conversation doesn't stop here. The resources below shaped the thinking behind this article and are worth your time.
