A vulnerability scan of a typical SME network delivers dozens, often hundreds of results. Each finding has a CVSS score, and the instinctive reaction is clear: fix the 9.8s and 10.0s first. But is that really the right strategy? Not necessarily. CVSS alone tells only part of the story — and sometimes the less important part.
CVSS: What It Measures and What It Does Not
The Common Vulnerability Scoring System (CVSS) is the de facto standard for rating vulnerabilities. The current version, CVSS 4.0, derives its base score from several metrics:
- Attack Vector: How close must the attacker be? (Network, adjacent, local, physical)
- Attack Complexity: How difficult is exploitation?
- Attack Requirements (new in 4.0): Must conditions outside the attacker's control be met, such as a race condition or a specific configuration?
- Privileges Required: Does the attacker already need credentials?
- User Interaction: Does a user need to actively do something?
- Impact: What damage does exploitation cause? (Confidentiality, integrity, availability; in 4.0 rated separately for the vulnerable system and for subsequent systems it can reach)
CVSS therefore answers the question: “How bad could it be if this vulnerability is exploited?” That is undoubtedly important. But a critical dimension is missing: how likely is it that it will actually be exploited? CVSS does define a metric for this (Exploit Code Maturity in the 3.x temporal group, Exploit Maturity in the 4.0 threat group), but NVD and most scanners publish only the base score, so that metric is almost never reflected in the number that appears in a report.
The Problem with CVSS as the Sole Prioritisation Criterion
Consider a concrete example. The National Vulnerability Database (NVD) currently contains over 64’000 CVEs with a CVSS score of 7.0 or higher — rated as “high” or “critical”. If every vulnerability with CVSS 9.0+ must be fixed immediately, SMEs face an impossible task.
On top of that, there is a statistical problem: only a small fraction of all known vulnerabilities are ever actively exploited. Various studies put the figure at between 2 and 5 percent. This means: for 95 to 98 percent of all CVEs, no exploitation in the wild has ever been observed; they remain theoretical risks.
At the same time, there are vulnerabilities with a “moderate” CVSS score of 6.0 or 7.0 that are massively exploited by threat actors — because they are easily automatable, affect widely used software, or because reliable exploits are publicly available.
Those who prioritise exclusively by CVSS invest time and resources in vulnerabilities that nobody attacks, while actually exploited vulnerabilities with lower scores remain untreated.
EPSS: The Probability of Exploitation
The Exploit Prediction Scoring System (EPSS) is a comparatively new model, developed by FIRST (Forum of Incident Response and Security Teams), that fills exactly the gap CVSS leaves behind. EPSS answers the question: “How likely is it that this vulnerability will be actively exploited in the next 30 days?”
EPSS uses a machine learning model trained on observed exploitation activity. Its inputs include:
- Availability of exploit code (e.g., on GitHub, Exploit-DB, Metasploit)
- Exploitation attempts observed by the model's data partners (honeypot and intrusion detection telemetry)
- Characteristics of the vulnerability (attack vector, complexity, weakness type, affected vendor)
- Prevalence of the affected software
- Age of the vulnerability and historical exploit patterns of similar vulnerabilities
- Current threat intelligence
The result is a probability between 0 and 1 (0% to 100%). An EPSS value of 0.95 means: there is a 95 percent probability that this vulnerability will be exploited by attackers in the next 30 days. A value of 0.001 means: the probability is 0.1 percent. Two practical points: FIRST publishes a percentile alongside each score (how the CVE ranks against all others), which is often the easier number to act on, and scores are recomputed daily, so an EPSS value copied into a report ages quickly.
EPSS in Practice
The distribution of EPSS values is revealing: the vast majority of all CVEs have an EPSS value below 0.1 (10%). Only a small proportion reaches values above 0.5 (50%). This distribution confirms what security researchers have known for years: most vulnerabilities are never exploited.
It becomes interesting when you look at CVSS and EPSS together:
- High CVSS, low EPSS: Theoretically dangerous but practically unlikely. Example: a complex vulnerability in a rarely used function of niche software. CVSS rates the theoretical impact high, but attackers have no incentive to develop an exploit.
- Low CVSS, high EPSS: Theoretically less critical but highly relevant in practice. Example: a cross-site scripting vulnerability (CVSS ~6.0) in a widely used WordPress plugin, for which an automated exploit exists.
- High CVSS, high EPSS: The most urgent cases. Theoretically critical AND actively exploited. These vulnerabilities require immediate action.
- Low CVSS, low EPSS: Lowest priority. Theoretically less critical and not exploited in practice.
CISA KEV: Confirmed, Actively Exploited Vulnerabilities
While EPSS provides a forecast, the Known Exploited Vulnerabilities (KEV) catalogue from the US Cybersecurity and Infrastructure Security Agency (CISA) provides facts: it lists vulnerabilities that are demonstrably being actively exploited by attackers.
The KEV catalogue currently contains over 1’100 vulnerabilities and is regularly updated. For each listed vulnerability, CISA assigns a remediation deadline that is binding for US federal civilian agencies under Binding Operational Directive 22-01, and that serves as a clear reference point for the private sector.
The inclusion criteria are strict:
- The vulnerability must have a CVE identifier
- There must be credible evidence of active exploitation
- A clear remediation action (patch or workaround) must exist
When a vulnerability is listed in the KEV catalogue, the question is no longer “whether” but “how quickly” it must be fixed. The urgency is at its maximum.
The Combination Makes the Difference
Viewed individually, each system has its strengths and weaknesses:
- CVSS assesses the theoretical impact but not the likelihood of exploitation
- EPSS predicts the likelihood of exploitation but not the impact
- KEV confirms active exploitation but only covers a fraction of all vulnerabilities, and it lags by design: a CVE is added only after exploitation has been observed and verified
Only the combination of all three sources produces an intelligent prioritisation that accounts for both impact and real-world threat.
A Practical Prioritisation Model
Based on the combination of CVSS, EPSS, and KEV, a four-tier prioritisation model can be derived. The tiers are checked top-down and the first matching rule wins, so a finding sitting exactly on a threshold (an EPSS of 0.3, say) falls into the less urgent tier, and anything that matches no rule ends up in Priority 4:
Priority 1 — Immediate (within 24-48 hours):
- Listed in the CISA KEV catalogue (regardless of CVSS or EPSS)
- CVSS 9.0+ AND EPSS > 0.5
Priority 2 — Urgent (within 7 days):
- CVSS 7.0+ AND EPSS > 0.3
- CVSS 9.0+ AND EPSS > 0.1
Priority 3 — Planned (within 30 days):
- CVSS 7.0+ AND EPSS < 0.3
- CVSS 4.0-6.9 AND EPSS > 0.1
Priority 4 — Next cycle (within 90 days):
- CVSS < 7.0 AND EPSS < 0.1, plus any finding that matched no higher tier
- Informational findings
This model reduces the workload considerably: instead of having to treat 200 “critical” vulnerabilities simultaneously, the IT team focuses on the 15 to 20 vulnerabilities that actually pose the greatest risk.
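The four tiers above as a runnable triage routine, added here as an illustration and not code from the original page or from any product. The findings it scores are constructed sample data: only CVE-2023-22515 is a real identifier (the article's Example 1); the others are labelled by description instead of a CVE ID, with scores chosen to land in each CVSS/EPSS quadrant. One assumption is made explicit in the code: rules are checked top-down and the first match wins, which settles boundary values such as an EPSS of exactly 0.3.

```python
"""Four-tier prioritisation by CVSS, EPSS and CISA KEV.

Added example for the model described above; not code from the original
page or from any product. The findings in SAMPLE are constructed: only
CVE-2023-22515 is a real identifier, the rest are described by label.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    name: str
    cvss: float            # CVSS base score 0.0-10.0 (0.0 for informational)
    epss: float            # EPSS probability 0.0-1.0
    in_kev: bool           # listed in the CISA KEV catalogue
    informational: bool = False


# Remediation window per tier, in days (the article's four tiers).
WINDOW_DAYS = {1: 2, 2: 7, 3: 30, 4: 90}


def priority(f: Finding) -> int:
    """Return 1 (immediate) .. 4 (next cycle).

    Assumption: rules are checked top-down and the first match wins, so a
    finding on a threshold boundary (e.g. EPSS exactly 0.3) falls into the
    less urgent tier, and anything no rule names lands in tier 4.
    """
    if f.in_kev:                      # confirmed exploitation overrides the scores
        return 1
    if f.informational:
        return 4
    if f.cvss >= 9.0 and f.epss > 0.5:
        return 1
    if f.cvss >= 7.0 and f.epss > 0.3:
        return 2
    if f.cvss >= 9.0 and f.epss > 0.1:
        return 2
    if f.cvss >= 7.0:                 # high/critical with EPSS <= 0.3 (<= 0.1 for 9.0+)
        return 3
    if f.cvss >= 4.0 and f.epss > 0.1:
        return 3
    return 4


def triage(findings):
    """Group findings by tier; within a tier, highest EPSS then highest CVSS
    first, so the top of each bucket is the next thing to patch."""
    ordered = sorted(findings, key=lambda f: (priority(f), -f.epss, -f.cvss))
    buckets = {tier: [] for tier in WINDOW_DAYS}
    for f in ordered:
        buckets[priority(f)].append(f.name)
    return buckets


def cvss_only_critical(findings, threshold=9.0):
    """What a CVSS-only policy would mark 'fix immediately', for comparison."""
    return [f.name for f in findings if f.cvss >= threshold]


# Constructed sample report covering each CVSS/EPSS quadrant.
SAMPLE = [
    Finding("CVE-2023-22515 (Atlassian Confluence)", 9.8, 0.97, in_kev=True),
    Finding("critical RCE, public exploit", 9.8, 0.62, in_kev=False),
    Finding("critical RCE, proof-of-concept only", 9.1, 0.15, in_kev=False),
    Finding("high priv-esc, exploit in Metasploit", 7.8, 0.35, in_kev=False),
    Finding("niche software RCE (Example 2)", 9.4, 0.004, in_kev=False),
    Finding("WordPress plugin XSS (Example 3)", 6.1, 0.71, in_kev=False),
    Finding("low-severity info disclosure", 3.7, 0.02, in_kev=False),
    Finding("TLS version banner", 0.0, 0.0, in_kev=False, informational=True),
]

if __name__ == "__main__":
    for tier, names in triage(SAMPLE).items():
        print(f"Priority {tier} (within {WINDOW_DAYS[tier]} days): {names}")
    print("CVSS-only 'critical':", cvss_only_critical(SAMPLE))
```

Run it directly and compare the four buckets with the CVSS-only list: that list includes the niche-software case with an EPSS of 0.4 percent and omits the WordPress plugin with an EPSS of 71 percent, which is exactly the inversion the model is meant to correct.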
Practical Examples
Example 1: All Indicators Align
CVE-2023-22515 (Atlassian Confluence) — CVSS 9.8, EPSS 0.97, listed in the KEV catalogue. Here, all indicators align: severe vulnerability, almost certainly exploited, confirmed actively attacked. Priority 1, immediate action required.
Example 2: High CVSS but Low Real-World Threat
Some vulnerabilities receive a CVSS score of 9.0 or higher but have an EPSS value below 0.01. Typical for: vulnerabilities in rarely used software, vulnerabilities requiring very specific preconditions, or vulnerabilities for which no exploit code exists. These can be treated as Priority 3 — important but not urgent.
Example 3: Moderate CVSS but Actively Exploited
Vulnerabilities in widely used CMS plugins (WordPress, Joomla) often have CVSS values between 6.0 and 7.5 but are massively attacked through automation because exploit kits are available. EPSS values above 0.5 with “only” a moderate CVSS signal: this finding deserves more attention than the CVSS score would suggest.
MITRE ATT&CK: Understanding the Context
An additional dimension for prioritisation is provided by the MITRE ATT&CK framework. ATT&CK itself catalogues adversary tactics and techniques across the entire attack lifecycle, from initial compromise to data exfiltration; vulnerabilities are not part of the matrix, but a vulnerability can be mapped to the technique its exploitation enables (for example T1190, Exploit Public-Facing Application, under Initial Access).
ATT&CK helps answer questions such as:
- Is this vulnerability used for initial access, or does the attacker already need a presence in the network?
- Which threat actor groups are known to employ this technique?
- What further steps typically follow after exploitation?
If a vulnerability is classified as a technique for “Initial Access” and is used by known ransomware groups, the priority rises regardless of the CVSS score.
Implementation in SME Day-to-Day Operations
The theory sounds convincing — but how does an SME with limited resources practically implement this combined prioritisation?
Manually, it is hardly feasible. CVSS scores appear in the scan report, but EPSS values must be queried separately via the FIRST API, and the KEV catalogue is yet another data source. Manually cross-referencing these three sources for 200 findings is not realistic.
The solution lies in the platform. Modern vulnerability management platforms integrate CVSS, EPSS, and KEV automatically and display a combined risk assessment for each finding. Instead of consulting three different sources, the IT team sees at a glance which vulnerabilities actually have priority.
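What the cross-referencing described above looks like in code, added here as an example and not taken from the page or from any product. The two JSON documents embedded below are constructed samples in the shape of the real feeds (the field names are the feeds' own; the EPSS figure, dates and KEV fields shown for CVE-2023-22515 are illustrative, not live values). The fetch functions call the real FIRST and CISA endpoints but are not invoked, so the example runs offline; the scan findings and host names are likewise made up.

```python
"""Joining scan findings to the FIRST EPSS API and the CISA KEV feed.

Added example; not code from the original page or from any product.
EPSS_SAMPLE and KEV_SAMPLE are constructed responses in the shape of the
real feeds (field names as the feeds use them; numbers and dates are
illustrative). fetch_epss()/fetch_kev() hit the real endpoints and are
left uncalled so the example runs offline.
"""
import json
import urllib.request
from datetime import date

EPSS_URL = "https://api.first.org/data/v1/epss?cve="
KEV_URL = ("https://www.cisa.gov/sites/default/files/feeds/"
           "known_exploited_vulnerabilities.json")

# Constructed sample of a FIRST EPSS API response (scores arrive as strings).
EPSS_SAMPLE = json.dumps({
    "status": "OK", "status-code": 200, "version": "1.0", "access": "public",
    "total": 1, "offset": 0, "limit": 100,
    "data": [{"cve": "CVE-2023-22515", "epss": "0.970000000",
              "percentile": "0.998000000", "date": "2024-03-01"}],
})

# Constructed sample of the KEV JSON feed (one entry, abbreviated).
KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "2024.03.01", "count": 1,
    "vulnerabilities": [{
        "cveID": "CVE-2023-22515", "vendorProject": "Atlassian",
        "product": "Confluence Data Center and Server",
        "dateAdded": "2023-10-05", "dueDate": "2023-10-13",
        "requiredAction": "Apply updates per vendor instructions.",
        "knownRansomwareCampaignUse": "Known",
    }],
})

# Constructed scanner output: one finding with a CVE, one without.
SCAN = [
    {"host": "confluence.example.internal", "cve": "CVE-2023-22515", "cvss": 9.8},
    {"host": "www.example.internal", "cve": None, "cvss": 5.3,
     "title": "TLS 1.0 enabled"},
]


def parse_epss(text):
    """Index an EPSS API response by CVE; epss/percentile are strings in the JSON."""
    doc = json.loads(text)
    if doc.get("status") != "OK":
        raise RuntimeError(f"EPSS API returned status {doc.get('status')!r}")
    return {row["cve"]: {"epss": float(row["epss"]),
                         "percentile": float(row["percentile"]),
                         "date": date.fromisoformat(row["date"])}
            for row in doc["data"]}


def parse_kev(text):
    """Index the KEV catalogue by CVE ID."""
    return {v["cveID"]: v for v in json.loads(text)["vulnerabilities"]}


def fetch_epss(cves, batch=100):
    """Live lookup: the API accepts a comma-separated list; 100 per request
    matches its default page size."""
    merged = {}
    for i in range(0, len(cves), batch):
        url = EPSS_URL + ",".join(cves[i:i + batch])
        with urllib.request.urlopen(url, timeout=30) as resp:
            merged.update(parse_epss(resp.read().decode("utf-8")))
    return merged


def fetch_kev():
    """Live download of the full KEV catalogue."""
    with urllib.request.urlopen(KEV_URL, timeout=60) as resp:
        return parse_kev(resp.read().decode("utf-8"))


def enrich(findings, epss, kev, today, max_age_days=7):
    """Attach EPSS and KEV data to each finding. EPSS is recomputed daily, so
    a score older than max_age_days is flagged stale; a finding without a
    CVE ID cannot be looked up in either source."""
    rows = []
    for f in findings:
        row = dict(f, epss=None, percentile=None, epss_stale=False,
                   in_kev=False, kev_due=None, kev_ransomware=None, note=None)
        cve = f.get("cve")
        if cve is None:
            row["note"] = "no CVE ID: cannot be matched to EPSS or KEV"
            rows.append(row)
            continue
        e = epss.get(cve)
        if e is None:
            row["note"] = "no EPSS score for this CVE"
        else:
            row["epss"], row["percentile"] = e["epss"], e["percentile"]
            row["epss_stale"] = (today - e["date"]).days > max_age_days
        k = kev.get(cve)
        if k is not None:
            row["in_kev"] = True
            row["kev_due"] = date.fromisoformat(k["dueDate"])
            row["kev_ransomware"] = k.get("knownRansomwareCampaignUse")
        rows.append(row)
    return rows


if __name__ == "__main__":
    for row in enrich(SCAN, parse_epss(EPSS_SAMPLE), parse_kev(KEV_SAMPLE),
                      date(2024, 3, 2)):
        print(row)
```

Two details worth noticing: the EPSS API returns numbers as strings, so a naive comparison against a float threshold silently fails unless they are converted, and findings that carry no CVE ID (a large share of scanner output: configuration and protocol checks) cannot be scored by EPSS or matched to KEV at all, so the model needs a separate rule for them.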
Conclusion
CVSS alone is not a sufficient prioritisation criterion. It assesses the theoretical worst case but says nothing about the real-world threat landscape. EPSS adds the likelihood of exploitation, CISA KEV provides confirmed attack data. Only the combination of all three sources enables a prioritisation that deploys limited resources where they achieve the greatest risk reduction.
ExposIQ integrates CVSS, EPSS, and the CISA KEV catalogue directly into the scan results. Each finding is automatically evaluated against all three sources, supplemented by MITRE ATT&CK mapping. This allows you to see at a glance which vulnerabilities are theoretically critical — and which are actually being attacked. Add to that 35+ scan engines, 64’000+ CVEs, 11’700+ Nuclei templates, and 112 exploit validation modules. Hosted in Switzerland, nDSG-compliant, from CHF 99 per month. Learn more at exposiq.ch.