A CVSS score is the security industry’s most familiar number. It is also one of the most misused. The Common Vulnerability Scoring System measures the theoretical severity of a vulnerability, the maximum impact an attacker could achieve given the technical characteristics of the flaw. It does not measure how likely that exploitation is to actually occur. Treating CVSS as a real-world risk score, which most organisations still do, produces a patching backlog dominated by impressive-looking 9.x scores while the actually-exploited vulnerabilities get triaged behind them.
The fix is not to abandon CVSS but to combine it with the data sources that fill in what CVSS cannot tell you.
What CVSS actually measures
CVSS, currently at version 4.0 (released October 2023, replacing v3.1), is maintained by FIRST.org and documented at first.org/cvss. The base score combines:
Attack vector: network, adjacent network, local, physical.
Attack complexity: low or high.
Privileges required: none, low, high.
User interaction: required or not.
Scope: whether compromise of this component affects other components.
Impact on confidentiality, integrity and availability: none, low or high for each.
The base score is computed deterministically from these inputs. Most organisations stop there. The full CVSS specification also includes Temporal metrics (exploit availability, remediation level, report confidence) and Environmental metrics (specific to your deployment), neither of which is widely populated.
The structural problem with using the base score for prioritisation is that a vulnerability scored 9.8 because it is a network-reachable unauthenticated remote code execution gets the same score whether anyone is exploiting it (Log4Shell, CVE-2021-44228) or no one is (a typical CVSS-9.8 SSRF in an obscure router model).
What EPSS adds
The Exploit Prediction Scoring System, also maintained by FIRST.org and described at first.org/epss, publishes a daily probability for every CVE indicating the likelihood of observed exploitation in the wild within the next 30 days. EPSS is built from a regression model trained on:
Public exploit code availability (Exploit-DB, Metasploit, GitHub).
Vendor advisories and tags.
Network-level exploitation telemetry (honeypot data, IDS hits aggregated across providers).
Vulnerability metadata (vendor, software, age).
The output is a probability between 0 and 1 and a percentile. The percentile is the more useful of the two: it tells you how this vulnerability ranks against all others.
The EPSS team publishes its methodology in academic papers and an open Cyentia Institute report; the raw data is freely downloadable. The model has measurable predictive value: vulnerabilities with EPSS percentiles above 90 are exploited at orders of magnitude higher rates than those below 50.
What KEV adds
The CISA Known Exploited Vulnerabilities catalogue at cisa.gov/known-exploited-vulnerabilities-catalog is the industry’s authoritative list of vulnerabilities under active exploitation. Inclusion criteria are explicit: a CVE is added when CISA has reliable evidence of in-the-wild exploitation, an assigned CVE ID, and clear remediation guidance.
The KEV is operationally simple. If a CVE is on the KEV, somebody is using it now. As of mid-2026 the catalogue contains roughly 1,200 entries, growing by a handful per week.
For US federal agencies, BOD 22-01 mandates remediation of KEV entries within 14 days of inclusion. For everyone else, the KEV provides the same value: an authoritative answer to "is this vulnerability actually being used?"
Putting it together
A useful prioritisation function combines all three:
Tier 1 (immediate, 24–72 hours): on KEV and either internet-facing or without a compensating control.
Tier 2 (urgent, within 7 days): on KEV, internal; or EPSS percentile ≥95 with reachable exploit path; or CVSS-9.x with active proof-of-concept code.
Tier 3 (planned, within 30 days): EPSS percentile ≥80; or vendor-rated critical with confirmed reachability.
Tier 4 (cyclical, quarterly): everything else, processed through normal patch cadence.
The Cyentia Institute’s "Prioritization to Prediction" series of reports, published with Kenna Security and FIRST, demonstrates that this layered approach reduces patch workload by roughly 80 percent while improving exploitation-prevention coverage. The reports are available at cyentia.com/library/.
What this looks like in practice
A worked example, using vulnerabilities from 2024:
CVE-2024-3400 (PAN-OS GlobalProtect command injection): CVSS 10.0; EPSS percentile 99+; KEV listed within days. Tier 1: this should have been patched within 72 hours of disclosure. Mass exploitation by state-aligned and criminal actors began before public disclosure.
CVE-2024-21762 (FortiOS SSL VPN out-of-bounds write): CVSS 9.6; EPSS percentile 99; KEV listed. Tier 1: same.
CVE-2024-3094 (XZ Utils backdoor): CVSS 10.0 (when scored); EPSS variable; not on KEV (because the backdoor was caught before mass exploitation). Treatment: Tier 1 because of catastrophic impact, even though EPSS and KEV did not indicate active exploitation.
CVE-2024-23222 (Apple WebKit type confusion): CVSS 8.8; EPSS percentile 95+; KEV listed (Apple confirmed active exploitation). Tier 2: high priority but not internet-facing in most enterprise contexts; assess reach.
A random CVSS-9.8 in a mid-tier vendor’s appliance with no known exploits, no PoC, and not on KEV: Tier 3 or Tier 4 depending on reachability. Many organisations would treat this as Tier 1 because the CVSS is high; the data does not support that.
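The four-tier function described above, applied to the 2024 examples, as an added Python example that is not part of the article: the Vuln fields are assumptions, the sample records are constructed from the figures the text quotes (reachability and compensating-control values are assumed), "CVSS-9.x" is read as 9.0 or higher, and analyst_override is a hypothetical field for the impact-driven override the XZ case needs.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Vuln:
    """One finding, carrying the signals the four tier rules consume (field names are assumed)."""
    cve: str
    cvss: float                  # CVSS base score
    epss_pct: float              # EPSS percentile, 0-100 (the ranking, not the raw probability)
    on_kev: bool                 # listed in the CISA KEV catalogue
    internet_facing: bool        # from your own asset inventory, not from any score
    compensating_control: bool   # e.g. feature disabled, WAF rule, network isolation
    reachable_exploit_path: bool
    public_poc: bool             # proof-of-concept code is publicly available
    vendor_critical: bool = False
    analyst_override: Optional[int] = None  # manual tier for cases the scores miss (XZ Utils)


def tier(v: Vuln) -> int:
    """Return 1 (24-72 h), 2 (7 days), 3 (30 days) or 4 (quarterly cadence)."""
    if v.analyst_override is not None:
        return v.analyst_override
    # Tier 1: on KEV and either exposed to the internet or unmitigated
    if v.on_kev and (v.internet_facing or not v.compensating_control):
        return 1
    # Tier 2: KEV but internal and mitigated; EPSS >= 95 with a reachable path; 9.0+ with public PoC
    if v.on_kev or (v.epss_pct >= 95 and v.reachable_exploit_path) or (v.cvss >= 9.0 and v.public_poc):
        return 2
    # Tier 3: EPSS >= 80, or vendor-rated critical with confirmed reachability
    if v.epss_pct >= 80 or (v.vendor_critical and v.reachable_exploit_path):
        return 3
    return 4


# Constructed records: CVSS/EPSS/KEV values as quoted in the article, exposure values assumed.
SAMPLE = [
    Vuln("CVE-2024-3400", 10.0, 99.5, True, True, False, True, True),
    Vuln("CVE-2024-21762", 9.6, 99.0, True, True, False, True, True),
    Vuln("CVE-2024-3094", 10.0, 50.0, False, False, False, True, False, analyst_override=1),
    Vuln("CVE-2024-23222", 8.8, 96.0, True, False, True, True, True),
    Vuln("CVE-EXAMPLE-9999", 9.8, 30.0, False, False, False, False, False),  # the "random 9.8"
]


def triage(vulns) -> dict:
    """Map each CVE id to its tier."""
    return {v.cve: tier(v) for v in vulns}


if __name__ == "__main__":
    for cve, t in sorted(triage(SAMPLE).items(), key=lambda kv: kv[1]):
        print(f"Tier {t}: {cve}")
```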
The limitations of every score
CVSS does not know your environment. A vulnerability that is critical against an internet-facing system is irrelevant against an air-gapped one.
EPSS predicts the future imperfectly and lags emerging exploitation by days when a new technique appears.
KEV requires confirmation, which means it is always behind early exploitation. The rule of thumb: if a vulnerability is on KEV, you are already late.
Vendor advisories are not always honest about severity. Vendors have commercial reasons to under-rate flaws in their own products.
The aggregate signal, CVSS plus EPSS plus KEV plus your own asset reachability and compensating controls, is what produces a defensible prioritisation. The single-score approach is what produces a patching backlog that never moves and breaches that originate from yesterday’s CVE.
Tooling
The data is free. Most modern vulnerability-management tools (Tenable, Qualys, Rapid7, Wiz, Nucleus, Vulcan Cyber) ingest CVSS, EPSS, and KEV automatically. The open-source Vulncheck and the OSV.dev project also expose all three. There is no good reason to be making prioritisation decisions on CVSS alone in 2026.
The change is operational, not technical. Treating prioritisation as a function of multiple signals, not a single number, is the discipline that separates effective patch management from patch theatre.
