If your patch SLAs are still driven solely by CVSS base score (Critical in 7 days, High in 30, Medium “when we get to it”), you are optimizing for the wrong variable. The math stopped working a while ago; 2025 made it obvious, and 2026 is making it painful.
Roughly 48,000 CVEs were published in 2025, up about 20% from ~40,000 in 2024. So far in 2026 there are over 15,000 (as of mid-May), and the year may well end far above the 2025 total. Around 39% of the 2025 CVEs were rated Critical or High; about 45% of 2026’s are.
Worse, severity is a poor predictor of what is actually attacked. Only ~2% of published CVEs are ever exploited in the wild (768 of ~40k in 2024). CISA’s KEV catalog covers ~0.5% of all CVEs. So a severity-only program spends most of its effort on vulnerabilities no attacker will ever touch, while the handful that matter sit somewhere in the queue ranked by a number that doesn’t correlate with exploitation.
“Medium” is not safe
The traditional triage model was “patch all the Criticals ASAP,” then work down the list. The assumption baked into severity-based SLAs is that low-scored vulns are low-risk. Attackers know you think this, and they use it.
– 28% of vulnerabilities exploited in Q1 2025 carried a Medium CVSS base score. Deprioritizing Medium by policy means deprioritizing more than a quarter of real-world exploitation by policy.
– Chaining makes individual scores meaningless. The ArcaneDoor campaign chained CVE-2025-20333 (Cisco ASA, CVSS 9.9) with CVE-2025-20362, a lower-severity unauthenticated access-control bypass. The “medium” issue was the front door; the “critical” bug was what sat behind it. Score either one in isolation and you miss the kill chain.
– Multi-exploit packages are now standard. Threat-recon data from 2025 found campaigns bundling 10+ CVEs, with at least one using 35 in a single operation – attackers spray across the attack surface rather than betting on one flaw. A vuln’s CVSS score tells you nothing about whether it’s a useful link in someone’s chain.
CWE-862 (Missing Authorization) jumped 62% year-over-year to 5.2% of all 2025 CVEs — the kind of access-control bug that scores Medium and chains beautifully. The likely driver is the next point.
LLMs changed the cost curve on both sides
The disclosure surge isn’t purely better security. A large share of new issues is coming out of AI-assisted research. AI-generated application code is also shipping permission and authorization bugs at scale, which is part of why authz weaknesses are climbing.
On the offensive side, the asymmetry is the problem. Generative models are being used to automate vulnerability analysis, generate working exploits, and chain multiple low-severity flaws into high-impact attacks at a speed manual research never matched. Mandiant’s 2025 data put average time-to-exploit at *negative one day* (exploitation observed before a public patch) with 56% of vulns weaponized within the first month. Meanwhile 50% of critical KEV vulnerabilities sat unpatched 55 days after a fix shipped. The exploit-development cost dropped; your remediation cost didn’t.
When attackers can cheaply weaponize and chain Mediums, a severity floor in your SLA is a list of things you’ve promised not to fix quickly.
Supply chain attacks don’t have a CVSS score at all
This is the part severity-based programs have no answer for. The 2025 npm campaigns such as s1ngularity/Nx in August, Shai-Hulud in September (500+ then 1,150+ packages), Shai-Hulud 2.0 in November/December (25,000+ compromised repos), Mini Shai-Hulud in May 2026 spanning npm *and* PyPI, not to mention the recent even larger surge of supply-chain issues, were not vulnerabilities in your code. They were trusted dependencies that turned malicious: worm-like payloads that harvested tokens via post/pre-install scripts and republished themselves through the victim’s own credentials and CI/CD pipelines.
There is no CVE to rank, no CVSS score to gate on, and no patch in the traditional sense. A program built around “wait for a high-severity CVE, then patch” is structurally blind to this entire attack class. What catches it is exploitation/IOC signal and dependency provenance controls (SBOMs, pinned versions, build-pipeline secret hygiene, registry monitoring), not severity scoring.
As an aside, GitHub (which maintains npm) has taken notice of this and developed a roadmap to help protect against future supply chain attacks.
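The provenance checks just listed are mechanical enough to script. The following is an added example (not MicroSolved’s tooling and not GitHub’s) that audits a constructed npm package.json and package-lock.json for the signals a Shai-Hulud-style worm depends on: floating version ranges, packages that carry install scripts, tarballs resolved from somewhere other than the approved registry, and entries with no integrity hash, plus an SBOM-style diff between two lockfile revisions. The package names, the sample lockfiles and the allowed-registry list are assumptions; the lockfile fields it reads (lockfileVersion, packages, resolved, integrity, hasInstallScript) are the ones npm writes in lockfile v2/v3.

```python
"""Lockfile provenance checks for the supply chain track described above.

Added example, not MicroSolved's tooling. The package.json and package-lock.json
below are constructed samples with made-up package names. The lockfile fields used
(lockfileVersion, packages, resolved, integrity, hasInstallScript) are the ones npm
writes in lockfile v2/v3; the allowed-registry list is an assumption to adapt locally.
"""
import json
import re
from typing import Dict, List, Tuple

# --- constructed sample inputs (not from a real project) -----------------------
PACKAGE_JSON = json.dumps({
    "name": "sample-app",
    "dependencies": {
        "left-pad-ish": "^1.3.0",   # caret range: floats to any 1.x.y
        "tokenlib": "2.0.1",        # exact pin
        "mirror-pkg": "~0.9.0",     # tilde range
    },
})

PACKAGE_LOCK = json.dumps({
    "name": "sample-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "sample-app"},
        "node_modules/left-pad-ish": {
            "version": "1.3.5",
            "resolved": "https://registry.npmjs.org/left-pad-ish/-/left-pad-ish-1.3.5.tgz",
            "integrity": "sha512-AAAA",
        },
        "node_modules/tokenlib": {
            "version": "2.0.1",
            "resolved": "https://registry.npmjs.org/tokenlib/-/tokenlib-2.0.1.tgz",
            "integrity": "sha512-BBBB",
            "hasInstallScript": True,   # npm sets this when the package declares (pre|post)install
        },
        "node_modules/mirror-pkg": {
            "version": "0.9.0",
            "resolved": "https://mirror.example.invalid/mirror-pkg-0.9.0.tgz",
        },
    },
})

# A later lockfile revision for diffing: tokenlib bumped, one new package (constructed)
_next = json.loads(PACKAGE_LOCK)
_next["packages"]["node_modules/tokenlib"]["version"] = "2.0.2"
_next["packages"]["node_modules/newdep"] = {
    "version": "0.1.0",
    "resolved": "https://registry.npmjs.org/newdep/-/newdep-0.1.0.tgz",
    "integrity": "sha512-CCCC",
}
PACKAGE_LOCK_NEXT = json.dumps(_next)

ALLOWED_REGISTRIES = ("https://registry.npmjs.org/",)   # assumption: your approved sources
EXACT_VERSION = re.compile(r"^\d+\.\d+\.\d+$")          # semver with no range operator

Finding = Tuple[str, str, str]   # (check, package, detail)


def audit_lockfile(package_json: str, lock_json: str,
                   allowed_registries=ALLOWED_REGISTRIES) -> List[Finding]:
    """Return provenance findings as (check, package, detail) tuples."""
    manifest = json.loads(package_json)
    lock = json.loads(lock_json)
    findings: List[Finding] = []

    # 1. Unpinned ranges: a caret/tilde range lets a poisoned patch release install itself.
    for name, spec in manifest.get("dependencies", {}).items():
        if not EXACT_VERSION.match(spec):
            findings.append(("unpinned-range", name, spec))

    # 2-4. Lockfile entries: install scripts, off-registry sources, missing integrity.
    for path, entry in lock.get("packages", {}).items():
        if path == "":
            continue   # root project entry
        name = path.split("node_modules/")[-1]   # handles nested and @scoped paths
        if entry.get("hasInstallScript"):
            findings.append(("install-script", name, entry.get("version", "?")))
        resolved = entry.get("resolved", "")
        if not resolved.startswith(allowed_registries):
            findings.append(("off-registry-source", name, resolved or "(no resolved URL)"))
        if "integrity" not in entry:
            findings.append(("missing-integrity", name, entry.get("version", "?")))
    return findings


def lockfile_diff(old_lock: str, new_lock: str) -> Dict[str, List[str]]:
    """SBOM-style diff: packages added or changed in version between two lockfiles."""
    def versions(lock_json: str) -> Dict[str, str]:
        pk = json.loads(lock_json).get("packages", {})
        return {p.split("node_modules/")[-1]: e.get("version") for p, e in pk.items() if p}
    old, new = versions(old_lock), versions(new_lock)
    return {
        "added": sorted(n for n in new if n not in old),
        "changed": sorted(f"{n}: {old[n]} -> {new[n]}" for n in new if n in old and old[n] != new[n]),
    }


if __name__ == "__main__":
    for check, pkg, detail in audit_lockfile(PACKAGE_JSON, PACKAGE_LOCK):
        print(f"{check:22} {pkg:14} {detail}")
    print(lockfile_diff(PACKAGE_LOCK, PACKAGE_LOCK_NEXT))
```

Run in CI against the committed lockfile and fail the build on install-script or off-registry findings that are not on an explicit allowlist; the diff output is what a reviewer looks at when a dependency bump lands, since a worm’s republish shows up as a version change nobody asked for.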
What KEV-based prioritization actually means
KEV is binary: a CVE is either confirmed exploited in the wild or it isn’t. That’s the signal you want at the top of the queue. The case for it isn’t theoretical, as 60% of 2025 ransomware incidents exploited a CVE that was already in KEV at the time of the attack (Decryption Digest). These were knowable, listed, and remediable before the breach.
But KEV is a floor, not a ceiling. It only covers what CISA has verified; thousands of exploited CVEs never make it in, especially in niche products. An updated model layers signals:
1. KEV membership → drop everything. Treat it as its own severity field in your scanner (Tenable, Qualys, Rapid7 all support KEV as a native filter; OpenVAS/Greenbone + the KEV JSON feed for everyone else). Federal BOD 22-01 ties remediation to the due date CISA attaches to each KEV entry (typically two to three weeks for newly added entries); that is a reasonable baseline even if you’re not obligated.
2. EPSS ≥ ~0.7 → urgent, even when CVSS looks mundane. EPSS is a modeled probability of exploitation activity in the next 30 days, so this catches imminent-but-not-yet-confirmed exploitation and a lot of the dangerous Mediums.
3. Asset context as a multiplier. Same CVE, different risk: internet-facing, identity/auth-related, security tooling, remote-access infrastructure, and widely-deployed business software weight far higher than a segmented internal box.
4. Supply chain as a parallel track. Dependency provenance, SBOM diffing, lockfile pinning, and CI/CD secret scanning – governed by exploitation/IOC intelligence, not CVSS, because there’s no score to use.
CVSS still has a role as one input for the long tail of unexploited vulnerabilities, where nothing better differentiates them. It just shouldn’t be the variable your SLA clock runs on.
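The four-layer model above, with CVSS kept only as the tiebreak for the long tail, is a few dozen lines once the feeds are in hand. What follows is an added example (not MicroSolved’s tooling) that ranks scanner findings by KEV membership first, EPSS second, asset context third and CVSS last, and also implements the closing action item of pulling out the Medium-rated CVEs that are already in KEV. The three inputs are constructed inline: the KEV JSON mirrors the top-level shape of CISA’s feed (a "vulnerabilities" list with "cveID" and "dueDate"), the EPSS CSV mirrors FIRST’s cve,epss,percentile export including its leading "#" comment line, and the scanner CSV uses assumed column names (cve,cvss,asset,exposure,role) that you would map from your own export. The CVE IDs are placeholders and the SLA days and context weights are an example policy, not a standard.

```python
"""Exploitation-first prioritization of scanner findings (KEV > EPSS > asset context > CVSS).

Added example, not MicroSolved's tooling. All three inputs are constructed inline:
the KEV JSON mirrors the top-level shape of CISA's feed, the EPSS CSV mirrors FIRST's
export, and the scanner CSV column names (cve,cvss,asset,exposure,role) are assumed.
CVE IDs are placeholders; SLA days and weights are an example policy, not a standard.
"""
import csv
import io
import json
from dataclasses import dataclass
from typing import Dict, List, Optional

KEV_JSON = json.dumps({
    "title": "constructed KEV sample",
    "vulnerabilities": [
        {"cveID": "CVE-2099-0001", "dueDate": "2099-01-15"},
        {"cveID": "CVE-2099-0004", "dueDate": "2099-01-22"},
    ],
})

EPSS_CSV = """#model_version:constructed,score_date:2099-01-01
cve,epss,percentile
CVE-2099-0001,0.95,0.999
CVE-2099-0002,0.82,0.990
CVE-2099-0003,0.02,0.500
CVE-2099-0004,0.40,0.900
CVE-2099-0005,0.01,0.300
"""

SCANNER_CSV = """cve,cvss,asset,exposure,role
CVE-2099-0001,6.5,vpn-gw-01,internet,remote-access
CVE-2099-0002,5.3,app-01,internet,webapp
CVE-2099-0003,9.8,build-02,internal,general
CVE-2099-0004,7.5,dc-01,internal,identity
CVE-2099-0005,4.3,lab-07,internal,general
"""

EPSS_URGENT = 0.70   # the article's threshold: ~70% modeled chance of exploitation in 30 days
TIER_ORDER = {"kev": 0, "epss": 1, "long-tail": 2}
SLA_DAYS = {         # example policy clock per tier and exposure (assumption)
    "kev": {"internet": 14, "internal": 30},
    "epss": {"internet": 30, "internal": 45},
    "long-tail": {"internet": 90, "internal": 180},
}
EXPOSURE_WEIGHT = {"internet": 2.0, "internal": 1.0}                                   # example weights
ROLE_WEIGHT = {"identity": 1.5, "remote-access": 1.5, "security-tooling": 1.5, "webapp": 1.2}


@dataclass
class Finding:
    cve: str
    asset: str
    tier: str
    sla_days: int
    score: float
    cvss: float
    epss: float
    kev_due: Optional[str]


def load_kev(kev_json: str) -> Dict[str, Optional[str]]:
    """Map cveID -> CISA due date for every KEV entry."""
    return {v["cveID"]: v.get("dueDate") for v in json.loads(kev_json)["vulnerabilities"]}


def load_epss(epss_csv: str) -> Dict[str, float]:
    """Map CVE -> EPSS probability, skipping the feed's '#' comment line."""
    rows = [line for line in epss_csv.splitlines() if line and not line.startswith("#")]
    return {r["cve"]: float(r["epss"]) for r in csv.DictReader(rows)}


def classify(cve: str, kev: Dict[str, Optional[str]], epss: float) -> str:
    if cve in kev:
        return "kev"          # confirmed exploited: drop everything
    if epss >= EPSS_URGENT:
        return "epss"         # imminent exploitation, whatever CVSS says
    return "long-tail"        # CVSS is only a tiebreak down here


def prioritize(kev_json: str, epss_csv: str, scanner_csv: str) -> List[Finding]:
    """Rank scanner rows: tier first, then asset context and EPSS; CVSS last."""
    kev, epss = load_kev(kev_json), load_epss(epss_csv)
    out: List[Finding] = []
    for row in csv.DictReader(io.StringIO(scanner_csv)):
        cve = row["cve"].strip().upper()
        e, cvss = epss.get(cve, 0.0), float(row["cvss"])
        tier, exposure = classify(cve, kev, e), row["exposure"].strip()
        weight = EXPOSURE_WEIGHT.get(exposure, 1.0) * ROLE_WEIGHT.get(row["role"].strip(), 1.0)
        # Context and exploitation probability dominate; CVSS/100 can only break ties.
        score = weight * (1.0 + e) + cvss / 100.0
        sla = SLA_DAYS[tier].get(exposure, SLA_DAYS[tier]["internal"])
        out.append(Finding(cve, row["asset"], tier, sla, round(score, 3), cvss, e, kev.get(cve)))
    out.sort(key=lambda f: (TIER_ORDER[f.tier], -f.score))
    return out


def medium_in_kev(findings: List[Finding]) -> List[Finding]:
    """The closing action item: CVSS-Medium (or lower) findings that are already in KEV."""
    return [f for f in findings if f.tier == "kev" and f.cvss < 7.0]


if __name__ == "__main__":
    for f in prioritize(KEV_JSON, EPSS_CSV, SCANNER_CSV):
        print(f"{f.tier:9} sla={f.sla_days:>3}d  {f.cve}  cvss={f.cvss:<4} epss={f.epss:<5} {f.asset}")
```

On the sample data the CVSS 6.5 finding on the internet-facing VPN gateway lands at the top of the queue with a 14-day clock, while the CVSS 9.8 on the segmented build box drops to the long tail; that inversion is the whole point. To run it for real, replace the three constants with the downloaded KEV JSON, the EPSS CSV from FIRST and your scanner export mapped to the assumed columns.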
The shift
Severity-based patching answers “how bad could this be in the worst case?” Exploitation-based patching answers “what are attackers using right now?” In a year with 48,000 CVEs, AI-accelerated exploit chains built on Mediums, and supply chain compromises with no CVE at all, only the second question scales — and only the second question matches how you’re actually being attacked.
Your first action item here is to cross-reference your vuln scanner output against the KEV feed this week. The CVEs that have been quietly sitting in your “Medium, later” bucket while showing up on KEV are the ones worth finding first.
MicroSolved, Inc.
Website: https://microsolved.com
Email: info@microsolved.com
Phone: +1.614.351.1237
* AI tools were used as a research assistant for this content, but human moderation and writing are also included.