
CVSS Is Yesterday's News. Say Hello to KEV & EPSS.



You've been there. Your latest vulnerability scan just finished, and you're staring at a dashboard showing 3,000 "critical" findings. Your Tenable or ServiceNow instance is screaming red alerts at you. That sinking feeling sets in – "When you've got 3,000 'urgent' findings, where do you even start?"

If this sounds familiar, you're not alone. The truth is, modern vulnerability management has a serious problem: too much noise, not enough signal.

The Problem with CVSS: All Severity, No Context

For years, the Common Vulnerability Scoring System (CVSS) has been the de facto standard for rating vulnerabilities. On a scale from 0-10, it attempts to quantify how severe a vulnerability is:

CVSS Score      Qualitative Rating
0.0             None
0.1 – 3.9       Low
4.0 – 6.9       Medium
7.0 – 8.9       High
9.0 – 10.0      Critical

But as many security professionals have painfully discovered, CVSS has fundamental limitations that make it increasingly problematic in today's threat landscape:

  1. It measures potential impact, not actual risk. As one seasoned practitioner put it, "CVSS base is not a risk score, it's impact. That's why we don't use it without more context."
  2. It's static and doesn't evolve. Once assigned, a CVSS score rarely changes, even as the threat landscape shifts dramatically.
  3. It's often subjective and inconsistent. Remember when the curl team rated their own vulnerability as low risk, only to have CISA initially slap a 9.5 CVSS score on it? This kind of inconsistency erodes trust in the system.
  4. It creates alert fatigue. When everything is "critical," nothing is critical. The result? Real threats hide in plain sight while teams waste resources on vulnerabilities that may never be exploited.

As one frustrated security engineer noted, "a 'critical' vuln that's not reachable is way less important than a 'medium' one that's actively being hit by traffic." This disconnect between CVSS severity and real-world risk is the core problem that modern approaches aim to solve.

Enter the Dynamic Duo: KEV and EPSS

While CVSS isn't going away, two newer frameworks are rapidly changing how forward-thinking security teams prioritize vulnerabilities:

CISA's Known Exploited Vulnerabilities (KEV) Catalog

The KEV catalog is refreshingly straightforward: it's a curated list of CVEs that are actively being exploited in the wild. No hypotheticals, no potential impact scores – just real-world intelligence about what attackers are actually using right now.

Each KEV entry includes:

  • CVE ID
  • Product name
  • Vulnerability description
  • Required remediation action
  • Due date (for federal agencies, but a strong guideline for everyone)

Why is this so powerful? Because it answers the single most important question in vulnerability management: "Is this vulnerability currently being used by attackers?" If a CVE is on the KEV list, it moves to the top of your priority list – period.

For smaller organizations or those without mature vulnerability management practices, the KEV list is what one practitioner called "a rock solid resource" for prioritization guidance.

Exploit Prediction Scoring System (EPSS)

While the KEV catalog tells you what's being exploited now, EPSS looks into the future. Developed by the Forum of Incident Response and Security Teams (FIRST), EPSS uses machine learning to predict the likelihood that a vulnerability will be exploited within the next 30 days.

EPSS provides a probability score from 0 to 1 (or 0% to 100%). Unlike CVSS, which remains largely static, EPSS scores update daily based on new data about how threats are evolving in the real world.

What makes EPSS so effective is its data-driven approach:

  1. It ingests massive amounts of data from diverse sources, including exploit databases, threat intelligence feeds, government catalogs (including the KEV), and observations from security tools.
  2. It applies sophisticated machine learning models to identify patterns and predict which vulnerabilities attackers are likely to target next.
  3. It's dynamic, constantly learning and updating as the threat landscape changes.

The Proof Is in the Pudding: CVSS vs. KEV/EPSS in Action

Let's look at some real-world examples that show why relying solely on CVSS can lead to misallocated resources:

CVE-2021-44228 (Log4j)

  • CVSS: 10.0 (Critical)
  • EPSS: 0.974 (97.4% likelihood of exploitation)
  • KEV Status: Included
  • Verdict: All systems agree - this Remote Code Execution (RCE) vulnerability demands immediate attention.

CVE-2023-48795 (OpenSSH Terrapin Attack)

  • CVSS: 5.9 (Medium)
  • EPSS: 0.95 (95% likelihood of exploitation)
  • KEV Status: Included
  • Verdict: CVSS says "medium" while EPSS and KEV scream "fix this now!" A CVSS-only approach would have missed this critical threat.

CVE-2024-3094 (XZ Utils Backdoor)

  • CVSS: 10.0 (Critical)
  • EPSS: 0.30 (30% likelihood of exploitation)
  • KEV Status: Not included (at time of writing)
  • Verdict: While potentially severe, the exploitation risk is lower than other vulnerabilities. This helps teams prioritize their immediate focus.

These examples highlight why modern vulnerability management needs to move beyond CVSS. As one security engineer noted, "The problem isn't finding bugs anymore, it's figuring out which ones actually matter vs which ones are just noise."

A Practical Framework: Beyond CVSS

So how do you actually implement this knowledge? Here's a practical framework for integrating KEV and EPSS into your vulnerability management workflow:

Step 1: Check the KEV First (The "Must-Patch" List)

Is the vulnerability on CISA's KEV catalog? If yes, this is your highest priority, regardless of any other score. These vulnerabilities are being actively exploited right now and pose an immediate threat.

You can access the KEV catalog from CISA in several formats (HTML, CSV and JSON), and many modern scanning tools, including Tenable and other vulnerability scanners, now integrate KEV data directly into their reporting.

Step 2: Consult EPSS Second (The "Likely-to-be-Exploited" List)

If a vulnerability isn't on the KEV yet, check its EPSS score. This tells you the probability that it will be exploited in the wild within the next 30 days:

  • High EPSS Score (>0.75 or 75%): These vulnerabilities should be your next priority after KEV items. There's a high probability they'll be exploited soon.
  • Moderate EPSS Score (0.3-0.75): Monitor these closely and patch based on your organization's risk tolerance and resource availability.
  • Low EPSS Score (<0.3): These can generally be addressed during regular maintenance cycles unless they affect critical assets.

Pro Tip: Don't just look at the EPSS score once. Track it over time. A sudden jump in the score is a strong indicator that the threat landscape for that vulnerability is changing, and it requires immediate attention.

Step 3: Use CVSS for Context, Not as a Driver

CVSS still has value, but as context rather than a driver. It helps you understand the potential impact if a vulnerability were exploited. A high CVSS score on a vulnerability with a very low EPSS score can likely be deprioritized in favor of KEV and high-EPSS items.

This approach is especially valuable in CI/CD environments, where prioritizing what to fix before deployment can prevent bottlenecks while maintaining security.
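Steps 1 to 3 as a single triage routine, added here as an illustration (this is not the post's code, nor CISA's or FIRST's). The KEV and EPSS fragments are constructed to mimic the shape of the public feeds, the CVE scores are the ones quoted in the post, CVE-0000-00000 is a placeholder id for the "EPSS jumped overnight" case, and the 0.25 jump threshold is an assumption.

```python
import json

# Constructed sample inputs shaped like the public feeds (not live data): CISA's KEV JSON
# carries a "vulnerabilities" list keyed by "cveID"; FIRST's EPSS API returns "data" entries
# with "cve" and "epss" as strings. Scores are the ones quoted in the post above.
KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2021-44228"}, {"cveID": "CVE-2023-48795"}]})
EPSS_JSON = json.dumps({"data": [
    {"cve": "CVE-2021-44228", "epss": "0.974"}, {"cve": "CVE-2023-48795", "epss": "0.95"},
    {"cve": "CVE-2024-3094", "epss": "0.30"}, {"cve": "CVE-0000-00000", "epss": "0.62"}]})
# Scanner findings as (CVE, CVSS base, asset is business-critical); CVE-0000-00000 is a
# placeholder id invented for the "EPSS jumped overnight" case.
FINDINGS = [("CVE-2021-44228", 10.0, False), ("CVE-2023-48795", 5.9, False),
            ("CVE-2024-3094", 10.0, False), ("CVE-0000-00000", 4.3, False)]
# Yesterday's EPSS snapshot (constructed) for the "track it over time" tip.
PREVIOUS_EPSS = {"CVE-2021-44228": 0.97, "CVE-2023-48795": 0.95,
                 "CVE-2024-3094": 0.30, "CVE-0000-00000": 0.12}
JUMP_THRESHOLD = 0.25  # assumed: a day-over-day rise of 25 points or more counts as a jump

def load_kev(raw):
    return {v["cveID"] for v in json.loads(raw)["vulnerabilities"]}

def load_epss(raw):
    return {d["cve"]: float(d["epss"]) for d in json.loads(raw)["data"]}

def tier(cve, critical_asset, kev, epss):
    """Steps 1 and 2 of the post; a lower tier number means fix sooner."""
    if cve in kev:                         # Step 1: KEV trumps every other score
        return 1, "on KEV: actively exploited, patch now"
    p = epss.get(cve, 0.0)                 # no EPSS record: treat as low probability
    if p > 0.75:                           # Step 2: the post's high band
        return 2, f"EPSS {p:.2f} > 0.75: likely exploited within 30 days"
    if p >= 0.30:                          # moderate band; the post's 0.3 boundary is inclusive
        return 3, f"EPSS {p:.2f}: monitor, patch per risk tolerance"
    if critical_asset:                     # low-band exception named in the post
        return 3, f"EPSS {p:.2f} but critical asset: do not defer"
    return 4, f"EPSS {p:.2f} < 0.30: regular maintenance cycle"

def prioritize(findings, kev, epss, previous):
    """Return findings ordered by tier; CVSS only breaks ties inside a tier (Step 3)."""
    rows = []
    for cve, cvss, critical in findings:
        t, why = tier(cve, critical, kev, epss)
        if epss.get(cve, 0.0) - previous.get(cve, 0.0) >= JUMP_THRESHOLD:
            t, why = min(t, 2), why + "; EPSS jumped since last run, re-triage"
        rows.append((t, -cvss, cve, why))
    rows.sort()
    return [(cve, t, why) for t, _, cve, why in rows]
```

Calling `prioritize(FINDINGS, load_kev(KEV_JSON), load_epss(EPSS_JSON), PREVIOUS_EPSS)` puts both KEV entries first, then the placeholder whose EPSS jumped, and leaves the CVSS 10.0 XZ finding in the monitor tier.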

Overcoming Alert Fatigue: A New Paradigm

The shift to KEV and EPSS represents a fundamental change in vulnerability management philosophy. Instead of trying to patch everything (an impossible task), you focus on what matters most based on real-world exploitation data.

This approach addresses the core complaint many security teams have: "The alert fatigue is real, and I'm tired of the vulnerability management treadmill."

By focusing first on KEV vulnerabilities (those actively being exploited) and then on high-EPSS vulnerabilities (those likely to be exploited soon), you can:

  1. Dramatically reduce noise by focusing on vulnerabilities that pose actual risk
  2. Allocate resources more effectively based on real-world exploitation data
  3. Communicate risk more clearly to stakeholders and management
  4. Improve security posture by addressing the vulnerabilities attackers actually use

The Future is Contextual

While KEV and EPSS represent a significant improvement over CVSS alone, the future of vulnerability management will be even more contextual. We're already seeing the emergence of cloud-specific frameworks that account for dynamic attack surfaces and asset criticality.

The key takeaway is that effective vulnerability management isn't about patching everything with a high CVSS score. It's about using intelligence from multiple sources to focus your efforts where they'll have the greatest impact.

As one security practitioner wisely noted, "You cannot patch everything, so you should be working to refine how you prioritize vulnerabilities to remediate the ones that can truly harm your organization."

By embracing KEV and EPSS alongside traditional metrics like CVSS, you can move from reactive patching to proactive defense, focusing your limited resources on the vulnerabilities that matter most in the real world.

So the next time your scanning tool bombards you with thousands of "critical" findings, remember: CVSS is yesterday's news. Say hello to KEV and EPSS – your new allies in the fight against alert fatigue and the key to a more effective vulnerability management program.

Frequently Asked Questions (FAQ)

What is the main problem with using only CVSS for vulnerability management?

The main problem with relying solely on CVSS is that it measures potential severity, not actual, real-world risk. This leads to "alert fatigue," where security teams are overwhelmed by thousands of "critical" vulnerabilities that may never be exploited, causing real threats to be lost in the noise.

How do KEV and EPSS improve upon CVSS?

KEV and EPSS improve upon CVSS by providing crucial, real-world context. CISA's KEV (Known Exploited Vulnerabilities) catalog tells you which vulnerabilities are being actively exploited right now, while EPSS (Exploit Prediction Scoring System) predicts the likelihood of a vulnerability being exploited in the near future. They shift the focus from a vulnerability's theoretical potential to its actual or probable threat level.

What is the recommended framework for prioritizing vulnerabilities?

The most effective framework is to prioritize in three steps:

  1. KEV First: Remediate all vulnerabilities on CISA's KEV catalog immediately. These are proven threats.
  2. EPSS Second: Address vulnerabilities with a high EPSS score (e.g., above 75%), as they are likely to be exploited soon.
  3. CVSS for Context: Use the CVSS score to understand the potential impact of the remaining vulnerabilities and inform patching schedules during regular maintenance cycles.

Should my organization stop using CVSS completely?

No, you shouldn't stop using CVSS entirely. Instead, its role should evolve. Use it as a secondary data point for context after prioritizing with KEV and EPSS. The CVSS score is still useful for understanding the potential impact (e.g., remote code execution, data exposure) of a vulnerability if it were to be exploited, which helps in comprehensive risk assessment.

Does a low CVSS score mean a vulnerability is not a threat?

Absolutely not. A low or medium CVSS score does not guarantee a vulnerability is low-risk. Many vulnerabilities with medium CVSS scores have been added to the KEV catalog because they are actively exploited. The OpenSSH Terrapin Attack (CVSS 5.9), for example, was a widely exploited vulnerability that a CVSS-only approach would have deprioritized.

Where can I access KEV and EPSS data?

Both resources are publicly available. The CISA KEV catalog can be accessed directly from the CISA website in various formats (HTML, CSV, JSON). EPSS scores are available from FIRST.org via a public API. Furthermore, many modern vulnerability management platforms and security scanners now integrate both KEV and EPSS data directly into their reporting dashboards.
