Cyber Intelligence
Cloud Security | 14 min read

CVSS Is Not Enough: Use EPSS and CISA KEV to Prioritize What Actually Matters

Most security teams sort vulnerabilities by CVSS score and patch the highest numbers first. That approach is wrong. CVSS measures theoretical severity, not real-world danger. This guide explains how to combine EPSS exploitation probability and the CISA KEV catalog to build a prioritization framework that reflects actual attacker behavior.

Microsoft Cloud Solution Architect
Tags: Vulnerability Management, CVSS, EPSS, CISA KEV, Patch Management, Risk-Based Prioritization, Threat Intelligence

The Patching Lie Most Security Teams Tell Themselves

Every Tuesday, thousands of security teams download Patch Tuesday results, sort by CVSS score, and start patching everything above 9.0. The logic sounds reasonable: high severity equals high risk, so patch the worst first.

Here is the problem: CVSS measures severity, not danger. A CVSS 9.8 vulnerability sitting on a protocol no attacker is targeting today poses far less real-world risk than a CVSS 5.5 vulnerability currently being weaponized in ransomware campaigns. Patching by CVSS alone is a compliance exercise masquerading as risk management.

Two free, public data sources completely change the calculus: the Exploit Prediction Scoring System (EPSS) from FIRST.org, and the CISA Known Exploited Vulnerabilities (KEV) catalog. Together, they tell you not just how bad a vulnerability is theoretically, but whether attackers are actually exploiting it right now.

---

What CVSS Actually Measures (And What It Does Not)

CVSS (Common Vulnerability Scoring System) describes the intrinsic characteristics of a vulnerability through its base metrics: attack vector, attack complexity, privileges required, user interaction, scope (in v3.x; v4.0 replaces it with separate impact metrics for the vulnerable and subsequent systems), and impact on confidentiality, integrity, and availability. The base score is a snapshot of the vulnerability in isolation, scored against a reasonable worst-case deployment. The standard does define temporal (v3) and threat (v4) metrics that could carry exploit maturity, but NVD and the scanners that consume it publish and sort by the base score, and the base score never changes after publication.

What the CVSS base score does not measure:

  • Whether any exploit exists in the wild
  • Whether attackers are actively using it
  • Whether your specific technology stack is targeted
  • Whether the vulnerability has been publicly weaponized

The NVD publishes tens of thousands of CVEs per year (roughly 25,000 in 2022 and well over 30,000 in 2024), and around half or more of them carry a base score of 7.0 or higher. If your team tried to patch everything above 7.0 within 30 days, you would be in a permanent state of failure.

---

EPSS: Probability of Exploitation in the Next 30 Days

EPSS was developed by FIRST (Forum of Incident Response and Security Teams) and the Cyentia Institute. It uses machine learning trained on real-world exploitation data to produce a single probability score: the likelihood that a given CVE will be exploited in the wild within the next 30 days.

Scores range from 0.00 to 1.00 and are recomputed daily for every published CVE. The model's inputs include the CVE's age, vendor and affected product, CWE and CVSS metrics, whether public exploit code exists (Exploit-DB, Metasploit, GitHub), coverage by offensive and scanning tools, and mentions in public discussion such as social media; it is trained against exploitation activity observed by EPSS data partners (IDS/IPS, honeypot and similar telemetry), so it learns from what attackers actually did to similar CVEs in the past.

Key insight from the EPSS research: only a small minority of published CVEs, on the order of 5 percent, are ever observed being exploited in the wild. EPSS is built to push that minority toward the top of the ranking, so a team that works down the list by EPSS covers a large share of observed exploitation while touching a fraction of the CVEs it would have patched by CVSS alone.

Reading an EPSS Score

EPSS score      | What it means                  | Recommendation
0.50 and above  | High exploitation probability  | Treat as urgent regardless of CVSS
0.10 to 0.49    | Elevated risk                  | Prioritize in the next patch window
0.01 to 0.09    | Moderate risk                  | Include in the standard cycle
Below 0.01      | Low exploitation probability   | Deprioritize when capacity-constrained

EPSS also reports a percentile rank. A CVE in the 99th percentile is more likely to be exploited than 99% of all scored CVEs. This context matters more than the raw score for many prioritization decisions.

The FIRST API is Free

You can query EPSS scores for any CVE via the FIRST public API:

GET https://api.first.org/data/v1/epss?cve=CVE-2024-3400

Response (abridged; the API wraps results in an envelope and returns the scores as strings inside a "data" array, with each entry also carrying the date of the model run that produced it):
{
  "status": "OK",
  "status-code": 200,
  "version": "1.0",
  "access": "public",
  "total": 1,
  "offset": 0,
  "limit": 100,
  "data": [
    {
      "cve": "CVE-2024-3400",
      "epss": "0.95732",
      "percentile": "0.99721"
    }
  ]
}

The cve parameter takes a comma-separated list of up to 100 IDs per request, and an optional date=YYYY-MM-DD parameter returns the score as of that day, which is what you need to backtest a prioritization policy against past incidents. Scores update daily; if you enrich large inventories, the daily CSV at https://epss.cyentia.com/epss_scores-current.csv.gz covers every scored CVE in one download.
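The lookup above, wrapped into a small batch client, as an added example that is not part of the original article and not FIRST's own code. It chunks a CVE list into requests of 100, builds the query URL (including the API's optional date parameter for historical scores), and parses the JSON envelope the API returns into a dictionary. The network call is injectable, so the demo at the bottom runs against a constructed response body whose scores are illustrative rather than live values; CVEs the API does not return come back as None so downstream code can fall back to CVSS instead of silently dropping them.

```python
"""Batch EPSS lookups against the FIRST API, with the HTTP call injectable for
offline use. Added example, not code from the article or from FIRST. The
envelope shape (status, total, data[...]) follows the public API; SAMPLE_BODY
below is constructed and its scores are illustrative, not live values."""
import json
from typing import Callable, Dict, Iterable, List, Optional, Tuple
from urllib.parse import urlencode
from urllib.request import urlopen

EPSS_ENDPOINT = "https://api.first.org/data/v1/epss"
BATCH_SIZE = 100              # the API accepts up to 100 CVE IDs per request
Score = Tuple[float, float]   # (exploitation probability, percentile rank)


def chunked(items: Iterable[str], size: int = BATCH_SIZE) -> List[List[str]]:
    """Split CVE IDs into request-sized batches."""
    items = list(items)
    return [items[i:i + size] for i in range(0, len(items), size)]


def epss_query_url(cves: List[str], date: Optional[str] = None) -> str:
    """Build the GET URL for one batch. `date` (YYYY-MM-DD) asks for the score
    as of that day instead of today's, which is how you backtest a policy."""
    if len(cves) > BATCH_SIZE:
        raise ValueError(f"at most {BATCH_SIZE} CVEs per request")
    params = {"cve": ",".join(cves)}
    if date:
        params["date"] = date
    return f"{EPSS_ENDPOINT}?{urlencode(params)}"


def parse_epss_response(body: str) -> Dict[str, Score]:
    """Turn the API envelope into {cve: (epss, percentile)}. The feed carries
    the numbers as strings, so they are converted to floats here."""
    doc = json.loads(body)
    if doc.get("status") != "OK":
        raise RuntimeError(f"EPSS API error: {doc.get('status')} {doc.get('status-code')}")
    return {row["cve"].upper(): (float(row["epss"]), float(row["percentile"]))
            for row in doc.get("data", [])}


def _http_get(url: str) -> str:
    """Default transport: a plain GET against the fixed https endpoint."""
    with urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8")


def fetch_epss(cves: Iterable[str],
               get: Callable[[str], str] = _http_get) -> Dict[str, Optional[Score]]:
    """Look up every CVE, 100 per request. IDs the API does not know (typos,
    rejected IDs, not yet scored) map to None rather than vanishing, so the
    caller can fall back to CVSS for them."""
    wanted = [c.strip().upper() for c in cves if c.strip()]
    found: Dict[str, Score] = {}
    for batch in chunked(wanted):
        found.update(parse_epss_response(get(epss_query_url(batch))))
    return {c: found.get(c) for c in wanted}


# Constructed sample body in the API's envelope shape; values are illustrative.
SAMPLE_BODY = json.dumps({
    "status": "OK", "status-code": 200, "version": "1.0", "access": "public",
    "total": 2, "offset": 0, "limit": 100,
    "data": [
        {"cve": "CVE-2024-3400", "epss": "0.95732", "percentile": "0.99721"},
        {"cve": "CVE-2023-34362", "epss": "0.97000", "percentile": "0.99900"},
    ],
})


def demo() -> Dict[str, Optional[Score]]:
    """Run the batch lookup against the constructed body instead of the network.
    CVE-2099-0001 is a placeholder ID that the sample body does not contain."""
    return fetch_epss(["CVE-2024-3400", "CVE-2023-34362", "CVE-2099-0001"],
                      get=lambda url: SAMPLE_BODY)


if __name__ == "__main__":
    for cve, score in demo().items():
        print(cve, score)
```

To go live, drop the `get=` argument and `fetch_epss` will call the real endpoint; pass `date=` through `epss_query_url` when you want to replay what the score looked like on the day a patch decision was made.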

---

CISA KEV: The Authoritative List of Actively Exploited CVEs

The CISA Known Exploited Vulnerabilities (KEV) catalog was established in November 2021 under Binding Operational Directive (BOD) 22-01. CISA adds a CVE only when three conditions are met: the flaw has an assigned CVE ID, there is reliable evidence of active exploitation in the wild, and there is a clear remediation action such as a vendor patch or mitigation.

As of mid-2026, the catalog contains about 1,480 entries, roughly 245 of which were added in 2025 alone. Every entry includes the CVE ID, vendor and product name, a brief description, the date it was added, the required remediation action, a due date for federal agencies, and whether known ransomware campaigns are using the vulnerability.

Why KEV Trumps CVSS

The KEV catalog routinely contains CVEs with CVSS scores below 7.0. These are not low-risk vulnerabilities: they are vulnerabilities that attackers have found so useful that CISA considers them urgent threats. A CVSS 5.3 vulnerability listed in KEV and flagged for ransomware use is more dangerous than a CVSS 9.9 vulnerability that has never been exploited.

Federal civilian agencies must remediate each KEV-listed CVE by the due date CISA sets in the catalog, typically two to three weeks after listing. Private organizations should treat this as a strong signal to do the same.

The Ransomware Flag

Each KEV entry carries a "Known Ransomware Campaign Use" field (knownRansomwareCampaignUse in the JSON feed) whose value is either "Known" or "Unknown". "Known" means CISA has evidence that ransomware operators are using the vulnerability to compromise organizations; "Unknown" is the absence of that evidence, not a clean bill of health. Known-ransomware entries warrant the fastest possible response regardless of CVSS score.

---

The Three-Signal Decision Matrix

Combining all three signals gives you a defensible, risk-based prioritization framework:

CISA KEV | EPSS        | CVSS       | Priority | SLA
Yes      | Any         | Any        | P0       | Patch within 24 hours
No       | Above 50%   | 9.0+       | P1       | Patch within 48 hours
No       | Above 50%   | Any        | P2       | Patch within 7 days
No       | 10 to 50%   | 7.0+       | P2       | Patch within 7 days
No       | Any         | 7.0+       | P3       | Patch within 30 days
No       | 10 to 50%   | Any        | P3       | Patch within 30 days
No       | Below 10%   | 4.0 to 6.9 | P4       | Patch within 90 days
No       | Below 10%   | Below 4.0  | P4       | Standard patch cycle

Rows are evaluated top to bottom and the first matching row wins, so "Any" in a lower row only covers the combinations the rows above it did not catch (the "Any EPSS, 7.0+" row is in practice the below-10%, CVSS 7.0+ case). A CVE that has no EPSS score yet falls through to the CVSS-only rows.

---

Real Examples: Where CVSS Gets It Wrong

CVE-2023-34362 (MOVEit SQL Injection): CVSS 9.8, EPSS 97%, KEV Listed

This is the CVE the Cl0p ransomware group used to compromise hundreds of organizations in 2023. CVSS 9.8 flags it correctly, but it was exploited as a zero-day: Cl0p's mass data-theft campaign was already under way when the vendor advisory and the CVE were published, so for the first wave there was no CVSS score to sort by at all. What changed the picture afterwards were the two dynamic signals: CISA added the CVE to KEV within days of the advisory, and the EPSS score climbed past 90% as soon as proof-of-concept code appeared online, ahead of the copycat exploitation that followed. Teams watching KEV and EPSS got a moving picture of attacker interest; the CVSS score was a single number that never changed.

CVE-2024-3400 (Palo Alto PAN-OS): CVSS 10.0, EPSS 96%, KEV Listed

A maximum CVSS score with corresponding EPSS and KEV confirmation. Every signal aligns: patch immediately. This is the easy case. The lesson is that when all three signals converge at high values, you are looking at a genuine emergency.

The Hidden Danger: High CVSS, Low EPSS

The NVD regularly publishes CVEs scoring 9.8 or higher in niche software with no active exploitation. These CVEs have no public exploits, affect products with minimal market share, and have never appeared in threat intelligence feeds. EPSS scores for these often sit below 0.5%.

A security team that patches these before a CVE-2023-34362 equivalent is making a dangerous tradeoff. CVSS-based prioritization creates a false sense of completeness while real threats slip through.

---

Practical Implementation for Cloud and Security Teams

Step 1: Enrich Your Scan Output

Most vulnerability scanners (Qualys, Tenable, Rapid7) export CVE IDs alongside CVSS scores. After export, enrich each CVE with EPSS scores via the FIRST API and KEV status via the CISA JSON feed (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json). Both are free and require no authentication. EPSS is queried in batches of up to 100 CVE IDs per request (or pulled once a day as a CSV); the KEV catalog is a single small file, so download it once per run and match CVE IDs locally rather than looking them up one at a time.

Step 2: Apply the Decision Matrix

Sort your enriched list by priority tier. KEV-listed items always appear first regardless of CVSS score. Within each tier, sort by EPSS score descending.

Step 3: Communicate SLAs to Asset Owners

Security teams that attach CVSS scores to remediation requests often get slow responses. Security teams that say "this is in the CISA KEV list, ransomware groups are actively exploiting it, and the SLA is 24 hours" get fast action. The KEV and EPSS context converts abstract severity into concrete urgency that non-technical stakeholders can understand.

Step 4: Track KEV Additions as a Threat Hunting Trigger

When CISA adds a new CVE to the KEV catalog, run a threat hunt for signs of prior exploitation in your environment. The listing confirms exploitation somewhere in the world, usually well before CISA could verify it, so it says nothing about whether your organization was already hit through that vector: assume it may have been and look for the evidence (web-shell drops, unexpected child processes of the vulnerable service, outbound connections from the affected host) in the period before the patch landed.
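Steps 1, 2 and 4 together with the decision matrix from earlier, as an added example that is not the article's or any vendor's code. It parses a KEV feed excerpt (field names follow the real CISA JSON; the dates, flags and CVE-2099-* identifiers are constructed placeholders), encodes the matrix rows in order with the 24-hour KEV override, enriches a constructed scanner export with inline EPSS values, sorts it the way Step 2 describes, and lists KEV entries added since the last run as Step 4's hunt triggers. In production the EPSS dictionary comes from the FIRST API and the KEV JSON from the CISA URL named in the docstring.

```python
"""Enrich scanner output with EPSS and CISA KEV, rank it with the article's three-signal
matrix, and surface new KEV additions as hunt triggers. Added example, not the article's or
any vendor's code. KEV field names match the real feed at
https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; the feed
excerpt, scan rows, EPSS values, dates and CVE-2099-* IDs below are constructed placeholders."""
import json
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class KevEntry:
    cve: str
    product: str
    date_added: date
    ransomware: bool  # knownRansomwareCampaignUse == "Known"

def parse_kev(feed_json: str) -> Dict[str, KevEntry]:
    """Index the catalog by CVE ID. It is one small file: fetch it once per run
    and match locally instead of looking CVEs up one at a time."""
    kev = {}
    for v in json.loads(feed_json)["vulnerabilities"]:
        cve = v["cveID"].upper()
        kev[cve] = KevEntry(cve, f'{v["vendorProject"]} {v["product"]}',
                            date.fromisoformat(v["dateAdded"]),
                            v.get("knownRansomwareCampaignUse") == "Known")
    return kev

def kev_added_since(kev: Dict[str, KevEntry], since: date) -> List[KevEntry]:
    """Step 4: entries added after the previous run are this cycle's hunt triggers."""
    return sorted((e for e in kev.values() if e.date_added > since), key=lambda e: e.date_added)

# Non-KEV rows of the matrix as (EPSS bands, minimum CVSS, priority, SLA), evaluated top to
# bottom with the first match winning; KEV membership short-circuits to P0 in tier().
RULES = [({"high"}, 9.0, "P1", "48 hours"), ({"high"}, 0.0, "P2", "7 days"),
         ({"mid"}, 7.0, "P2", "7 days"), ({"high", "mid", "low"}, 7.0, "P3", "30 days"),
         ({"mid"}, 0.0, "P3", "30 days"), ({"low"}, 4.0, "P4", "90 days"),
         ({"low"}, 0.0, "P4", "standard cycle")]

def epss_band(epss: Optional[float]) -> str:
    """'high' is above 50%, 'mid' 10 to 50%, 'low' below 10%. An unscored CVE (None)
    counts as low so only its CVSS decides, which is the fallback the FAQ describes."""
    e = 0.0 if epss is None else epss
    return "high" if e > 0.5 else "mid" if e >= 0.1 else "low"

def tier(cvss: float, epss: Optional[float], in_kev: bool) -> Tuple[str, str]:
    """Return (priority, SLA) for one finding."""
    if in_kev:
        return "P0", "24 hours"
    band = epss_band(epss)
    for bands, cvss_min, prio, sla in RULES:
        if band in bands and cvss >= cvss_min:
            return prio, sla
    raise AssertionError("unreachable: the last rows cover every band and score")

@dataclass
class Finding:
    cve: str
    asset: str
    cvss: float
    epss: Optional[float]
    kev: Optional[KevEntry]
    priority: str = ""
    sla: str = ""

def enrich_and_rank(rows: List[dict], epss: Dict[str, float], kev: Dict[str, KevEntry]) -> List[Finding]:
    """Steps 1 and 2: attach EPSS and KEV to each scanner row, tier it, then order by tier,
    ransomware-flagged KEV entries first, EPSS descending, CVSS descending as the tiebreak."""
    out = []
    for row in rows:
        cve = row["cve"].upper()
        f = Finding(cve, row["asset"], float(row["cvss"]), epss.get(cve), kev.get(cve))
        f.priority, f.sla = tier(f.cvss, f.epss, f.kev is not None)
        out.append(f)
    out.sort(key=lambda f: (f.priority, not (f.kev and f.kev.ransomware), -(f.epss or 0.0), -f.cvss))
    return out

SAMPLE_KEV = json.dumps({"count": 2, "vulnerabilities": [  # constructed excerpt, illustrative dates
    {"cveID": "CVE-2023-34362", "vendorProject": "Progress", "product": "MOVEit Transfer",
     "dateAdded": "2023-06-02", "dueDate": "2023-06-23", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2024-3400", "vendorProject": "Palo Alto Networks", "product": "PAN-OS",
     "dateAdded": "2024-04-12", "dueDate": "2024-04-19", "knownRansomwareCampaignUse": "Unknown"}]})
SAMPLE_SCAN = [  # constructed scanner export; CVE-2099-* are placeholder IDs
    {"cve": "CVE-2099-0001", "asset": "niche-app-01", "cvss": 9.8},   # critical CVSS, nobody exploits it
    {"cve": "CVE-2099-0002", "asset": "web-edge-03", "cvss": 5.5},    # medium CVSS, being weaponised
    {"cve": "CVE-2024-3400", "asset": "vpn-gw-01", "cvss": 10.0},
    {"cve": "CVE-2099-0003", "asset": "build-runner", "cvss": 6.1},
    {"cve": "CVE-2023-34362", "asset": "moveit-prod", "cvss": 9.8},
    {"cve": "CVE-2099-0004", "asset": "intranet-wiki", "cvss": 3.1}]  # not yet scored by EPSS
SAMPLE_EPSS = {"CVE-2099-0001": 0.004, "CVE-2099-0002": 0.62, "CVE-2024-3400": 0.957,
               "CVE-2099-0003": 0.03, "CVE-2023-34362": 0.97}

def demo() -> List[Finding]:
    return enrich_and_rank(SAMPLE_SCAN, SAMPLE_EPSS, parse_kev(SAMPLE_KEV))

if __name__ == "__main__":
    for f in demo():
        print(f.priority, f.sla, f.cve, f.asset, f.cvss, f.epss, "KEV" if f.kev else "")
```

Two design points worth noting: a CVE with no EPSS score is deliberately banded as low rather than raising an error, so the CVSS-only rows still apply to it, and the sort key puts ransomware-flagged KEV entries ahead of the other P0 items, which the matrix implies but does not spell out. Running the demo, the CVSS 9.8 placeholder with an EPSS of 0.004 lands in P3 behind a CVSS 5.5 finding that EPSS puts above 50%, which is the whole argument of this article in one sorted list.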

---

Azure and AWS Context

For Azure environments, pay particular attention to KEV entries affecting Exchange Server (one of the most frequently listed Microsoft products in the catalog), Azure App Service workloads built on ASP.NET and IIS, and the Windows components that ransomware groups routinely chain for privilege escalation.

For AWS environments, monitor KEV entries involving the Log4j CVE family (CVE-2021-44228 and related), Apache HTTP Server vulnerabilities, and VPN appliances from Cisco, Palo Alto, and Fortinet. The Log4j family remains actively exploited in 2026 despite being years old: it is the clearest example of EPSS and KEV providing signal long after the initial CVSS-driven remediation wave.

---

Frequently Asked Questions

Is EPSS a replacement for CVSS?

No. They measure different things. CVSS measures intrinsic severity: the blast radius if exploitation occurs. EPSS measures exploitation probability: whether exploitation is likely. Use both in parallel.

How often does EPSS update?

Daily. Scores can shift significantly overnight when a proof-of-concept is published or when a CVE appears in threat intelligence feeds. For high-priority CVEs, check EPSS scores daily during the first two weeks after publication.

Does CISA KEV apply to private organizations?

BOD 22-01 is legally binding only for US federal civilian agencies. However, the KEV catalog is the most reliable public signal of confirmed active exploitation available. Treating KEV-listed CVEs as urgent regardless of regulatory requirement is sound risk management.

What if a CVE has no EPSS or KEV data?

Use CVSS as the fallback. EPSS scores a CVE only once it has been published, and a day-old score rests mostly on the CVE's static features rather than on observed activity, so it can move sharply in the first days; CISA likewise takes time to verify exploitation before adding to KEV. Re-check both signals daily during a new critical CVE's first two weeks, since that is when they change the most.

Can I automate this workflow?

Yes. Use the free CVE Prioritization tool at protego.me for manual lookups: paste in any list of CVEs and get an instant priority verdict combining CVSS, EPSS, and KEV status. For automated workflows, integrate the FIRST EPSS API and CISA KEV JSON feed directly into your SIEM or vulnerability management platform. The Protego vulnerability scanner also surfaces EPSS scores alongside detected stack CVEs in Deep Scan mode.

---

Conclusion

CVSS was designed to describe the severity of a vulnerability in isolation. It was never designed to answer the question every security team actually faces: which of these 847 high-severity CVEs should we patch first given two engineers and a change freeze next week?

EPSS and the CISA KEV catalog answer that question with real-world exploitation data. EPSS tells you the probability. KEV tells you it is already happening. Used together, they compress your urgent list from hundreds of CVEs to the handful that represent active threats against your organization type.

Patch the right CVEs first. Use the decision matrix above, and use protego.me's free CVE Prioritization tool to combine all three signals in one lookup.

Cloud Solution Architect with deep expertise in Microsoft Azure and a strong background in systems and IT infrastructure. Passionate about cloud technologies, security best practices, and helping organizations modernize their infrastructure.
