Beyond CVSS: Smarter Vulnerability Prioritization with Exploit Data

Topics: Application Management and Patching, Security and Compliance

When you patch only 10 % of open vulnerabilities each month, choosing the right 10 % is everything (Cyentia and Kenna Security).  

Why CVE Data Still Matters 

At the time of this writing, the funding issue threatening the MITRE CVE program was narrowly avoided. That’s fortunate; without current CVE data, much of what follows would be difficult—if not impossible—to write.  

This topic is particularly relevant to me because I have worked extensively with vulnerabilities and with finding effective methods for prioritizing remediation and patching. As a Senior Security Engineer at a software company, I face vulnerability challenges on several fronts: issues in operating systems and third-party software, in our own products, and in production environments. In addition, our own products are tightly connected to third-party patching.

CVSS: A Starting Point, Not the Finish Line 

Because I’m involved in so many processes, prioritization is a constant challenge. Even seasoned security professionals often prioritize remediation solely by a vulnerability’s CVSS (Common Vulnerability Scoring System) rating. 

Severity    Score Range
Low         0.1–3.9
Medium      4.0–6.9
High        7.0–8.9
Critical    9.0–10.0

In practice, CVSS uses four rating levels—Low through Critical. Most vulnerability scanners and databases include CVSS data by default. 

Severity vs. Likelihood: Understanding Risk 

The Common Vulnerability Scoring System is a good method for addressing the severity component of a vulnerability. CVSS also supports temporal and environmental metrics, but few organizations use them. If we only know the potential impact but lack a solid estimate of likelihood, it is difficult to see the big picture. Risk is typically calculated as impact × likelihood. Without likelihood, we would focus on low‑probability events like meteor strikes or volcanic eruptions simply because their impact is huge. The same logic applies to vulnerability management.

Prioritizing vulnerability remediation solely by CVSS rating is far from optimal. It does ensure that you patch high‑impact vulnerabilities quickly. But what about lower‑rated flaws that are already being exploited, or soon will be?

The Forum of Incident Response and Security Teams (FIRST) has studied this issue in depth. Their findings show that relying only on CVSS wastes significant effort. Realistically, you can’t patch every vulnerability in the ideal time window. Research by Cyentia and Kenna Security (now part of Cisco) found that, on average, organizations patch only 10–15 % of the open vulnerabilities each month. This means that prioritization is crucial. 

Spotting Active Exploits in the Wild   

The strongest signal is evidence that a vulnerability is already being exploited. If attackers exploit it elsewhere, they can exploit it in your environment as well. There are many free and commercial sources for exploitation information. One of them is CISA’s (Cybersecurity and Infrastructure Security Agency) Known Exploited Vulnerabilities (KEV) Catalog. KEV lists actively exploited CVEs and recommended mitigations.  

Microsoft Defender Vulnerability Management is another, detailing exploitation characteristics and stages. More specifically, it maintains vulnerability exploitation maturity with three different attributes: 

  • Public exploit exists 
  • Exploit is verified to work 
  • Exploit is part of an exploit kit 

Each attribute tells a story. The first records whether a public exploit has been reported. The second records whether that exploit is verified to work, meaning there are confirmed reports of the vulnerability being exploited in the wild. The third tracks whether the exploit has been packaged into an exploit kit, which makes it easier to weaponize; that raises the probability of exploitation because the exploit is much easier to obtain and use.

Predicting Exploits Before They Happen 

Only a fraction of all published vulnerabilities are ever exploited, which leaves many CVEs without a clear exploitation signal. Several efforts aim to estimate exploitation likelihood in advance. Microsoft launched its Exploitability Index back in 2008; it has four levels:

  • Exploitation detected 
  • Exploitation more likely 
  • Exploitation less likely 
  • Exploitation unlikely 

This is a great addition to CVSS: it brings a likelihood factor into the risk calculation for a vulnerability. You'll find the ratings in Microsoft Security Response Center (MSRC) advisories. For example, the exploitability assessment for CVE-2023-21535 is at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21535. Unfortunately, the Exploitability Index covers only Microsoft products.


EPSS: Adding Probability to the Equation 

Lucky for us, this is where FIRST steps in. FIRST published the first public scores of the Exploit Prediction Scoring System (EPSS) on January 7th, 2021. This is how FIRST explains EPSS:

“EPSS is a measure of threat – it estimates the probability that a vulnerability will experience exploitation activity in the wild. It accomplishes this entirely by data-driven, empirical analysis. Because EPSS produces a probability, it can scale to estimate the probability that at least one out of a larger set of vulnerabilities may be exploited.”

What is EPSS, and what is it not? FIRST. 2025. 

Each EPSS score is tied to a CVE and gives a daily updated estimate of the probability that the vulnerability will be exploited in the next 30 days. Adding EPSS data to your vulnerability set greatly improves patch prioritization, because it lets you form a better estimate of total risk for each vulnerability. You can pull EPSS scores directly from FIRST's API or through tools like Microsoft Defender Vulnerability Management. FIRST's free API can be queried from a browser or programmatically; for example: https://api.first.org/data/v1/epss?cve=CVE-2021-40438.

Beyond CVSS: A Practical Playbook for Leaner Patch Cycles 

If you can access all the necessary vulnerability data, including CVSS rating, exploitation information, and EPSS score, prioritizing your remediation efforts becomes drastically easier. Still, no single scoring system fits every organization, and consolidating the data into an easy‑to‑read format can itself be a challenge.

I haven’t found a free tool that enriches vulnerabilities with both likelihood and exploit data. From the commercial side, I am familiar with Microsoft Defender for Endpoint, which includes exploit information and EPSS score. Combined with real‑time inventory, that data streamlines prioritization. However, Microsoft stops short of recommending which patches to deploy first. It provides the pieces; you decide how to use them in your patch management process. And that is completely understandable. Each organization must own its patch management process. 

I recommend starting remediation with vulnerabilities already exploited in the wild. If you need to prioritize among these, start with the vulnerability with the highest CVSS score. Once those are remediated, move on to the vulnerabilities with the highest EPSS scores. This simple approach should give you an advantage in patching against real threats. After all, it is a game of patching the right vulnerabilities within the right time window.
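The two pieces described above, EPSS data pulled from FIRST's API and the playbook's ordering (exploited in the wild first, then CVSS among those, then EPSS for the rest), as an added example that is not part of the original post. The response shape follows the `data[]` rows FIRST's public EPSS API returns, but every identifier and score here is a constructed placeholder, and the KEV flags are assumed to come from your own inventory.

```python
"""Added example, not from the original post: order a constructed vulnerability set
as the playbook describes and compute the EPSS set-level probability."""
import json

# Constructed stand-in for the body of https://api.first.org/data/v1/epss?cve=...
# (data[] rows with cve/epss/percentile/date). Identifiers and scores are placeholders.
EPSS_RESPONSE = json.dumps({
    "data": [
        {"cve": "CVE-EXAMPLE-0001", "epss": "0.971", "percentile": "0.999", "date": "2025-01-01"},
        {"cve": "CVE-EXAMPLE-0003", "epss": "0.004", "percentile": "0.700", "date": "2025-01-01"},
        {"cve": "CVE-EXAMPLE-0004", "epss": "0.310", "percentile": "0.970", "date": "2025-01-01"},
    ],
})

# Constructed inventory: CVSS base score plus whether the CVE is listed in CISA KEV.
INVENTORY = {
    "CVE-EXAMPLE-0001": {"cvss": 9.0, "kev": True},
    "CVE-EXAMPLE-0002": {"cvss": 9.8, "kev": True},    # no EPSS row: treated as 0.0
    "CVE-EXAMPLE-0003": {"cvss": 8.1, "kev": False},
    "CVE-EXAMPLE-0004": {"cvss": 6.5, "kev": False},
}

def parse_epss(raw_json: str) -> dict[str, float]:
    """Map CVE id -> EPSS probability; the API returns the scores as strings."""
    return {row["cve"]: float(row["epss"]) for row in json.loads(raw_json)["data"]}

def prioritize(inventory: dict, epss: dict[str, float]) -> list[str]:
    """Playbook order: KEV entries first (highest CVSS first), then everything
    else by EPSS descending, with CVSS as the final tie-break."""
    def sort_key(item):
        cve, v = item
        kev_tier = 0 if v["kev"] else 1                 # exploited in the wild wins
        kev_cvss = -v["cvss"] if v["kev"] else 0.0      # CVSS orders only the KEV tier
        return (kev_tier, kev_cvss, -epss.get(cve, 0.0), -v["cvss"])
    return [cve for cve, _ in sorted(inventory.items(), key=sort_key)]

def any_exploited_probability(cves: list[str], epss: dict[str, float]) -> float:
    """P(at least one is exploited) = 1 - prod(1 - p_i), assuming independent scores."""
    prob_none = 1.0
    for cve in cves:
        prob_none *= 1.0 - epss.get(cve, 0.0)
    return 1.0 - prob_none

if __name__ == "__main__":
    scores = parse_epss(EPSS_RESPONSE)
    for rank, cve in enumerate(prioritize(INVENTORY, scores), 1):
        print(rank, cve, f"cvss={INVENTORY[cve]['cvss']} epss={scores.get(cve, 0.0):.3f}")
    backlog = [c for c, v in INVENTORY.items() if not v["kev"]]
    print("P(any non-KEV item exploited in 30 days):", round(any_exploited_probability(backlog, scores), 5))
```

Note that the CVSS 6.5 item outranks the CVSS 8.1 item in the non-KEV tier because its EPSS is higher, which is exactly the case a CVSS-only queue gets wrong.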

How Recast Software Closes the Vulnerability Loop

Recast Software helps close the vulnerability loop. Application Manager automates third‑party patching in Intune and ConfigMgr, turning the high‑risk CVEs you’ve just prioritized into patches applied within hours, not weeks. Application Workspace carries that protection to the edge: by decoupling applications from devices and linking access to user identity, it lets employees work anywhere while IT retains full control and visibility. Together, these solutions translate patching prioritization into fast action—shrinking support queues, hardening security, and delivering measurable ROI at a lower total cost. 
