TL;DR: CVE triage breaks down when teams rely on CVSS alone, because severity scores do not show whether a flaw is actively exploited or trending toward exploitation. Senserva’s analysis argues for combining CISA KEV, EPSS, exposure age, and fleet scope so remediation can be defended to both auditors and operators.
At a glance
What this is: This is an analysis of why CVSS-only vulnerability management fails and how KEV and EPSS change remediation prioritisation.
Why it matters: It matters because identity and security teams need a defensible way to decide what to patch first across Windows fleets, privileged systems, and managed environments.
By the numbers:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
👉 Read Senserva's analysis of KEV, EPSS, and Microsoft CVE prioritisation
Context
CVSS is a severity metric, not a remediation strategy. A high score tells you a vulnerability could be dangerous, but it does not tell you whether it is being exploited, how quickly attackers are moving toward it, or whether your own fleet exposure makes it urgent today. For Microsoft-heavy environments and managed service operations, that distinction is the difference between backlog noise and defensible prioritisation.
The identity governance connection is practical rather than abstract. Patch posture, privileged access, and configuration drift shape how far a vulnerable system can be reached and how badly it can be used once exposed. Once exploitation signals are layered against asset criticality, the programme shifts from list management to risk-based control of machine identity and endpoint exposure.
Key questions
Q: How should teams prioritise vulnerabilities when CVSS scores are not enough?
A: Teams should rank vulnerabilities using KEV status, EPSS probability, affected asset count, and privilege exposure instead of relying on CVSS alone. CVSS is useful for severity context, but it does not show what attackers are using right now. The practical goal is to fix the flaws most likely to create real operational harm first.
Q: Why do KEV and EPSS improve remediation decisions?
A: KEV shows confirmed exploitation, while EPSS estimates short-term likelihood of exploitation. Together they reduce guesswork and help teams distinguish live threats from theoretical ones. That makes patching more defensible to auditors and more useful to operators because it aligns work with attacker behaviour, not just scorecards.
Q: What do security teams get wrong about patch severity?
A: They often assume a high severity score means a vulnerability should be fixed first. In reality, a lower-scoring flaw already in KEV may be far more urgent than a Critical that is not being exploited. Prioritisation should reflect exploit activity, exposure breadth, and business-critical placement.
Q: Who is accountable when a known exploited vulnerability stays open?
A: Accountability usually sits with the security owner for prioritisation, the operations team for remediation, and the business owner for risk acceptance if the issue remains open. Frameworks such as NIST CSF support this shared model by making remediation governance part of resilience, not just patching.
Technical breakdown
Why CVSS alone cannot rank remediation
CVSS describes impact and exploitability in the abstract, but it is not designed to answer operational questions such as whether a vulnerability is already in active attack chains. In practice, teams inherit hundreds of findings with identical or near-identical scores but very different real-world urgency. That is why severity without context produces patch fatigue. A defensible programme needs more than score. It needs exploit telemetry, asset context, and a way to distinguish theoretical risk from live exploitation.
Practical implication: stop using CVSS as the final ordering rule for remediation queues.
How KEV and EPSS change the triage model
CISA KEV identifies vulnerabilities confirmed to be exploited in the wild, while EPSS estimates the likelihood of exploitation over the next 30 days. Together they turn vulnerability management from static classification into time-sensitive decision support. KEV tells you what is already weaponised. EPSS tells you what is likely to become weaponised soon. When those signals are combined with patch age and affected asset count, the result is a prioritisation model that reflects operational reality instead of score alone.
Practical implication: build triage rules that promote KEV-listed vulnerabilities and high-EPSS findings above raw CVSS severity.
Why fleet exposure and configuration posture matter
A vulnerability on one well-contained endpoint is not the same as the same flaw across a broadly deployed, poorly hardened environment. Exposure count, configuration drift, logging quality, and privileged access all affect blast radius. This is where vulnerability management intersects identity governance, because a missing patch on a high-privilege system can become an access path, not just a defect. The right question is not only what is vulnerable, but what is vulnerable and reachable with meaningful privilege.
Practical implication: weight remediation by privileged exposure, device hardening, and spread across the fleet.
Threat narrative
Attacker objective: The attacker wants to convert a known software flaw into real operational access before defenders can prioritise and patch it.
- Entry begins when an attacker targets a vulnerability that appears in a scan but is also confirmed in the CISA KEV catalog, turning a generic defect into a live intrusion path.
- Escalation follows when the exploit lands on a device with meaningful reach, broad deployment, or weak hardening, allowing the attacker to move from a single flaw to wider operational impact.
- Impact occurs when the exploited system is used to deploy ransomware, steal data, or establish persistence before the organisation has treated the finding as urgent enough to fix.
Breaches seen in the wild
- ASP.NET machine keys RCE attack — 3,000+ exposed ASP.NET machine keys enabled remote code execution.
- DeepSeek breach — DeepSeek breach exposed 1M+ log lines and sensitive secret keys.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
CVSS-only patch programs create a false sense of priority. A score tells teams where a flaw sits on a severity scale, but not whether it is already in active use or whether the organisation is exposed in a way that matters. That gap is why vulnerability queues often look rational on paper and fail operationally in the field. Practitioners should treat severity as input, not decision.
KEV and EPSS together define the practical meaning of urgency. KEV identifies what attackers are already using, while EPSS estimates what is likely to be used next. That combination is stronger than either signal alone because it separates known exploitation from emerging probability. The programme implication is straightforward: triage should be driven by live exploitation evidence and near-term likelihood, not by a score that is blind to attacker behaviour.
Identity context changes vulnerability impact more than many teams admit. A flaw on a privileged endpoint, management server, or system with broad operational reach is not equivalent to the same flaw on a low-value workstation. This is especially true where service accounts, admin tooling, or remote management paths are present. The right discipline is to rank vulnerabilities by how much authenticated reach they create, not only by how severe they look in isolation.
Exposure age is a governance signal, not just an operations metric. When a critical flaw sits unremediated for days or weeks after public confirmation, the issue is no longer technical discovery alone. It becomes a control failure in prioritisation, assignment, and closure. That matters for board reporting, audit defence, and incident readiness because the organisation is choosing delay over risk reduction. Security leaders should measure how long known-exploited issues remain open, not just how many exist.
From our research:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which leaves many remediation programmes blind to the identities most likely to carry privilege.
- 52 NHI Breaches Analysis shows how exposed credentials and delayed revocation repeatedly turn small gaps into large incidents, which is the same urgency logic that KEV and EPSS are meant to surface.
What this signals
Known-exploited vulnerability prioritisation is becoming a governance issue, not just a patching discipline. When a team can explain why one CVE moves ahead of another using KEV, EPSS, and exposure age, it is no longer arguing from intuition. That is the difference between a reactive queue and a defensible remediation programme. For identity-heavy environments, the same logic should be applied to privileged systems and service accounts that expand blast radius.
Exposure age is the metric boards and auditors will increasingly ask for. A vulnerability is not only a technical defect once it has stayed open after public exploitation is known. It becomes evidence of control latency. Teams that cannot show how quickly they close KEV and high-EPSS items will struggle to prove resilience under NIST CSF and similar governance expectations.
For practitioners
- Promote KEV-listed flaws automatically Move any KEV-listed CVE to the top of the remediation queue, even if the CVSS score is lower than other open findings. Use this rule consistently so operations, security, and audit all see the same priority logic.
- Add EPSS thresholds to patch triage Use a daily EPSS threshold to separate findings that are likely to be exploited soon from those that can wait for the next planned maintenance cycle. Keep the threshold documented so it can be explained in change review.
- Weight patch urgency by privileged exposure Give higher priority to vulnerabilities on systems with admin reach, remote management access, or broad fleet deployment. A flaw on a privileged host deserves faster treatment than the same flaw on a low-impact endpoint.
- Track exposure age against remediation SLA Measure how long KEV and high-EPSS vulnerabilities remain open after discovery, then compare that duration with your internal SLA and exception process. Long dwell time usually exposes a governance problem, not a tool problem.
Key takeaways
- CVSS is a severity indicator, but it is not enough to decide what to patch first.
- KEV and EPSS give vulnerability teams the missing exploitation context needed to defend prioritisation decisions.
- The strongest remediation programmes rank live exploitation, exposure breadth, and privilege together instead of treating every Critical as equal.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | ID.RA-5 | Threat intelligence and exploit signals inform remediation prioritisation. |
| NIST CSF 2.0 | PR.IP-12 | Patch management depends on prioritised remediation and tracked closure. |
| NIST Zero Trust (SP 800-207) | PR.AC-5 | Privileged exposure turns patch gaps into access risk within zero-trust designs. |
Use exploit telemetry to rank remediation so known-exploited flaws move ahead of abstract severity.
Key terms
- Known Exploited Vulnerabilities catalog: A maintained list of vulnerabilities confirmed to be exploited in the wild. It gives security teams a practical signal that a flaw has moved beyond theoretical risk and should be treated as an active remediation priority.
- Exploit Prediction Scoring System: A daily-updated score that estimates the likelihood a vulnerability will be exploited in the near term. It does not replace severity scoring, but it adds probability context that helps teams order work before exploitation becomes widespread.
- Remediation prioritisation: The process of deciding which vulnerabilities to fix first based on exploitation evidence, exposure, and business impact. Good prioritisation turns a long vulnerability list into a defensible workflow that can stand up to audit and operational scrutiny.
- Exposure age: The amount of time a known vulnerability or misconfiguration remains unaddressed after discovery. Longer exposure age usually means higher organisational risk because attackers have more time to identify, weaponise, and use the weakness before it is closed.
What's in the full article
Senserva's full analysis covers the operational detail this post intentionally leaves for the source:
- Microsoft CVE lookup and patch tracker workflow details for free use without sign-up
- How enriched CVE records combine KEV, EPSS, MSRC, and Defender Vulnerability Management data
- Defendable ranking logic for Microsoft environments with both exposure and patch context
- The local MCP query experience for asking plain-language remediation questions
👉 The full Senserva post covers ranking logic, Microsoft data sources, and the MCP query workflow.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
Published by the NHIMG editorial team on 2026-06-15.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org