TL;DR: CVSS-first patch queues can send teams toward low-risk work while exploited vulnerabilities remain buried in the middle of the list, according to Senserva’s analysis of posture data, KEV, EPSS, SSVC, MSRC, and public exploit evidence. The operational shift is to rank by exploitation evidence first, then predicted exploitation and exploit availability, because that is what changes outcomes.
At a glance
What this is: This analysis argues that vulnerability management should combine patch posture with live exploitation evidence, not rely on CVSS alone.
Why it matters: For IAM-adjacent and broader security programmes, the lesson is that prioritisation logic must reflect real attack activity, because delayed remediation increases the window in which exposed assets, credentials, and workloads can be abused.
By the numbers:
- VulnCheck counted 768 CVEs first exploited during 2024, around 2 percent of that year's publications
👉 Read Senserva's analysis of exploitation-led patch prioritisation and patch intelligence
Context
Vulnerability management fails when teams treat every finding as equally urgent. Patch volume grows faster than maintenance windows, so the real governance problem is deciding which exposures actually deserve immediate operational attention. In identity-heavy environments, that question also affects service accounts, tokens, and other secrets because exploitation often turns on what an attacker can reach first, not on headline severity.
This article focuses on how to combine posture data with exploitation intelligence so prioritisation reflects attack reality. That approach matters for IAM and NHI programmes because exposed credentials and vulnerable services often sit in the same blast radius, and a patch queue that ignores identity dependencies can leave the most useful attack paths open.
Key questions
Q: What should security teams do when vulnerability exploitation becomes the main breach entry point?
A: They should treat remediation speed as an access-control priority, not only an infrastructure metric. The practical response is to inventory internet-facing systems, rank them by exploitability, and shorten the time between disclosure, validation, and patching. Where patching cannot happen quickly, teams need compensating controls that reduce exposure until the asset is fixed.
Q: Why do high CVSS scores often fail to reflect real patch priority?
A: Because CVSS estimates theoretical severity, not whether attackers are actively using the flaw or whether exploit code is already public. A low or medium score can still matter more than a high score if it is on KEV, has an active exploitation signal, or has commoditised proof-of-concept tooling. Prioritisation should follow attacker behaviour, not score alone.
Q: How do security teams know if exploitation-based prioritisation is working?
A: Look for a shorter must-fix list, fewer exposed KEV items, faster closure of actively exploited CVEs, and clearer ownership for the devices or applications that stay open longest. Good prioritisation reduces the number of exceptions that survive month to month. If the queue still grows without changing which items get fixed first, the model is not working.
Q: Who is accountable when a known exploited Office vulnerability remains unpatched?
A: Accountability sits with the owners of endpoint patching, email security, and privileged workstation governance, because the exposure spans all three. When a CVE is in KEV and patches are available, delayed remediation becomes a governance failure as well as a technical one. CISA deadlines and internal patch SLAs should be aligned to that reality.
Technical breakdown
Why CVSS alone misorders patch queues
CVSS is a severity model, not a live risk model. It scores a vulnerability under standardized assumptions about impact and exploitability, but it does not answer whether a working exploit exists, whether attackers are using it, or whether the vulnerable asset is actually deployed in your environment. That is why high scores can crowd the top of a list while lower-scored flaws drive ransomware or intrusion activity. In practice, patch teams need a ranking layer that incorporates observed exploitation, exploit availability, and environment coverage. Without that, a queue can look mathematically consistent while still being operationally wrong.
Practical implication: Use CVSS as a descriptor, not the final prioritisation rule.
How posture data and threat intelligence fit together
Posture data tells you what is exposed. Threat intelligence tells you which exposures matter now. On managed Windows fleets, Defender for Endpoint exposes missing KBs and CVEs per device, Intune shows device inventory and installed software, and update policy data shows whether remediation controls are actually assigned. Those sources become materially stronger when enriched with KEV, EPSS, MSRC exploitability, SSVC status, and public exploit evidence. The pattern is simple: inventory without intelligence is blind to urgency, and intelligence without inventory is blind to scope. The value comes from joining both into one ranking pipeline.
Practical implication: Build one prioritisation workflow that combines exposure, exploitability, and remediation scope.
Why exploitation evidence beats raw severity for remediation order
Exploitation evidence compresses uncertainty. KEV confirms in-the-wild use, EPSS estimates near-term likelihood, SSVC adds exploitation and impact context, and public proof-of-concept code shows when attack effort has been commoditised. Each signal narrows the list from thousands of CVEs to a short operational queue. That ordering matters because patch windows are finite and some exposures recur every month. In identity-linked estates, the same logic applies to systems that protect secrets, tokens, and access paths: the question is not how bad a flaw could be in theory, but whether attackers can already use it to widen access.
Practical implication: Prioritise confirmed exploitation, then predicted exploitation, then exploit availability.
Threat narrative
Attacker objective: To convert known software exposure into reliable access before defenders can prioritise and close the weakness.
- Entry occurs when attackers target a vulnerability that is already exposed in the managed environment and can be reached before remediation.
- Escalation follows when a confirmed or commoditised exploit turns the vulnerability into a repeatable path into systems, data, or adjacent access controls.
- Impact occurs when the organisation spends scarce patching time on low-value findings while the exploited item remains open long enough for intrusion, ransomware, or data theft.
NHI Mgmt Group analysis
Exploitation-led prioritisation is now the only defensible patch governance model. CVSS remains useful, but it is too abstract to drive response order in a live enterprise. When the same month produces thousands of missing updates, only exploitation evidence separates theoretical exposure from active attack surface. Practitioners should treat the ranking method itself as a control decision, not a reporting preference.
Secret exposure windows are a parallel vulnerability queue, not a separate problem. The article’s patch-first logic intersects directly with NHI governance because exposed tokens, API keys, and service credentials often become the first step after software exploitation. That means vulnerability management, secrets management, and access governance need a shared prioritisation view. The practitioner conclusion is that a vulnerability queue that ignores secrets and service identity is incomplete.
Posture visibility is only valuable when remediation ownership is explicit. Inventory can tell you what is missing, but it cannot force an update ring, an Autopatch profile, or an exception owner to behave correctly. In governance terms, this is an accountability problem as much as a detection problem. Teams should expect recurring gaps until policy assignment, exception handling, and asset ownership are part of the same control plane.
Exploit intelligence should reshape board reporting, not just analyst triage. The useful question is no longer how many CVEs exist, but how many exploitable ones remain in the environment and how quickly the organisation can shrink that set. That is a better metric for risk acceptance, because it ties security work to attacker behaviour rather than to abstract counts. The practitioner implication is to report exploited exposure as a distinct governance measure.
What this signals
Exploitation-led ranking will increasingly become the default expectation for vulnerability governance. Teams that still report raw CVE counts without an exploitation lens will struggle to explain why their remediation effort does not reduce risk. For identity and access programmes, the same principle now applies to secrets and service credentials, where the real question is which exposures can be turned into access fastest.
The practical signal for practitioners is that patching, secrets handling, and ownership metadata need to converge in one reporting model. That is especially true where credentials and vulnerable services intersect, because the attacker only needs one reliable path. A queue that looks complete on paper but does not account for exposure age, exploitability, and owner assignment will keep repeating the same failure.
For practitioners
- Rank by exploitation evidence first Build your patch queue so KEV membership, active SSVC status, and vendor exploitability data outrank raw CVSS, then use CVSS only as a secondary tie-breaker. This keeps the day-one list short and defensible.
- Join posture and intelligence feeds Combine Defender missing-KB data, Intune installed-software inventory, and update-policy assignments with KEV, EPSS, and public exploit evidence in one pipeline. Separate exposure detection from remediation ranking so neither feed becomes a bottleneck.
- Treat exposed secrets as priority findings Fold leaked credentials, API keys, and certificates into the same remediation workflow as vulnerable software, because attackers often use them to bypass patch-based controls entirely. Coordinate with identity and platform owners before the exposure window widens.
- Audit policy assignment, not just device counts Check whether update rings, update profiles, and Autopatch deployments are actually assigned to the devices you think they cover. A clean-looking policy object with no assignment is a governance failure, not a healthy control.
Key takeaways
- Exploitation evidence, not severity alone, is the strongest predictor of what should be patched first.
- The data shows a small fraction of CVEs drive most urgent remediation decisions, so queue design matters more than raw volume.
- Teams that unify posture, exploit intelligence, and ownership can shrink risk faster than teams that sort by CVSS alone.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5, CIS Controls v8 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| MITRE ATT&CK | TA0006 , Credential Access; TA0040 , Impact | The article prioritises exploited CVEs and attack-driven remediation order. |
| NIST CSF 2.0 | DE.CM-8 | Continuous monitoring supports exploitation-led exposure visibility. |
| NIST SP 800-53 Rev 5 | RA-5 | Vulnerability scanning and prioritisation are central to the article's control model. |
| CIS Controls v8 | CIS-7 , Continuous Vulnerability Management | The post is fundamentally about vulnerability prioritisation and remediation cadence. |
| NIST AI RMF | MAP | The article uses threat evidence to map real-world risk rather than abstract severity. |
Use MAP to connect exposure data, exploitability signals, and business context before remediation decisions.
Key terms
- Exploitation-led prioritisation: A remediation approach that ranks vulnerabilities by evidence of active use, exploit availability, and exposure in the environment rather than by severity score alone. It aligns patch effort to attacker behaviour, which makes limited maintenance windows more effective.
- Known Exploited Vulnerabilities catalog: A curated list of CVEs with confirmed in-the-wild exploitation. It is valuable because it shifts a vulnerability from theoretical risk into an operationally proven threat, giving defenders a defensible signal for urgent remediation.
- Patch posture: The current state of missing updates, software exposure, and policy coverage across managed devices. It shows what is unpatched and where, but it does not by itself tell you which findings matter most to attackers.
- Exploitability signal: Any indicator that a vulnerability is likely to be used soon or is already being used, such as exploitability ratings, proof-of-concept code, or catalog membership. These signals help convert a long vulnerability list into a shorter response queue.
What's in the full article
Senserva's full analysis covers the operational detail this post intentionally leaves for the source:
- The per-source enrichment workflow for MSRC, KEV, EPSS, SSVC, CIRCL, and VulnCheck.
- The edition-aware end-of-life handling rules for Windows and third-party product support timelines.
- The implementation notes for building a cached ranking pipeline with rate-limit handling and fail-open behaviour.
- The monthly Patch Tuesday tracker logic that turns exploit signals into a short remediation shortlist.
Deepen your knowledge
NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, machine identity security, and secrets management. It helps practitioners connect identity controls to the wider security programme they already run.
Published by the NHIMG editorial team on July 12, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org