TL;DR: CISA’s BOD 26-04 shifts vulnerability prioritization away from CVSS-only scoring toward exploit likelihood, internet exposure, known in-the-wild activity, automation potential, and impact, reflecting the growing gap between disclosed vulnerabilities and what attackers actually target, according to Proofpoint. Severity is no longer a sufficient control signal when exploit windows compress quickly and remediation capacity remains finite.
NHIMG editorial — based on content published by Proofpoint: CISA BOD 26-04 and the shift to risk-based vulnerability management
Questions worth separating out
Q: What breaks when vulnerability management is based only on CVSS scores?
A: CVSS-only prioritisation breaks when several lower-scoring flaws can be combined into a complete exploit path.
Q: Why do exploited systems create more identity risk than patching teams usually expect?
A: Exploited systems often hold credentials, privileged accounts, or trust relationships that are more valuable than the original flaw.
Q: How do security teams know if exploitation-based prioritisation is working?
A: Look for a shorter must-fix list, fewer exposed KEV items, faster closure of actively exploited CVEs, and clearer ownership for the devices or applications that stay open longest.
Practitioner guidance
- Rebuild patch triage around exploitability Rank vulnerabilities by internet exposure, evidence of exploitation in the wild, and automation potential before using CVSS as a secondary tie-breaker.
- Link vulnerability queues to IAM and PAM controls When a vulnerable asset can expose accounts, tokens, or administrative paths, require access restriction or step-up controls before patch completion.
- Use compensating controls during patch windows Apply segmentation, filtering, and temporary hardening to reduce exposure while updates move through distributed environments.
What's in the full article
Proofpoint's full blog covers the operational detail this post intentionally leaves for the source:
- How Active Exploits Protection correlates observed attacker behaviour with vulnerability priority decisions across email and network traffic.
- The article's explanation of how first-mile visibility helps teams reduce exposure during patching windows before payload execution.
- The operational framing behind CISA BOD 26-04 and why exploit intelligence changes security operations triage.
- Proofpoint's examples of how teams can distinguish urgent exposures from lower-priority scanner findings.
👉 Read Proofpoint's analysis of CISA BOD 26-04 and risk-based vulnerability management →
Risk-based vulnerability management: what changes for security teams?
Explore further
Risk-based remediation is now an identity governance issue, not just a vulnerability management issue. Once an exploit turns into credential theft, session compromise, or privilege escalation, the relevant control surface is no longer only patching. It becomes the interaction between exposure management, authentication, and privilege boundaries. That is why security leaders should treat exploit intelligence as input to IAM and PAM decisions, not as a separate operations feed.
A question worth separating out:
Q: Who is accountable when a known exploited Office vulnerability remains unpatched?
A: Accountability sits with the owners of endpoint patching, email security, and privileged workstation governance, because the exposure spans all three. When a CVE is in KEV and patches are available, delayed remediation becomes a governance failure as well as a technical one. CISA deadlines and internal patch SLAs should be aligned to that reality.
👉 Read our full editorial: Risk-based vulnerability management now outranks severity scores