TL;DR: CVE triage breaks down when teams rely on CVSS alone, because severity scores do not show whether a flaw is actively exploited or trending toward exploitation. Senserva’s analysis argues for combining CISA KEV, EPSS, exposure age, and fleet scope so remediation can be defended to both auditors and operators.
NHIMG editorial — based on content published by Senserva: prioritising CVEs with KEV, EPSS, and Microsoft patch data
By the numbers:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
Questions worth separating out
Q: How should teams prioritise vulnerabilities when CVSS scores are not enough?
A: Teams should rank vulnerabilities using KEV status, EPSS probability, affected asset count, and privilege exposure instead of relying on CVSS alone.
Q: Why do KEV and EPSS improve remediation decisions?
A: KEV shows confirmed exploitation, while EPSS estimates short-term likelihood of exploitation.
Q: What do security teams get wrong about patch severity?
A: They often assume a high severity score means a vulnerability should be fixed first.
Practitioner guidance
- Promote KEV-listed flaws automatically Move any KEV-listed CVE to the top of the remediation queue, even if the CVSS score is lower than other open findings.
- Add EPSS thresholds to patch triage Use a daily EPSS threshold to separate findings that are likely to be exploited soon from those that can wait for the next planned maintenance cycle.
- Weight patch urgency by privileged exposure Give higher priority to vulnerabilities on systems with admin reach, remote management access, or broad fleet deployment.
What's in the full article
Senserva's full analysis covers the operational detail this post intentionally leaves for the source:
- Microsoft CVE lookup and patch tracker workflow details for free use without sign-up
- How enriched CVE records combine KEV, EPSS, MSRC, and Defender Vulnerability Management data
- Defendable ranking logic for Microsoft environments with both exposure and patch context
- The local MCP query experience for asking plain-language remediation questions
👉 Read Senserva's analysis of KEV, EPSS, and Microsoft CVE prioritisation →
CVE prioritization and KEV signals: what should teams fix first?
Explore further
CVSS-only patch programs create a false sense of priority. A score tells teams where a flaw sits on a severity scale, but not whether it is already in active use or whether the organisation is exposed in a way that matters. That gap is why vulnerability queues often look rational on paper and fail operationally in the field. Practitioners should treat severity as input, not decision.
A few things that frame the scale:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which leaves many remediation programmes blind to the identities most likely to carry privilege.
A question worth separating out:
Q: Who is accountable when a known exploited vulnerability stays open?
A: Accountability usually sits with the security owner for prioritisation, the operations team for remediation, and the business owner for risk acceptance if the issue remains open. Frameworks such as NIST CSF support this shared model by making remediation governance part of resilience, not just patching.
👉 Read our full editorial: CVE prioritization needs KEV and EPSS, not CVSS alone