External Publication
Visit Post

Why CVSS Alone Doesn't Tell You What to Patch First

DEV Community [Unofficial] July 1, 2026
Source

Your Nessus scan just finished. You have 5,000 findings. CVSS says 200 of them are Critical.

Where do you actually start?

If your answer is "sort by CVSS score and work from the top" — you are making the same mistake most security teams make. And it is costing you hours every week while leaving your most dangerous vulnerabilities unpatched.

The problem with CVSS

CVSS (Common Vulnerability Scoring System) measures the theoretical severity of a vulnerability. It answers the question: how bad could this be in the worst case?

It does not answer: is anyone actually exploiting this right now?

A CVSS 9.8 vulnerability on an isolated internal test server with no internet access is less urgent than a CVSS 7.0 vulnerability on your public-facing web server that attackers are actively exploiting today.

CVSS cannot tell you which one to fix first. It was never designed to.

What CISA KEV actually means

The Cybersecurity and Infrastructure Security Agency maintains a catalog called the Known Exploited Vulnerabilities (KEV) list.

This is not a theoretical list. Every CVE on this list has been confirmed as actively exploited in the wild. Real attackers. Real infrastructure. Right now.

As of today the KEV catalog contains over 1,100 CVEs — out of more than 250,000 total CVEs ever published.

That means less than 0.5% of all known vulnerabilities are confirmed to be actively exploited.

If your Nessus scan returns 4,847 findings and 19 of them match the KEV catalog — those 19 are your actual priority. Not the 200 that CVSS calls Critical.

What EPSS predicts

FIRST (Forum of Incident Response and Security Teams) publishes the Exploit Prediction Scoring System (EPSS).

EPSS uses machine learning trained on real-world exploitation data to estimate the probability that a CVE will be exploited in the next 30 days.

A CVE with an EPSS score of 0.94 has a 94% probability of being exploited in the next 30 days. A CVE with EPSS 0.001 has a 0.1% probability.

This is far more actionable than CVSS severity.

A real example — Log4Shell

CVE-2021-44228 (Log4Shell) has:

  • CVSS: 10.0 (maximum)
  • KEV: Yes — confirmed exploited
  • EPSS: 0.975 — 97.5% exploitation probability

CVE-2021-45046 (a related Log4j variant) has:

  • CVSS: 9.0
  • KEV: Yes
  • EPSS: 0.960

Both would appear near the top of a CVSS-sorted list. So far so good.

But consider this common scenario: a CVSS 9.8 vulnerability in an obscure library with no public exploit code, no KEV entry, and an EPSS of 0.002.

On a CVSS-sorted list it sits above Log4Shell variants. In reality it should be deprioritized until the known exploited vulnerabilities are patched.

CVSS cannot make this distinction. KEV and EPSS can.

The composite approach

The most effective vulnerability prioritization combines all three signals:

Signal Weight What it tells you
CISA KEV 40% Actively exploited right now
FIRST EPSS 35% Exploitation probability next 30 days
CVSS 15% Severity context
Scanner rating 10% Additional context

Any finding confirmed in the KEV catalog should score a minimum of 75/100 regardless of other factors. KEV means patch immediately — no further analysis needed.

What this looks like in practice

When you apply composite scoring to a real Nessus scan, the output looks very different from a CVSS sort:

#  Score   Priority      Host            CVE              Finding
1  100.0   CRITICAL NOW  192.168.1.10   CVE-2021-44228   Log4Shell ★KEV
2  100.0   CRITICAL NOW  192.168.1.25   CVE-2023-34362   MOVEit SQLi ★KEV
3  99.8    CRITICAL NOW  192.168.1.15   CVE-2020-1472    Zerologon ★KEV
4  99.7    CRITICAL NOW  192.168.1.11   CVE-2021-26084   Confluence RCE ★KEV
5  11.5    LOW           192.168.1.10   N/A              SSH Weak Ciphers

The SSH weak ciphers finding would appear near the top of a CVSS sort. With composite scoring it correctly sits at the bottom — it has no KEV match, low EPSS, and no real-world exploitation in this context.

The time cost of manual triage

Most security teams spend hours per scan cycle doing this manually:

  1. Export Nessus CSV
  2. Open in Excel
  3. Sort by CVSS
  4. Manually check KEV catalog
  5. Manually check EPSS scores
  6. Build remediation priority list
  7. Repeat next week

This is a solved problem. The data is public. The methodology is documented. The only missing piece was a tool that does it automatically — locally, privately, without uploading your scan data.

VulnPilot

We built VulnPilot to solve exactly this problem.

pip install vulnpilot
vulnpilot update-feeds
vulnpilot analyze scan.csv

It downloads the latest KEV and EPSS feeds, cross-references your Nessus scan locally, applies composite scoring, and outputs a prioritized remediation list in seconds.

Everything runs on your machine. Your scan data never leaves your environment. No account required. No cloud upload.

Free and open source: github.com/PatchVex/vulnpilot

Website: patchvex.com

Built by PatchVex — privacy-first security tools for DevSecOps and Security teams.

Discussion in the ATmosphere

Loading comments...