Why CVSS Alone Doesn't Tell You What to Patch First
Your Nessus scan just finished. You have 5,000 findings. CVSS says 200 of them are Critical.
Where do you actually start?
If your answer is "sort by CVSS score and work from the top" — you are making the same mistake most security teams make. And it is costing you hours every week while leaving your most dangerous vulnerabilities unpatched.
The problem with CVSS
CVSS (Common Vulnerability Scoring System) measures the theoretical severity of a vulnerability. It answers the question: how bad could this be in the worst case?
It does not answer: is anyone actually exploiting this right now?
A CVSS 9.8 vulnerability on an isolated internal test server with no internet access is less urgent than a CVSS 7.0 vulnerability on your public-facing web server that attackers are actively exploiting today.
CVSS cannot tell you which one to fix first. It was never designed to.
What CISA KEV actually means
The Cybersecurity and Infrastructure Security Agency maintains a catalog called the Known Exploited Vulnerabilities (KEV) list.
This is not a theoretical list. Every CVE on this list has been confirmed as actively exploited in the wild. Real attackers. Real infrastructure. Right now.
As of today the KEV catalog contains over 1,100 CVEs — out of more than 250,000 total CVEs ever published.
That means less than 0.5% of all known vulnerabilities are confirmed to be actively exploited.
If your Nessus scan returns 4,847 findings and 19 of them match the KEV catalog — those 19 are your actual priority. Not the 200 that CVSS calls Critical.
What EPSS predicts
FIRST (Forum of Incident Response and Security Teams) publishes the Exploit Prediction Scoring System (EPSS).
EPSS uses machine learning trained on real-world exploitation data to estimate the probability that a CVE will be exploited in the next 30 days.
A CVE with an EPSS score of 0.94 has a 94% probability of being exploited in the next 30 days. A CVE with EPSS 0.001 has a 0.1% probability.
This is far more actionable than CVSS severity.
A real example — Log4Shell
CVE-2021-44228 (Log4Shell) has:
- CVSS: 10.0 (maximum)
- KEV: Yes — confirmed exploited
- EPSS: 0.975 — 97.5% exploitation probability
CVE-2021-45046 (a related Log4j variant) has:
- CVSS: 9.0
- KEV: Yes
- EPSS: 0.960
Both would appear near the top of a CVSS-sorted list. So far so good.
But consider this common scenario: a CVSS 9.8 vulnerability in an obscure library with no public exploit code, no KEV entry, and an EPSS of 0.002.
On a CVSS-sorted list it sits above Log4Shell variants. In reality it should be deprioritized until the known exploited vulnerabilities are patched.
CVSS cannot make this distinction. KEV and EPSS can.
The composite approach
The most effective vulnerability prioritization combines all three signals:
| Signal | Weight | What it tells you |
|---|---|---|
| CISA KEV | 40% | Actively exploited right now |
| FIRST EPSS | 35% | Exploitation probability next 30 days |
| CVSS | 15% | Severity context |
| Scanner rating | 10% | Additional context |
Any finding confirmed in the KEV catalog should score a minimum of 75/100 regardless of other factors. KEV means patch immediately — no further analysis needed.
What this looks like in practice
When you apply composite scoring to a real Nessus scan, the output looks very different from a CVSS sort:
# Score Priority Host CVE Finding
1 100.0 CRITICAL NOW 192.168.1.10 CVE-2021-44228 Log4Shell ★KEV
2 100.0 CRITICAL NOW 192.168.1.25 CVE-2023-34362 MOVEit SQLi ★KEV
3 99.8 CRITICAL NOW 192.168.1.15 CVE-2020-1472 Zerologon ★KEV
4 99.7 CRITICAL NOW 192.168.1.11 CVE-2021-26084 Confluence RCE ★KEV
5 11.5 LOW 192.168.1.10 N/A SSH Weak Ciphers
The SSH weak ciphers finding would appear near the top of a CVSS sort. With composite scoring it correctly sits at the bottom — it has no KEV match, low EPSS, and no real-world exploitation in this context.
The time cost of manual triage
Most security teams spend hours per scan cycle doing this manually:
- Export Nessus CSV
- Open in Excel
- Sort by CVSS
- Manually check KEV catalog
- Manually check EPSS scores
- Build remediation priority list
- Repeat next week
This is a solved problem. The data is public. The methodology is documented. The only missing piece was a tool that does it automatically — locally, privately, without uploading your scan data.
VulnPilot
We built VulnPilot to solve exactly this problem.
pip install vulnpilot
vulnpilot update-feeds
vulnpilot analyze scan.csv
It downloads the latest KEV and EPSS feeds, cross-references your Nessus scan locally, applies composite scoring, and outputs a prioritized remediation list in seconds.
Everything runs on your machine. Your scan data never leaves your environment. No account required. No cloud upload.
Free and open source: github.com/PatchVex/vulnpilot
Website: patchvex.com
Built by PatchVex — privacy-first security tools for DevSecOps and Security teams.
Discussion in the ATmosphere