CVSS Score vs. Real-World Exploitability: Why a 9.8 Is Not Always Your Biggest Risk

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
CVSS scores measure theoretical maximum severity, not the probability of exploitation in your environment or whether an attacker is using this vulnerability right now. A CVSS 9.8 with no public exploit code and no active exploitation evidence is lower priority than a CVSS 6.5 that appears in the CISA Known Exploited Vulnerabilities catalog and is being used in active ransomware campaigns against your sector.
The gap between CVSS score and real-world exploitation is significant. Over 186,000 CVEs exist in the NVD. Only 7% ever have public proof-of-concept exploit code published. A much smaller fraction are actively used in attacks. Patching by CVSS score alone means spending the bulk of your patch cycle on vulnerabilities that will never be exploited in the wild, while vulnerabilities being actively weaponized wait behind them.
This guide explains what CVSS measures and what it intentionally ignores, introduces EPSS (Exploit Prediction Scoring System) as the complementary probability signal, and shows how to combine CVSS, EPSS, and CISA KEV into a three-signal prioritization formula. Two worked examples using real CVE comparisons show exactly when a lower-CVSS vulnerability outranks a higher one.
What CVSS Measures and What It Intentionally Ignores
CVSS (Common Vulnerability Scoring System) rates the intrinsic severity of a vulnerability based on its technical characteristics. The base score evaluates six factors: attack vector (how the vulnerability is reached), attack complexity (difficulty of exploitation), privileges required, user interaction required, scope (whether the exploit crosses system boundaries), and the impact on confidentiality, integrity, and availability.
CVSS deliberately ignores three things that matter enormously for practical risk:
Threat context. CVSS base scores do not account for whether a vulnerability is actively being exploited, whether exploit code exists, or whether it has been incorporated into commodity attack tooling like Metasploit. A zero-day under active mass exploitation and a theoretical vulnerability with no known exploitation receive identical base scores if their technical characteristics match.
Environmental context. CVSS base scores do not know whether the vulnerable component is internet-facing or air-gapped, whether you run the vulnerable version, or whether compensating controls are in place. Environmental Score modifiers exist in the framework but are rarely calculated because they require per-asset assessment that most organizations cannot perform at scale.
Exploit availability. A CVSS 9.8 vulnerability may require a highly specific exploit chain that no public tooling implements. Another at CVSS 6.5 may be trivially exploitable with a one-line command any attacker can run. CVSS base scores treat both identically.
This is not a flaw in CVSS, it is an intentional design constraint. CVSS is designed to be a reproducible, vendor-neutral severity score that changes only when the vulnerability's technical properties change. Use the CVSS v4.0 Calculator to understand score composition, then add EPSS and KEV to translate severity into exploitation risk.
EPSS: The Exploitation Probability Signal CVSS Does Not Provide
EPSS (Exploit Prediction Scoring System) is a machine learning model from FIRST.org that predicts the probability a CVE will be exploited in the next 30 days. It is expressed as a score from 0 to 1: a score of 0.9 means a 90% probability of exploitation attempts in the next 30 days based on current threat data.
EPSS is trained on exploitation telemetry from threat intelligence feeds, honeypot data, and observed exploitation events. It updates daily. A CVE scored low-probability six months ago can jump overnight if exploit code is published or a threat actor begins actively using it in campaigns.
EPSS and CVSS answer different questions. CVSS answers: how severe is this vulnerability if exploited? EPSS answers: how likely is this vulnerability to be exploited in the next 30 days? Both signals are required for a complete prioritization picture.
EPSS data is free via API at api.first.org/data/v1/epss?cve=CVE-YYYY-XXXXX. You can also look up individual scores at first.org/epss. Practical thresholds: scores above 0.1 (10%) warrant attention, above 0.5 indicate active exploitation tooling or ongoing campaigns, above 0.7 indicate mass exploitation in progress.
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
CISA KEV: The Highest-Confidence Exploitation Signal
CISA KEV is not a probability, it is a confirmed fact. A CVE in the KEV catalog has been verified as actively exploited in real attacks. It is the highest-confidence exploitation signal available for free.
KEV entries are 3.9 times more likely to be exploited against a given organization than CVSS-equivalent CVEs not in KEV. If a CVE is in KEV and affects software you run, it belongs at the top of your patch queue regardless of CVSS score.
The combination of EPSS and KEV catches two different exploitation scenarios. KEV catches confirmed exploitation that CISA has verified. EPSS catches rising exploitation probability for CVEs not yet in KEV, particularly useful in the 15-day median window between CVE publication and first active exploitation for vulnerabilities that eventually make it into KEV. An EPSS spike on a recently disclosed CVE is often the earliest signal that KEV addition is imminent.
For a complete KEV-based triage framework including the four-tier priority queue and sprint capacity overflow protocols, see the CISA KEV Triage Guide.
The Three-Signal Prioritization Formula
Combine three signals to produce a patch priority tier for each CVE in your scan results:
Signal 1: CISA KEV status. Is this CVE in CISA KEV? If yes and the affected asset exists in your environment, it is automatically Tier 1, patch within 14 days.
Signal 2: EPSS score. If not in KEV, check EPSS. Score above 0.5: Tier 1. Score between 0.1 and 0.5: Tier 2 (patch within 30 days). Score below 0.1: proceed to CVSS evaluation.
Signal 3: CVSS with environmental context. For CVEs with low EPSS and no KEV membership, CVSS becomes relevant as a severity filter. Apply CVSS only after confirming the CVE affects software you actually run. A CVSS 9.8 affecting software not in your environment requires zero action.
Output tiers:
- Tier 1 (14 days): In KEV, or EPSS above 0.5, and asset is in environment
- Tier 2 (30 days): EPSS 0.1 to 0.5, or CVSS 9.0+ on internet-facing assets
- Tier 3 (90 days): EPSS below 0.1, CVSS 7.0 to 8.9, not internet-facing
- Defer: CVE does not affect software in your environment, or CVSS below 7.0 with no exploitation evidence
Check CISA KEV status first
KEV membership is the highest-confidence exploitation signal. Any KEV entry affecting your environment goes straight to Tier 1 regardless of CVSS score.
Look up EPSS score at first.org/epss
EPSS above 0.5 means active tooling or campaigns. Above 0.1 warrants Tier 2 attention. Below 0.1 moves the CVE to CVSS-based evaluation.
Apply CVSS last as a severity tiebreaker
CVSS is the tiebreaker for low-probability CVEs with no confirmed exploitation. Filter first by whether your environment actually runs the affected software version.
Two Worked Examples
Example A: CVSS 9.8 with no exploitation vs. CVSS 6.5 in active KEV campaign
A newly disclosed authentication bypass in a web framework scores CVSS 9.8. It was disclosed 3 days ago. EPSS score: 0.04 (4% exploitation probability in 30 days). Not in CISA KEV.
A command injection vulnerability in a widely deployed VPN product scores CVSS 6.5. It was added to CISA KEV last week. EPSS score: 0.71 (71% exploitation probability in 30 days). It is being cited in active ransomware campaign advisories targeting your sector this month.
Sorted by CVSS: the 9.8 patches first. Using the three-signal formula: the 6.5 in KEV with EPSS 0.71 patches first. An attacker is actively exploiting the second vulnerability in real infrastructure right now. The first carries a 4% probability of being weaponized in the next 30 days.
Example B: Log4Shell vs. Zerologon in December 2021
Log4Shell (CVE-2021-44228) disclosed in December 2021: CVSS 10.0, explosive coverage, zero days of active exploitation at initial disclosure.
Zerologon (CVE-2020-1472) in December 2021: CVSS 10.0, already in CISA KEV since September 2020, 15 months of confirmed active exploitation by that point, used by multiple nation-state and ransomware actors.
Both needed immediate attention. But any team that had not patched Zerologon by December 2021 had a 15-month-confirmed actively exploited domain controller vulnerability that KEV membership signaled since day one. Log4Shell was equally severe but emerging. Zerologon was severe and proven.
Use the Patch Priority Tool to score CVEs against all three signals without manual lookup for each entry.
The bottom line
CVSS measures severity under ideal exploitation conditions, not the probability that an attacker is targeting your organization this sprint. The three-signal formula changes patch decisions: check CISA KEV first (confirmed exploitation), then EPSS score (active exploitation probability in the next 30 days), then CVSS with environmental context as a tiebreaker for CVEs with no exploitation evidence. A CVSS 6.5 in KEV with an EPSS of 0.65 outranks a CVSS 9.8 with an EPSS of 0.02 every time.
Frequently asked questions
What does CVSS actually measure?
CVSS (Common Vulnerability Scoring System) measures the theoretical maximum severity of a vulnerability based on six technical characteristics: attack vector, attack complexity, privileges required, user interaction required, scope, and impact on confidentiality, integrity, and availability. It does not account for whether the vulnerability is actively being exploited, whether exploit code exists, or whether compensating controls are in place in your environment. CVSS is a reproducible severity score, not an exploitation likelihood or business risk score.
What is EPSS and how is it different from CVSS?
EPSS (Exploit Prediction Scoring System) is a machine learning model from FIRST.org that predicts the probability a CVE will be exploited in the next 30 days, scored from 0 to 1. CVSS answers 'how severe is this vulnerability if exploited?' EPSS answers 'how likely is this vulnerability to be exploited in the next 30 days?' Both signals are needed for effective patch prioritization. EPSS scores update daily and are freely available at first.org/epss and via the FIRST API.
Why doesn't a CVSS 9.8 mean I should patch it first?
CVSS 9.8 means the vulnerability is theoretically capable of catastrophic impact under ideal exploitation conditions. It does not mean anyone is actively exploiting it. Over 186,000 CVEs exist in the NVD and only 7% ever have public exploit code published. A CVSS 9.8 with an EPSS score of 0.01 has a 1% probability of exploitation in the next 30 days. A CVSS 6.5 in CISA KEV with EPSS 0.7 is being actively exploited in real infrastructure right now. Sequence by confirmed exploitation first.
How do I combine CVSS, EPSS, and CISA KEV for patch prioritization?
Apply three signals in order: First, check CISA KEV, if the CVE is listed and affects your environment, it is Tier 1 regardless of CVSS. Second, check EPSS at first.org/epss, above 0.5 is Tier 1, between 0.1 and 0.5 is Tier 2 (patch within 30 days). Third, use CVSS as the tiebreaker for low-EPSS CVEs not in KEV, but only after confirming your environment runs the affected software. The Patch Priority Tool at decryptiondigest.com/patch-priority applies this logic interactively.
How do I get EPSS scores for CVEs?
EPSS scores are freely available at first.org/epss, enter any CVE ID to get the current probability score and historical trend. The FIRST API at api.first.org/data/v1/epss?cve=CVE-YYYY-XXXXX returns JSON with the current score and percentile ranking. Bulk lookups via comma-separated CVE IDs are supported. Tenable, Qualys, and Rapid7 also display EPSS scores natively in scan results as of 2025.
What EPSS score threshold should I use for prioritization?
Three practical thresholds: above 0.5 (50%) indicates active exploitation tooling, ongoing campaigns, or mass exploitation in progress, treat as equivalent to CISA KEV for prioritization purposes. Between 0.1 and 0.5 (10% to 50%) indicates emerging exploitation activity or published proof-of-concept code in active use, patch within 30 days. Below 0.1 (under 10%) means low exploitation probability, use CVSS severity and environmental context as primary signals for these CVEs.
What free tools support this three-signal prioritization framework?
Three free tools cover the full framework: the CISA KEV catalog JSON feed at cisa.gov for KEV status, the FIRST EPSS API at first.org/epss for exploitation probability scores, and the Decryption Digest Patch Priority Tool at decryptiondigest.com/patch-priority for an interactive SSVC-based decision tree that combines exploitation status, technical impact, exposure, and mission criticality into a single priority verdict. For CVSS score composition analysis, the CVSS v4.0 Calculator is at decryptiondigest.com/cvss-calculator.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
