Relying on CVSS alone is risky for vulnerability management
A vulnerability management strategy that relies solely on CVSS for vulnerability prioritization is proving to be insufficient at best, according to Rezilion.
In fact, relying solely on a CVSS severity score to assess the risk of individual vulnerabilities was shown to be equivalent to randomly selecting vulnerabilities for remediation.
Additional context is required to allow for a more scalable and effective prioritization strategy. This context should come from internal sources, meaning the target environment (asset criticality, mitigating controls, reachability), as well as from external sources, which allow for a better assessment of the likelihood and feasibility of exploitation.
Earlier this year, in a report on the CISA KEV catalog, Rezilion identified the glaring issue of millions of systems being exposed to Known Exploited Vulnerabilities (KEVs) despite available patches.
In the new research, Rezilion’s vulnerability researchers identified more than 30 actively exploited vulnerabilities with a high EPSS score that were not listed in the CISA KEV catalog, highlighting a coverage gap in that catalog.
The key to effective vulnerability management
The report establishes that the likelihood of exploitation is empirically higher for vulnerabilities that received a high EPSS score than for those with low EPSS scores.
“These findings accentuate the need for considering more than just one metric for effective vulnerability management,” said Yotam Perkal, Director of Vulnerability Research with Rezilion.
“Our research shows that the interplay of CVSS, CISA’s KEV, and EPSS offers the most comprehensive approach to managing vulnerabilities. Ignoring any of these components can lead to gaps in an organization’s security posture. The right blend of these tools allows for accurate prioritization, ensuring the most dangerous vulnerabilities are addressed promptly,” added Perkal.
The conventional method of prioritizing vulnerabilities often falls short. A holistic approach, including CVSS, CISA’s KEV, and EPSS, paired with runtime validation to determine the exploitability of detected vulnerabilities in the contexts in which they appear, offers the best defense.
Organizations have a limited patching capacity
The KEV catalog alone is insufficient due to the delay in adding newly discovered vulnerabilities. Vulnerabilities with a high EPSS score are more likely to be exploited, emphasizing the importance of this information in prioritization.
Most organizations have a limited patching capacity affected by the tooling, processes, and skills at their disposal. The challenge is to direct that limited patching capacity toward the vulnerabilities that matter most in terms of risk reduction. Hence, the task of sifting the signal from the noise is becoming increasingly important.
A patching strategy that considers CVSS, internal environment context (such as reachability analysis, asset criticality, and provenance), and additional threat intelligence sources such as CISA KEV combined with EPSS, can assist organizations in making informed, risk-based vulnerability management decisions and improve the overall security posture of their organization.
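The following is an added example, not code from Rezilion or the report: a sketch of how CVSS, CISA KEV membership, EPSS, reachability and asset criticality could be combined to spend a fixed patching capacity, compared with a CVSS-only ranking. The field names, the EPSS cut-off, the tier ordering, the capacity of three and the sample findings are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

EPSS_HIGH = 0.5      # assumed cut-off for a "high" EPSS probability
PATCH_CAPACITY = 3   # assumed number of fixes the team can ship this cycle

@dataclass
class Finding:
    cve: str            # placeholder ID, constructed for this example
    cvss: float         # CVSS base score, 0.0-10.0
    epss: float         # EPSS exploitation probability, 0.0-1.0
    in_kev: bool        # listed in the CISA KEV catalog
    reachable: bool     # vulnerable code is reachable at runtime
    criticality: int    # asset criticality, 1 (low) to 3 (high)

def risk_key(f: Finding):
    """Sort key: lower tuples are patched first (tiering is an assumption)."""
    if not f.reachable:
        tier = 3                      # not exploitable in this environment
    elif f.in_kev:
        tier = 0                      # known exploited and reachable
    elif f.epss >= EPSS_HIGH:
        tier = 1                      # likely exploited, not (yet) in KEV
    else:
        tier = 2                      # fall back to asset value and severity
    return (tier, -f.criticality, -f.epss, -f.cvss)

def prioritize(findings, capacity=PATCH_CAPACITY):
    """Context-driven selection: the top `capacity` findings by risk_key."""
    return [f.cve for f in sorted(findings, key=risk_key)[:capacity]]

def cvss_only(findings, capacity=PATCH_CAPACITY):
    """Baseline: highest CVSS base score first, no other context."""
    return [f.cve for f in sorted(findings, key=lambda f: -f.cvss)[:capacity]]

# Constructed sample data; identifiers and scores are not real CVEs.
FINDINGS = [
    Finding("CVE-EXAMPLE-0001", 9.8, 0.02, False, False, 1),
    Finding("CVE-EXAMPLE-0002", 9.1, 0.01, False, True, 1),
    Finding("CVE-EXAMPLE-0003", 7.5, 0.94, False, True, 3),
    Finding("CVE-EXAMPLE-0004", 6.5, 0.30, True, True, 2),
    Finding("CVE-EXAMPLE-0005", 8.8, 0.88, True, False, 3),
    Finding("CVE-EXAMPLE-0006", 5.3, 0.71, False, True, 2),
]

if __name__ == "__main__":
    print("CVSS only:      ", cvss_only(FINDINGS))
    print("Context-driven: ", prioritize(FINDINGS))
```

On this constructed data the two rankings select entirely different findings: the CVSS-only list spends two of its three slots on unreachable code, while the context-driven list covers the reachable KEV entry and both reachable high-EPSS entries.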