CVSS + EPSS + KEV: Why You Need All Three to Effectively Manage Vulnerabilities

Rezilion research examines EPSS for managing vulnerabilities

Security and development teams know that managing vulnerabilities is complex and challenging. The ultimate aim of a vulnerability management program is to minimize the organization’s overall risk exposure by identifying, prioritizing, and resolving vulnerabilities that impact its assets and environment.

Attackers frequently exploit known vulnerabilities to gain access to the organization. Yet as the number of discovered vulnerabilities continues to rise, security teams face resource limitations and noise from various vulnerability scanning tools.

The Common Vulnerability Scoring System (CVSS) is a widely used prioritization strategy, but relying on it alone has proven insufficient. A more effective approach requires additional context from both internal sources, such as asset criticality and mitigating controls, and external sources that assess the likelihood and feasibility of exploitation.

Earlier this year, Rezilion released research that examined the value of another source of vulnerability information: the CISA KEV catalog. Yet even with the information available in this resource, the report finds that millions of systems remain exposed to Known Exploited Vulnerabilities (KEVs) despite available patches. Now, in a new report released this month, Rezilion researchers find that knowing the KEV catalog, while helpful, is still insufficient for holistic vulnerability management, because newly discovered vulnerabilities are not quickly added to the catalog.

In this new research, available for download now, Rezilion’s vulnerability researchers identified more than 30 actively exploited vulnerabilities with a high EPSS (Exploit Prediction Scoring System) score that were not listed in the CISA KEV catalog, highlighting the coverage gap in that catalog. The report establishes that the likelihood of exploitation is empirically higher for vulnerabilities with a high EPSS score than for those with a low EPSS score. It also shows that teams that lean solely on CVSS for patching prioritization are missing key pieces of information needed for effective vulnerability management.

Download the new report today to learn why:

  • The conventional method of prioritizing vulnerabilities often falls short. A holistic approach, including CVSS, CISA’s KEV, and EPSS, paired with runtime validation to determine the exploitability of detected vulnerabilities in the contexts in which they appear, offers the best defense.
  • The KEV catalog alone is insufficient due to the delay in adding newly discovered vulnerabilities.
  • Vulnerabilities with a high EPSS score are more likely to be exploited, emphasizing the importance of this information in prioritization.

The report serves as an important reminder that organizations must look to more than just one metric for effective vulnerability management. Layers of information, provided through CVSS, CISA’s KEV, and EPSS, offer critical information that security teams need to stay on top of emerging vulnerabilities.
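As an added illustration (not code from Rezilion or the report), the following Python script ranks a constructed set of vulnerability records by layering the three signals the post names, and contrasts that with a CVSS-only sort. The tier thresholds, CVE identifiers and scores are assumptions made up for this example.

```python
"""Added example: layer CVSS, EPSS and CISA KEV membership when ordering a
patch queue instead of sorting on CVSS alone. Not Rezilion's code."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    cve: str        # placeholder identifier constructed for this example
    cvss: float     # CVSS base score, 0.0-10.0
    epss: float     # EPSS score: estimated probability of exploitation activity, 0.0-1.0
    in_kev: bool    # listed in the CISA KEV catalog


# Thresholds are assumptions for this example, not values from the report.
EPSS_HIGH = 0.5
CVSS_CRITICAL = 9.0


def tier(v: Vuln) -> int:
    """Lower tier = patch sooner. KEV membership is confirmed exploitation;
    a high EPSS score covers the KEV lag the report describes; CVSS severity
    is consulted only after both exploitation signals."""
    if v.in_kev:
        return 0
    if v.epss >= EPSS_HIGH:
        return 1
    if v.cvss >= CVSS_CRITICAL:
        return 2
    return 3


def prioritize(vulns):
    # Within a tier, higher EPSS first, then higher CVSS.
    return sorted(vulns, key=lambda v: (tier(v), -v.epss, -v.cvss))


def cvss_only(vulns):
    # The conventional ordering the post argues is insufficient on its own.
    return sorted(vulns, key=lambda v: -v.cvss)


# Constructed sample records; identifiers and scores are illustrative only.
SAMPLE = [
    Vuln("CVE-0000-0001", cvss=9.8, epss=0.02, in_kev=False),  # critical CVSS, low EPSS
    Vuln("CVE-0000-0002", cvss=7.5, epss=0.93, in_kev=False),  # high EPSS, not (yet) in KEV
    Vuln("CVE-0000-0003", cvss=6.5, epss=0.40, in_kev=True),   # confirmed exploited
    Vuln("CVE-0000-0004", cvss=5.3, epss=0.01, in_kev=False),
]

if __name__ == "__main__":
    print("CVSS only:", [v.cve for v in cvss_only(SAMPLE)])
    print("Layered  :", [v.cve for v in prioritize(SAMPLE)])
```

The CVSS-only sort puts the rarely exploited critical first, while the layered ordering moves the KEV entry and the high-EPSS vulnerability ahead of it.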
