Vulnerability prioritization by exploitability
Order vulnerability remediation by likelihood of exploitation, not by raw CVSS severity. CVSS measures theoretical impact; it does not tell you whether anyone is exploiting the flaw or whether your code even reaches the vulnerable path. Combine the CISA KEV catalog, EPSS, and reachability analysis to fix the few things that matter before the many that do not.
Signals, in priority order
You MUST evaluate each finding against these signals and remediate in this order:
- CISA KEV (Known Exploited Vulnerabilities) catalog — Treat any CVE present in the catalog as top priority. Inclusion requires an assigned CVE ID, reliable evidence of active in-the-wild exploitation, and a clear remediation action (vendor update, mitigation, or removal), which is what makes the catalog the authoritative "fix now" list. It is published as JSON and CSV and changes frequently; pull it on a schedule rather than checking against a snapshot. You MUST fix KEV-listed CVEs that are reachable in your codebase ahead of all non-KEV findings.
- EPSS (Exploit Prediction Scoring System) probability — A daily-updated 0.0–1.0 estimate (with a percentile rank across all scored CVEs) of the chance a CVE is exploited in the wild in the next 30 days. You SHOULD prioritize high-EPSS CVEs after KEV. A common practical cutoff is the top decile by percentile (roughly EPSS ≥ 0.1 under recent models); FIRST frames the choice of threshold as a trade-off between coverage and efficiency rather than a fixed number, and you MAY raise the bar (e.g. ≥ 0.5) under resource constraints. Record the raw score, the percentile, the score date, and the model version, because raw scores are not comparable across model versions.
- Reachability — You SHOULD use reachability/call-graph analysis (SCA tooling or manual tracing) to confirm the vulnerable function is actually invoked from your entry points. Deprioritize transitive dependency CVEs whose vulnerable code path is never reached. Static call graphs miss reflection, dynamic dispatch, plugin loading, and deserialization entry points, so treat an "unreachable" verdict on a KEV-listed CVE with extra scrutiny and prefer "unknown" over a false "unreachable". You MUST NOT treat "unreachable" as "ignored" — record the rationale and recheck when the dependency or call sites change.
- CVSS severity — You MAY use CVSS as a tie-breaker among findings that are otherwise equal on the signals above. You MUST NOT order the backlog by CVSS alone.
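A minimal static reachability check over a constructed sample, as an added example (not the page's own tooling, and not a substitute for an SCA call-graph engine): it parses Python source with the standard ast module, builds a function-level call graph, and walks from the declared entry points to the vulnerable sink. The module name yamlkit and its load_unsafe/load_safe functions are placeholders standing in for a dependency named in a CVE. The walk returns "unknown" rather than "unreachable" when a reflective call such as getattr sits on a reachable path, which is the caveat raised under Reachability above.

```python
import ast
from collections import deque

# Constructed sample application (placeholder code, not a real project).
# "yamlkit.load_unsafe" stands in for the vulnerable function named by a CVE.
SAMPLE_SOURCE = '''
import yamlkit

def parse_config(text):
    return yamlkit.load_safe(text)

def legacy_import(text):
    # dead code: nothing calls this any more
    return yamlkit.load_unsafe(text)

def handle_request(body):
    cfg = parse_config(body)
    return render(cfg)

def render(cfg):
    return str(cfg)

def main():
    handle_request("a: 1")
'''

# Same placeholder dependency, but the loader is chosen at runtime (constructed sample).
DYNAMIC_SOURCE = '''
import yamlkit

def load(text, mode):
    loader = getattr(yamlkit, "load_" + mode)
    return loader(text)

def main():
    load("a: 1", "safe")
'''

# Calls through these names cannot be resolved statically.
DYNAMIC_CALLS = {"getattr", "eval", "exec", "__import__", "import_module"}
DYNAMIC = "<dynamic>"


def _callee_name(call):
    """Dotted name of a call target such as 'yamlkit.load_safe', or None if the
    target is not a plain name/attribute chain (e.g. the result of another call)."""
    func = call.func
    parts = []
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
        return ".".join(reversed(parts))
    return None


def build_call_graph(source):
    """Map each top-level function to the set of names it calls. Unresolvable or
    reflective calls are recorded as the DYNAMIC marker. Import aliases and
    'from x import y' are not resolved here; match the sink as it is spelled."""
    graph = {}
    for node in ast.parse(source).body:
        if not isinstance(node, ast.FunctionDef):
            continue
        callees = set()
        for sub in ast.walk(node):
            if isinstance(sub, ast.Call):
                name = _callee_name(sub)
                if name is None or name.split(".")[-1] in DYNAMIC_CALLS:
                    callees.add(DYNAMIC)
                else:
                    callees.add(name)
        graph[node.name] = callees
    return graph


def reachability(graph, entry_points, sink):
    """Breadth-first walk from the entry points. Returns 'reachable' if the sink is
    called on some path, 'unknown' if a dynamic call was seen on a reachable path
    (the verdict cannot be trusted), otherwise 'unreachable'."""
    seen = set()
    queue = deque(fn for fn in entry_points if fn in graph)
    saw_dynamic = False
    while queue:
        fn = queue.popleft()
        if fn in seen:
            continue
        seen.add(fn)
        for callee in graph[fn]:
            if callee == sink:
                return "reachable"
            if callee == DYNAMIC:
                saw_dynamic = True
            elif callee in graph:
                queue.append(callee)
    return "unknown" if saw_dynamic else "unreachable"


if __name__ == "__main__":
    graph = build_call_graph(SAMPLE_SOURCE)
    print(reachability(graph, ["main"], "yamlkit.load_unsafe"))  # unreachable: only dead code calls it
    print(reachability(graph, ["main", "legacy_import"], "yamlkit.load_unsafe"))  # reachable
    print(reachability(build_call_graph(DYNAMIC_SOURCE), ["main"], "yamlkit.load_unsafe"))  # unknown
```

The entry-point list is the part most often wrong in practice: a function that looks dead from main may still be exposed as a CLI subcommand, a scheduled job, or a framework route, so feed every such entry into reachability rather than only the obvious main.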
Decision rule
- KEV-listed AND reachable -> remediate immediately.
- High EPSS (top decile) AND reachable -> remediate next.
- Reachable, but neither KEV-listed nor high EPSS -> lower priority; batch into routine dependency updates.
- Not reachable (whatever its KEV or EPSS status) -> lowest priority; deprioritize with a documented note and re-evaluate on dependency or code change. Unknown reachability counts as reachable until proven otherwise.
You SHOULD automate this scoring in CI so the gate is deterministic rather than re-derived per review.
EPSS v4 note
EPSS v4 (released 2025-03-17) widened observed exploitation coverage versus v3, and the score distribution moved with it. Pin the model version you score against and re-baseline thresholds when the model changes, because the mapping between raw score and percentile shifts between versions: a cutoff tuned on v3 scores does not mean the same thing applied to v4 output. Treat any vendor-published exploitation statistics as point-in-time, not durable fact.
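The decision rule above, with the model pinning from the EPSS v4 note, as an added example in Python (not the page's own tooling). The Finding fields, the POLICY thresholds, and the package names and CVE numbers in the sample backlog are placeholders constructed for this example; in a real pipeline KEV membership would come from the CISA JSON feed and EPSS values from FIRST's daily data, each stamped with the model version and score date.

```python
from dataclasses import dataclass
from typing import List, Optional

# Policy thresholds pinned to the EPSS model they were tuned against. The numbers
# are illustrative assumptions for this example, not FIRST's published guidance.
POLICY = {
    "epss_model": "v4",
    "epss_high_percentile": 0.90,   # top decile
    "epss_high_score": 0.10,        # raw-score floor; re-baseline on a model change
}

# Remediation order of the tiers, highest priority first.
TIER_ORDER = ["kev_reachable", "high_epss_reachable", "reachable_low_signal", "unreachable"]


@dataclass
class Finding:
    cve: str                    # placeholder identifiers below, not real CVEs
    package: str
    cvss: float
    in_kev: bool
    epss: float
    epss_percentile: float
    epss_model: str             # model version the score came from
    reachable: Optional[bool]   # None = reachability not established
    note: str = ""              # required rationale when reachable is False


def tier(f: Finding, policy=POLICY) -> str:
    """Apply the decision rule to one finding; refuse scores from an unpinned model
    and 'unreachable' verdicts that carry no documented rationale."""
    if f.epss_model != policy["epss_model"]:
        raise ValueError(f"{f.cve}: score from EPSS {f.epss_model}, policy pinned to {policy['epss_model']}")
    if f.reachable is False and not f.note.strip():
        raise ValueError(f"{f.cve}: 'unreachable' requires a documented rationale")
    reachable = f.reachable is not False      # unknown counts as reachable
    high_epss = (f.epss_percentile >= policy["epss_high_percentile"]
                 or f.epss >= policy["epss_high_score"])
    if not reachable:
        return "unreachable"
    if f.in_kev:
        return "kev_reachable"
    if high_epss:
        return "high_epss_reachable"
    return "reachable_low_signal"


def prioritize(findings: List[Finding], policy=POLICY) -> List[Finding]:
    """Order by tier, then EPSS, then CVSS as the final tie-breaker."""
    return sorted(findings, key=lambda f: (TIER_ORDER.index(tier(f, policy)), -f.epss, -f.cvss))


def ci_gate(findings: List[Finding], policy=POLICY) -> List[Finding]:
    """Findings that block the pipeline: KEV-listed and reachable."""
    return [f for f in findings if tier(f, policy) == "kev_reachable"]


# Constructed sample backlog (placeholder CVE numbers and package names).
SAMPLE_FINDINGS = [
    Finding("CVE-0000-0001", "libalpha", 9.8, False, 0.02, 0.60, "v4", True),
    Finding("CVE-0000-0002", "libbravo", 5.3, True, 0.90, 0.99, "v4", True),
    Finding("CVE-0000-0003", "libcharlie", 7.5, False, 0.35, 0.96, "v4", True),
    Finding("CVE-0000-0004", "libdelta", 9.1, True, 0.80, 0.99, "v4", False,
            note="vulnerable parser only reached via libdelta.legacy_load, which is not imported"),
    Finding("CVE-0000-0005", "libecho", 8.8, False, 0.01, 0.40, "v4", None),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        print(f"{tier(f):22} {f.cve} cvss={f.cvss} epss={f.epss}")
    print("blocking:", [f.cve for f in ci_gate(SAMPLE_FINDINGS)])
```

Run on the sample, the CVSS 5.3 KEV entry lands at the top and the CVSS 9.8 entry with a 2% EPSS falls to third, which is the point of the guideline; the KEV entry marked unreachable sinks to the bottom but stays in the list with its rationale attached, ready to be re-tiered the moment reachability changes.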
Supply-chain context (OWASP Top 10 2025)
OWASP Top 10 2025 elevates supply-chain risk: A03:2025 Software Supply Chain Failures expands the former A06:2021 "Vulnerable and Outdated Components" category to cover build systems, distribution channels, and dependency compromise, not just outdated versions. You SHOULD weight findings in build/distribution tooling and direct dependencies accordingly, and pair this guideline with dependency-security and supply-chain-integrity practices. The OWASP 2025 list and its rankings are recent; pin to the published 2025 revision when citing it.
Anti-patterns
- Sorting the remediation queue purely by CVSS "Critical/High."
- Fixing every transitive CVE regardless of reachability, burning effort on dead code paths.
- Ignoring a low-CVSS CVE that is on the KEV catalog.
- Hard-coding an EPSS threshold without recording the model version it was tuned against.