Beyond CVSS: How Attackers Really Exploit CVEs and What That Means for Patch Prioritisation

Beyond CVSS

In 2025 we’ve seen organisations face a paradox: record-shattering numbers of new vulnerabilities, but only a handful ever lead to real-world breaches. As exploited CVEs mount and patch management struggles to keep up, is it time to rethink what, and how, we patch?

The Rising Tide: More CVEs, More Complexity

Between 2023 and 2025, the number of publicly disclosed vulnerabilities (CVEs) soared by 38%, topping 40,000 a year [1][3]. This deluge highlights the expanding attack surface and the immense challenge facing security teams. But while CVE counts grow, the percentage of “critical” (CVSS 9.0+) ratings has trended down, with most new vulnerabilities falling into the medium category, and only a minority are ever exploited at scale [3][6].

Yet despite all the noise, the reality is that a predictable set of vulnerabilities are repeatedly, and sometimes swiftly weaponised by attackers.

What Do Attackers Really Go After?

Recent studies and government reporting show that exploited CVEs cluster around familiar patterns and products.

| CVE | Technology | Attack Vector | CVSS 3.x | CISA KEV? | Notable Campaigns/Uses |
|---|---|---|---|---|---|
| CVE-2017-11882 | MS Office EqnEd | User/file | 7.8 | Yes | Phishing, commodity malware |
| CVE-2021-44228 | Apache Log4j2 | Network (RCE) | 10.0 | Yes | Ransomware, crypto-miners, botnets |
| CVE-2023-34362 | Progress MOVEit | Network (RCE) | 9.8 | Yes | Mass data theft, ransomware |
| CVE-2017-0144 | Windows SMB | Network (Worm) | 8.8 | Yes | WannaCry ransomware, NotPetya |
| CVE-2021-26855 | MS Exchange | Network (SSRF) | 9.1 | Yes | ProxyLogon mass compromise |

Phishing-Ready Bugs Stay Popular

Even five-year-old Office vulnerabilities (such as EqnEd, WordPad, and RTF flaws, e.g., CVE-2017-11882 and CVE-2017-0199) are perennially favoured for phishing. Attackers package malicious documents with these exploits, enabling them to bypass some defences and compromise endpoints via user interaction. These “old” bugs remain in the wild long after initial disclosure because:

  • They affect widely deployed, hard-to-upgrade software.
  • User interaction (such as opening an email attachment) offers a persistent avenue for compromise.
  • Criminal kits and nation-state attackers alike prefer proven, reliable exploit chains.

Key observations:

  • Network Attack Vectors Dominate Headlines: Critical bugs in internet-facing servers and services (like Log4j, Exchange, MOVEit, SMB) routinely drive ransomware and mass-compromise events.
  • Phishing-Ready Bugs Stay Popular: Many Office vulnerabilities never really die; they persist on endpoints and are routinely exploited for phishing and targeted attacks, regardless of age.
  • Chained Exploits Maximise Impact: ProxyLogon is the classic case, where threat actors combined several “high” and “critical” bugs to break into Exchange, often skipping right past endpoint defences.

Chained Vulnerabilities and Real-World Attack Paths

Complex multi-CVE exploit chains are now commonplace. Take the Microsoft Exchange “ProxyLogon” series (CVE-2021-26855, -26857, -26858, -27065): threat actors rapidly combined SSRF, insecure deserialization, and file write vulnerabilities to take over email infrastructure worldwide [8]. These chains often link multiple “high” and “critical” CVEs, undermining simple patch-by-severity approaches.

Likewise, MOVEit and Citrix NetScaler exploits have shown how new zero-days join old, unpatched bugs, hitting organisations in waves [8].

The CISA KEV List—And Its Limitations

The CISA Known Exploited Vulnerabilities (KEV) catalog is now an industry gold standard: if a CVE is on this list, it means threat actors are actively exploiting it somewhere, right now [2].

But there’s a catch:

  • KEV additions lag behind attacker activity. Many vulnerabilities are abused in the wild long before they appear on official lists [5][6].
  • At the start of 2025, as many as 26% of newly disclosed exploited vulnerabilities were still under analysis or missing from national databases, leaving defenders flying blind [5][6].
  • Zero-day exploitation windows keep shrinking: the time from public disclosure to mass attacks is now often measured in hours, not weeks [5][6].

Because of this, using KEV should be the baseline, not the ceiling. Rapid threat intelligence, vendor advisories, and monitoring exploit feeds are essential for catching emerging threats before “official” confirmation [5][7].

Patching SLAs: Why Traditional Models Can Fail

Most enterprises base patching SLAs on CVSS scores, assigning strict timelines to “critical” or “high” flaws and much looser deadlines for medium/low ones. But the realities outlined above demand a smarter approach:

  • Attackers focus where patching lags, not just on the highest scores. Many high-profile attacks started with “high”, not “critical”, vulnerabilities, especially when combined in chains or used against exposed infrastructure.
  • Speed overwhelms policy: patch policies measured in weeks or months cannot compete with 24-hour attacker timelines [5][6][7].
  • Legacy and vendor risk: third-party and supply chain risk means your patching discipline is only as strong as your weakest vendor [1][3].

Towards a Modern Patch Prioritisation Strategy

What does all of this mean for defenders in 2025?

  • Combine severity with exploitability: use CISA KEV as your urgent patch list, but also watch for emerging intelligence on in-the-wild exploitation, even before CVEs are officially listed [8].
  • Prioritise internet-facing and business-critical assets: network edge, VPNs, email, and user-facing software require the fastest attention [5][7].
  • Respond to chains, not just single bugs: patch related vulnerabilities together, and take a holistic view of attacker routes [8].
  • Accept some patch “debt” but manage risk wisely: with tens of thousands of new CVEs yearly, focus on what attackers are actually using, not just what your scanning software labels “critical” [3][6].
  • Demand more from your vendors and partners: supply chain and third-party breaches are rising; your security depends on theirs [1][7].
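The prioritisation rules above (KEV before CVSS, exposed assets first, chains patched together) can be turned into a simple triage routine. The following is an added example, not code from the article or any vendor tool: the CVEs and CVSS scores come from the table above, while the exposure labels, the chain membership and the CVE-EXAMPLE-* entries are constructed placeholders.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Vuln:
    cve: str
    cvss: float
    in_kev: bool
    exposure: str                 # "internet", "user" or "internal" (labels assumed here)
    chain: Optional[str] = None   # exploit chain this CVE belongs to, if any

# Constructed inventory. Scores for the real CVEs match the article's table;
# exposure and chain labels are assumptions, and CVE-EXAMPLE-* are placeholders.
INVENTORY = [
    Vuln("CVE-2017-11882", 7.8, True, "user"),
    Vuln("CVE-2021-44228", 10.0, True, "internet"),
    Vuln("CVE-2023-34362", 9.8, True, "internet"),
    Vuln("CVE-2021-26855", 9.1, True, "internet", chain="ProxyLogon"),
    Vuln("CVE-EXAMPLE-0001", 9.4, False, "internal"),               # critical score, no known exploitation
    Vuln("CVE-EXAMPLE-0002", 6.5, False, "internet", chain="ProxyLogon"),  # stand-in for a medium-rated chain link
]

EXPOSURE_RANK = {"internet": 0, "user": 1, "internal": 2}

def base_tier(v: Vuln) -> int:
    """Tier 1 = known exploited (KEV); 2 = critical CVSS on an exposed asset;
    3 = managed patch debt. A high score alone never reaches tier 1."""
    if v.in_kev:
        return 1
    if v.cvss >= 9.0 and v.exposure != "internal":
        return 2
    return 3

def prioritise(inventory: List[Vuln]) -> List[Tuple[str, int]]:
    """Return [(cve, tier)] ordered by tier, then exposure, then CVSS.
    Every member of a chain inherits the tightest tier found in that chain,
    so the whole chain is scheduled together."""
    tiers = {v.cve: base_tier(v) for v in inventory}
    chain_best = {}
    for v in inventory:
        if v.chain:
            chain_best[v.chain] = min(chain_best.get(v.chain, 3), tiers[v.cve])
    for v in inventory:
        if v.chain:
            tiers[v.cve] = chain_best[v.chain]
    ordered = sorted(inventory, key=lambda v: (tiers[v.cve], EXPOSURE_RANK[v.exposure], -v.cvss))
    return [(v.cve, tiers[v.cve]) for v in ordered]

if __name__ == "__main__":
    for cve, tier in prioritise(INVENTORY):
        print(f"P{tier}  {cve}")
```

Note that the 7.8-rated Office bug lands in tier 1 while the 9.4-rated, unexploited internal placeholder sits in tier 3, and the medium-rated chain link is pulled up to tier 1 with the rest of ProxyLogon.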

Conclusion: Don’t Wait for the “Official” List, Patch Like an Attacker

The data is clear: attackers don’t wait for your patching cycle, or for “critical” bugs to hit the headlines. They exploit what’s available, what’s exposed, and what’s easy, and if you’re only following CVSS, or waiting for KEV updates, you’ll often be behind [5][7][8].

Modern defence means moving beyond just prioritising and patching. Where traditional patching may be delayed, due to business complexity, legacy systems, vendor slowness, or operational constraints, organisations should embrace virtual patching and compensating controls:

  • Virtual patching: Technology like Innoculator can block exploitation of vulnerabilities even before a vendor patch is available or practical to deploy.
  • Rapid controls: Temporary mitigations, configuration changes, or forced multi-factor authentication can dramatically reduce risk during the critical window between disclosure and patch release.

In summary:
Building a layered, proactive patch management and defence strategy combining real-world intelligence, modern controls, and practical response puts defenders back on the front foot, closing gaps before attackers can exploit them.