In vulnerability management, severity ratings quietly shape behaviour. High and Critical CVEs trigger alerts, emergency patch windows, and executive attention. Low and Medium CVEs, by contrast, tend to sink into the backlog—scheduled, deferred, or ignored entirely.
That complacency is increasingly misplaced.
Attackers do not share our prioritisation logic.
Severity Scores Are Not Risk Scores
CVSS (Common Vulnerability Scoring System) measures technical impact under ideal conditions. It does not measure:
- Whether the vulnerability is reachable in your environment
- Whether it can be chained with others
- Whether active exploitation exists
- Whether attackers find it useful
A “Low” CVE with authentication requirements may be trivial in isolation, yet devastating when combined with credential reuse, misconfigurations, or poor network segmentation.
Attackers think in graphs, not lists.
Chaining: The Attacker’s Superpower
Modern breaches rarely rely on a single vulnerability. They unfold as sequences:
- Initial foothold: often via phishing, exposed services, or an old Medium-severity bug with public exploit code.
- Privilege escalation: frequently a local vulnerability scored as Low or Medium because “local access is required.”
- Lateral movement: enabled by misconfigurations, weak service accounts, or outdated protocols.
- Impact: data exfiltration, ransomware deployment, or persistence mechanisms.
Individually, none of these CVEs look alarming. Together, they are catastrophic.
Severity scoring does not model this reality well.
Exploitation Follows Opportunity, Not Labels
Threat actors optimise for:
- Reliability over elegance
- Availability over novelty
- Noise reduction over maximum damage
This is why attackers often prefer older, well-understood vulnerabilities with stable exploit chains rather than flashy zero-days.
A Medium CVE with:
- Public proof-of-concept code
- Predictable behaviour
- High deployment prevalence
…is often more attractive than a newer Critical vulnerability with mitigations already in place.
Patch Backlogs Become Attack Surfaces
Deferred vulnerabilities accumulate. Over time, environments drift into a state where:
- Security assumptions no longer hold
- Defensive tooling is misaligned with reality
- Attack paths multiply quietly
From an attacker’s perspective, this backlog is not technical debt—it is latent access.
The longer a vulnerability exists unpatched, the more likely it becomes weaponised, documented, and automated.
What Smarter Prioritisation Looks Like
Effective vulnerability management shifts focus from severity to exposure.
Key signals to elevate any CVE—regardless of score:
- Internet-facing services
- Privileged context (SYSTEM, root, domain accounts)
- Exploit availability or chatter
- High asset value
- Weak compensating controls
A Low CVE on a domain controller is never “low.” A Medium CVE on an edge device deserves attention.
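As an added example that is not part of the original article, the following Python sketch treats the chaining section and the signals list above as one model: it searches a small constructed inventory for a path of Low and Medium bugs from an internet-facing host to admin on the domain controller, then ranks every CVE by exposure signals rather than CVSS label. The hosts, placeholder CVE ids, privilege model and signal weights are all assumptions chosen for illustration.

```python
from collections import deque
# Constructed inventory for this example; CVE ids are placeholders, not real advisories.
# vuln = (cve_id, cvss_label, privilege required on the host, privilege gained)
HOSTS = {
    "web-edge": {"internet_facing": True, "value": 2, "reaches": ["file-srv"],
                 "vulns": [("CVE-XXXX-0001", "Medium", "none", "user"),
                           ("CVE-XXXX-0005", "Low", "user", "admin")]},
    "file-srv": {"internet_facing": False, "value": 3, "reaches": ["dc01"],
                 "vulns": [("CVE-XXXX-0002", "Low", "user", "admin")]},
    "dc01":     {"internet_facing": False, "value": 10, "reaches": [],
                 "vulns": [("CVE-XXXX-0003", "Low", "user", "admin")]},
    "lab-box":  {"internet_facing": False, "value": 1, "reaches": [],
                 "vulns": [("CVE-XXXX-0004", "Critical", "none", "admin")]},
}

def attack_path(hosts, goal_value=10):
    """Breadth-first search over (host, privilege) states from the internet to
    admin on any host worth >= goal_value. Returns the vulns used, in order."""
    start = [(h, "none", ()) for h, d in hosts.items() if d["internet_facing"]]
    queue, seen = deque(start), {(h, p) for h, p, _ in start}
    while queue:
        host, priv, chain = queue.popleft()
        if priv == "admin" and hosts[host]["value"] >= goal_value:
            return list(chain)
        nxt = []
        # local exploitation: any vuln whose required privilege we already hold
        for cve, sev, req, gain in hosts[host]["vulns"]:
            if req == priv:
                nxt.append((host, gain, chain + ((cve, sev, host),)))
        # lateral movement (assumed: admin here yields a user session on neighbours,
        # e.g. via reused credentials or weak segmentation, as the article describes)
        if priv == "admin":
            nxt.extend((nb, "user", chain) for nb in hosts[host]["reaches"])
        for state in nxt:
            if (state[0], state[1]) not in seen:
                seen.add((state[0], state[1]))
                queue.append(state)
    return []

def prioritise(hosts):
    """Rank CVEs by exposure signals (internet-facing, privileged context,
    asset value, presence on a reachable attack path) instead of CVSS label."""
    on_path = {cve for cve, _, _ in attack_path(hosts)}
    rows = []
    for host, d in hosts.items():
        for cve, sev, _req, gain in d["vulns"]:
            score = (3 if d["internet_facing"] else 0) + (3 if gain == "admin" else 0)
            score += d["value"] + (5 if cve in on_path else 0)
            rows.append((score, cve, sev, host))
    return sorted(rows, reverse=True)
```

With this inventory the four Low/Medium bugs form the only route to the domain controller and rank above the unreachable Critical on the lab box.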
Rethinking the CVE Mindset
CVEs are raw data, not decisions.
They describe possibility, not probability. They explain impact, not intent.
Treating CVSS as a sorting mechanism rather than an input to analysis is how organisations end up breached “by something insignificant.”
Attackers exploit what we overlook.
cvedatabase.com exists to surface vulnerabilities early, track exploitation trends, and provide context—not just scores. Because in cybersecurity, what looks boring is often what breaks you.
