89

Should KEV outrank CVSS in vulnerability triage?. Compare severity-only triage with exploitation-led triage using KEV, EPSS, vendor remediation status, and asset exposure as the core decision inputs. Include a table separating confirmed exploitation, probability of exploitation, remediation action, and when to remove unpatchable assets from networks.

Should KEV outrank CVSS in vulnerability triage?

Yes. The attached CISA and EPSS sources support an exploitation-led triage model: confirmed exploitation in CISA KEV should outrank severity-only CVSS scoring, while EPSS is used as a probability signal when active exploitation is not already evidenced.[1][2][3]

The practical takeaway is that CVSS should inform context, but not drive priority by itself when there is evidence of exploitation, clear mitigation guidance, or high asset exposure.[4][5]

How the triage inputs differ

CISA KEV is explicitly built around vulnerabilities with evidence of active exploitation, and CISA says those items should be prioritized for rapid remediation.[6] EPSS, by contrast, estimates the likelihood of exploitation in the next 30 days and is most useful when you do not already have evidence of active exploitation.[7]

Decision inputWhat it meansHow it should affect triage
Confirmed exploitation[8]Evidence that the vulnerability is being exploited in the wildTop priority, ahead of severity-only CVSS
Probability of exploitation[9]EPSS estimate of likely exploitation in the next 30 daysUse when exploitation is not already confirmed; raise priority as probability increases
Vendor remediation status[10][11]Whether there is clear mitigation or vendor guidanceFaster action when a clear remediation path exists; if not, escalate containment or removal
Asset exposure[12][13]Whether the vulnerable asset is publicly exposed or internet-facingIncrease urgency, especially for publicly exposed assets

Action guide: confirmed exploitation vs probability vs exposure

SituationRecommended actionWhen to remove or isolate from network
Confirmed exploitationRemediate immediately using required CISA/vendor guidance[14][15]If patching or mitigation cannot be completed in time, remove the asset from the network or isolate it[16][17][18]
High EPSS but no confirmed exploitationPrioritize ahead of lower-probability issues, especially if the asset is exposed[19][20]Use removal or isolation when the asset cannot be updated fast enough and exposure is material[21][22]
Vendor has clear mitigation guidanceApply mitigations, vendor instructions, and CISA-required actions[23][24][25]Consider isolation as a temporary control if mitigation is incomplete[26][27]
Unpatchable assetDecommission, remove the vulnerable product, segment, isolate, or otherwise discontinue use[28][29][30][31]Remove from the network or isolate it when no timely update or mitigation is available[32][33]

Bottom line

For triage, KEV should outrank CVSS because it captures known exploitation, which is the strongest signal in the provided sources.[34][35] Use EPSS to rank unconfirmed cases by likelihood, then adjust for vendor remediation status and asset exposure. If an asset cannot be patched or mitigated quickly, CISA guidance supports removal from the network or isolation rather than leaving it exposed.[36][37][38][39]