Every vulnerability gets a score. Most of them are noise.
If you're a CISO, you've lived this: your scanner spits out 12,000 vulnerabilities at the start of the quarter. Your team has bandwidth to remediate maybe 200. So you sort by CVSS. You patch everything rated Critical. You brief the board. You go home feeling like you did the right thing.
Then you get breached through a CVE that was rated Medium.
This isn't a hypothetical. It happens constantly, and it happens because most security teams are optimizing for the wrong signal. The three scoring systems your tools use, CVSS, EPSS, and KEV, measure completely different things. Using only one of them is like navigating a city using only altitude data.
Here's what each score actually tells you, what it doesn't, and how to combine them into a remediation strategy that holds up to scrutiny.

CVSS: The score everyone uses, and what it actually measures
CVSS, the Common Vulnerability Scoring System, was built to answer one question: how bad could this be? It evaluates characteristics of the vulnerability itself: attack vector, attack complexity, privileges required, and impact on confidentiality, integrity, and availability. The output is a number between 0 and 10, and most organizations map that number to a priority queue.
The problem is what CVSS doesn't measure: whether anyone is actually trying to exploit it.
A CVSS 9.8 vulnerability in software that isn't deployed anywhere in your environment, with no public exploit code and no threat actor interest, is not a crisis. A CVSS 5.5 vulnerability in your edge infrastructure with a working exploit circulating in criminal forums? That's a fire.
CVSS tells you the damage radius of the weapon. It doesn't tell you if anyone has the weapon or is pointing it at you.
EPSS: Probability over severity
EPSS, the Exploit Prediction Scoring System, takes a fundamentally different approach. Maintained by FIRST, it uses machine learning trained on real-world threat intelligence to estimate the probability that a given CVE will be exploited in the next 30 days.
The output is a percentage. A CVE with an EPSS score of 0.94 has a 94% predicted probability of active exploitation in the near term. A CVE at 0.002 has roughly a 0.2% chance.
The signal EPSS provides that CVSS cannot: real-world adversary interest. EPSS factors in whether exploit code exists, whether it's being discussed in threat actor communities, whether related vulnerabilities have seen exploitation, and dozens of other signals that reflect actual attacker behavior.
Here's the uncomfortable truth about CVSS vs EPSS that every vulnerability program should reckon with:

The gap between "theoretically severe" and "actively being exploited" is massive. EPSS gets you much closer to the latter.
KEV: The smallest list that should matter most
CISA's Known Exploited Vulnerabilities catalog is the most unambiguous signal in vulnerability management. It's a curated list of CVEs that have been confirmed as actively exploited in the wild. No probability models. No theoretical attack scenarios. These are vulnerabilities where real attackers have used real exploit code against real targets.
As of mid-2024, the KEV catalog contains roughly 1,100 entries out of more than 200,000 published CVEs. That's approximately 0.5% of all known vulnerabilities.
KEV carries a mandatory remediation timeline for federal agencies under BOD 22-01. For everyone else, it's a strong signal that should trigger immediate triage regardless of your existing backlog. If something is in KEV, it's not a question of whether exploitation happens, it's a question of whether your org is on the target list.
The limitation of KEV is its binary nature and its inherent lag. Something has to be exploited and observed before it appears. It's not predictive. Used alone, you'll always be reacting rather than anticipating.
The right framework: stack the signals
None of these scores is wrong. They measure different dimensions of risk, and the organizations that use them most effectively use all three in a specific hierarchy.

The decision logic is straightforward: KEV is binary and overrides everything. If it's on the list, you patch it this week, not this quarter. EPSS then acts as a filter on the remaining population: high-EPSS vulnerabilities jump the queue regardless of their CVSS score, because the market signal is that attackers find them attractive. CVSS becomes the scheduling mechanism for the long tail: it tells you which low-urgency vulnerabilities to get to first when you have bandwidth.
This framework dramatically shrinks the "urgent" pile. Instead of treating 26% of your CVE inventory as high priority, you're probably looking at 2–5%. That's a number a team can actually work with.
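The stacked decision logic above, written out as an added example (not code from the original post or from Vicarius). The EPSS cutoff, the tier numbers, and the sample backlog with its CVE identifiers and scores are all assumptions constructed for illustration; the ordering rule is the one the post describes: KEV first, then high EPSS regardless of CVSS, then CVSS to schedule the rest.

```python
from dataclasses import dataclass
from typing import List

# Assumed EPSS cutoff for "high" exploitation probability; not from the post, tune to your risk appetite.
HIGH_EPSS = 0.10


@dataclass(frozen=True)
class Vuln:
    cve: str
    cvss: float   # CVSS base score, 0-10
    epss: float   # EPSS probability, 0.0-1.0
    in_kev: bool  # listed in CISA's KEV catalog


def tier(v: Vuln) -> int:
    """Stacked signals: KEV overrides everything, then EPSS, then CVSS schedules the long tail."""
    if v.in_kev:
        return 0   # confirmed exploited in the wild: patch this week
    if v.epss >= HIGH_EPSS:
        return 1   # attackers find it attractive: jumps the queue regardless of CVSS
    if v.cvss >= 9.0:
        return 2   # long tail, but start with the Criticals
    return 3       # everything else, when bandwidth allows


def sort_key(v: Vuln):
    """Within a tier, order by the signal that put it there: EPSS in tier 1, CVSS elsewhere."""
    t = tier(v)
    secondary = -v.epss if t == 1 else -v.cvss
    return (t, secondary, v.cve)


def prioritize(inventory: List[Vuln]) -> List[Vuln]:
    return sorted(inventory, key=sort_key)


def urgent_fraction(inventory: List[Vuln]) -> float:
    """Share of the backlog in tiers 0 and 1: the pile that actually demands action now."""
    if not inventory:
        return 0.0
    return sum(1 for v in inventory if tier(v) <= 1) / len(inventory)


# Constructed sample backlog; identifiers and scores are placeholders, not real CVE data.
SAMPLE = [
    Vuln("CVE-0000-0001", 9.8, 0.004, False),  # Critical on paper, nobody exploiting it
    Vuln("CVE-0000-0002", 5.5, 0.91, False),   # Medium CVSS, exploit circulating
    Vuln("CVE-0000-0003", 7.2, 0.03, True),    # in KEV: confirmed exploited
    Vuln("CVE-0000-0004", 6.1, 0.02, False),   # long tail
    Vuln("CVE-0000-0005", 9.1, 0.15, False),   # both severe and attractive
]

if __name__ == "__main__":
    for v in prioritize(SAMPLE):
        print(tier(v), v.cve, v.cvss, v.epss, v.in_kev)
    print(f"urgent share of backlog: {urgent_fraction(SAMPLE):.0%}")
```

On this five-entry sample the urgent share is 60% only because the sample is tiny; on a real backlog the tier 0 and 1 set is the small slice the post describes.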
What this means for your program
The board doesn't care about CVSS scores. They care about breach risk and operational disruption. The vocabulary of vulnerability management needs to shift from "we patched all the Criticals" to "we have zero KEV exposure and our high-EPSS surface is managed."
That framing is more honest about risk and more defensible after an incident.
Practically, this means your vulnerability management tooling needs to be pulling all three signals and surfacing them together, not making you cross-reference three separate data sources manually. This is exactly what vRx by Vicarius is built for: it ingests CVSS, EPSS, and KEV signals into a unified view, so your team spends time remediating instead of correlating spreadsheets.
The answer to "which score matters?" is: all three, in the right order, for the right decision.
Stop chasing every Critical. Start chasing the ones that matter.
Want to see how your current vulnerability backlog looks when filtered through KEV and EPSS? vRx gives you that view out of the box; request a demo at vicarius.io.