Module 21 of 25 · Practice & Strategy

Vulnerability management


By the end of this module you will be able to:

  • Calculate a CVSS 4.0 Base Score and explain the Threat and Environmental metric groups
  • Use EPSS scores alongside CVSS to produce a risk-based prioritisation decision
  • Apply the CISA KEV catalogue to identify actively exploited vulnerabilities requiring immediate action
  • Design a patch management programme with defined SLAs per severity tier

Equifax data breach, March to July 2017

Equifax 2017: patch available, alert sent, 147 million records exfiltrated

In March 2017, the Apache Software Foundation released a patch for CVE-2017-5638, a critical remote code execution vulnerability in the Apache Struts web framework (a crafted Content-Type header evaluated as an OGNL expression by the Jakarta multipart parser). Equifax, one of the three largest consumer credit bureaux in the United States, was running a vulnerable version of Struts in its online dispute portal. The patch was available. Equifax's vulnerability scanning tool had identified the vulnerability. The alert had been sent. The patch was not applied.

In May 2017, attackers exploited CVE-2017-5638 to gain a foothold on the dispute portal and spent roughly 76 days moving through Equifax's network and exfiltrating the personal data of about 147 million US consumers, including Social Security numbers, dates of birth and home addresses. NVD scored the CVE 10.0 under CVSS v3: network-exploitable, no privileges required, no user interaction, scope changed, and High impact on confidentiality, integrity and availability. Equifax's 2019 settlement with the FTC, the CFPB and the states was valued at up to $700 million.

The breach was not a discovery failure; it was a prioritisation and escalation failure. Discovery occurred; the process that should have converted a Critical alert into a mandatory remediation timeline with a named, accountable owner did not exist.

CVSS 4.0: scoring vulnerability severity

CVSS (Common Vulnerability Scoring System) v4.0, published by FIRST in November 2023, provides a framework for communicating the characteristics and severity of software vulnerabilities. Scores range from 0.0 to 10.0, with the specification's qualitative ratings: None (0.0), Low (0.1-3.9), Medium (4.0-6.9), High (7.0-8.9), Critical (9.0-10.0). v4.0 also introduces nomenclature for stating which metric groups a score includes: CVSS-B (Base only), CVSS-BT (Base + Threat), CVSS-BE (Base + Environmental) and CVSS-BTE (all three). A bare "CVSS score" in a scanner report or advisory should be read as CVSS-B unless stated otherwise.

CVSS 4.0 defines four metric groups:

  • Base metrics (intrinsic characteristics): Attack Vector (Network/Adjacent/Local/Physical), Attack Complexity (Low/High), Attack Requirements (None/Present, new in v4.0), Privileges Required (None/Low/High), User Interaction (None/Passive/Active), and Confidentiality/Integrity/Availability impact scored separately for the vulnerable system (VC/VI/VA) and for subsequent systems (SC/SI/SA), which replaces the v3 Scope metric.
  • Threat metrics (the v3.1 Temporal group, renamed): Exploit Maturity with the values Attacked, Proof-of-Concept, Unreported and Not Defined. Not Defined is the default and is scored as Attacked, so a Base score already assumes the worst case; supplying real threat intelligence can only lower the CVSS-BT score (Unreported lowest, Proof-of-Concept in between), never raise it above the Base score.
  • Environmental metrics: let an organisation adjust the score to its deployment context by overriding Base metrics (Modified Attack Vector and so on) and by weighting the Confidentiality, Integrity and Availability Requirements of the affected asset. A vulnerability in an internet-facing system storing PII scores higher than the same vulnerability in an air-gapped internal tool.
  • Supplemental metrics (informational, do not affect the score): Safety, Automatable, Recovery, Value Density, Vulnerability Response Effort, Provider Urgency.

NVD scored CVE-2017-5638 (the Equifax CVE) 10.0 under CVSS v3.0 with the vector AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H: Attack Vector Network, Attack Complexity Low, Privileges Required None, User Interaction None, and High impact across all three CIA dimensions. The Scope: Changed value matters: OGNL injection in the Struts request parser yields code execution on the host beneath the application, and the same metrics with Scope Unchanged would score 9.8. Had Equifax computed an Environmental score for an internet-facing portal holding PII for millions of consumers, it would also have been the maximum.

A CVSS score describes how bad a vulnerability is if exploited; it says nothing about whether anyone is exploiting it. The next section adds that second dimension.

EPSS and CISA KEV: prioritisation beyond CVSS

EPSS (Exploit Prediction Scoring System), maintained by FIRST, is a machine-learning model that estimates the probability that a specific CVE will be exploited in the wild within the next 30 days. Version 3 (March 2023) trains on roughly 1,500 features: CVE age and vendor, CWE, CVSS metrics, reference tags, public exploit code (Exploit-DB, Metasploit, GitHub), and mentions in offensive tools and scanners, with exploitation activity observed by partner sensor networks as the ground truth. Scores are probabilities from 0 to 1 (shown as 0% to 100%), recomputed daily, and each comes with a percentile rank among all scored CVEs; v4 replaced v3 in March 2025 with the same output format.

CVSS measures severity; EPSS measures likelihood. They are complements, not substitutes. Only a few percent of published CVEs are ever observed being exploited in the wild, and the EPSS distribution is skewed accordingly: most CVEs score well under 1%, while CVEs with confirmed exploitation cluster near the top of the range. Combining the two produces a four-quadrant prioritisation. The 10% boundary below is a policy choice, not a property of EPSS: lowering it catches more of the CVEs that will be exploited at the cost of a longer emergency queue, so tune it to your remediation capacity and record the choice.

  • CVSS Critical/High + EPSS at or above 10%: emergency queue, immediate patch.
  • CVSS Critical/High + EPSS below 10%: standard SLA remediation.
  • CVSS Medium/Low + EPSS at or above 10%: expedited review; active exploitation warrants escalation.
  • CVSS Medium/Low + EPSS below 10%: defer or risk-accept with documented owner sign-off.

The CISA KEV (Known Exploited Vulnerabilities) catalogue, introduced in November 2021, lists CVEs with evidence of active exploitation. Under CISA BOD 22-01, each entry carries a due date by which US federal civilian agencies must remediate it: two weeks for CVEs assigned in 2021 or later, six months for older CVEs, and shorter where CISA chooses. Many commercial organisations adopt the same due dates as a baseline SLA. Log4Shell (CVE-2021-44228) was added to the catalogue on 10 December 2021 with a due date of 24 December; a week later, Emergency Directive 22-02 (17 December 2021) required agencies to patch or mitigate it by 23 December.

Prioritising CVEs with CVSS, EPSS, and KEV

Four quadrants of severity by likelihood with the CISA KEV override that promotes any listed CVE to emergency.

Figure: CVSS by EPSS prioritisation matrix with the CISA KEV override (CVSS severity on the vertical axis, EPSS 30-day exploitation likelihood on the horizontal axis).

  • High severity, high likelihood (EPSS 10% or above): EMERGENCY. Patch within 48 hours; wake the on-call.
  • High severity, low likelihood (EPSS under 10%): STANDARD SLA. Patch within 14 days with a documented owner.
  • Lower severity, high likelihood: ESCALATE. Re-triage; active exploitation can warrant promotion.
  • Lower severity, low likelihood: DEFER OR ACCEPT. Schedule, batch with releases, or risk-accept with documented owner sign-off.
  • Override: any CISA KEV entry promotes the CVE to EMERGENCY regardless of CVSS or EPSS; the entry's BOD 22-01 due date is the latest acceptable remediation date.

Severity and likelihood are independent: a Medium CVE that attackers are scanning today can outrank a Critical one that nobody is exploiting. A KEV listing overrides everything. Source: FIRST CVSS/EPSS, CISA BOD 22-01.

Scoring and prioritising a finding is one step. The next section places that step inside the lifecycle that carries a finding to verified closure, and attaches an SLA to each tier.

Vulnerability management programs must include policies, procedures, and resources to detect, assess, track, and remediate vulnerabilities in a timely manner. The program should prioritize vulnerabilities based on their potential impact to the organization.

NIST SP 800-40r4, Section 2: Vulnerability Management Fundamentals

All federal civilian executive branch agencies must remediate every vulnerability listed in the Known Exploited Vulnerabilities catalogue by the due date specified for that vulnerability. The catalogue reflects vulnerabilities that have been actively used by adversaries in real-world attacks.

CISA Binding Operational Directive (BOD) 22-01, November 2021: Reducing the Significant Risk of Known Exploited Vulnerabilities

Vulnerability lifecycle and patch management SLAs

A vulnerability management programme covers the full lifecycle from discovery to verified closure across six phases:

  1. Discovery: authenticated network scans (Tenable, Qualys, Rapid7), SBOM-driven CVE matching and software composition analysis of third-party dependencies, and continuous monitoring of new advisories and KEV additions.
  2. Triage: apply CVSS/EPSS/KEV scoring; confirm the finding is not a false positive; identify the asset owner and exposure surface.
  3. Prioritisation: assign a severity tier and SLA using the risk-based matrix.
  4. Remediation: patch, mitigate (WAF rule, configuration change), or accept risk with documented sign-off from a named owner.
  5. Verification: re-scan after remediation using authenticated scanning to confirm the finding is genuinely closed.
  6. Post-closure: update SBOM and asset inventory; track mean time to remediate (MTTR) by severity tier against defined SLAs.

Recommended patch management SLAs: any KEV entry, or Critical with EPSS at or above 50%: 48 hours for internet-facing systems and 7 days for internal systems, and in no case later than the CISA due date; Critical without active exploitation: 14 days; High: 30 days; Medium: 90 days; Low: 180 days or risk-accept. Any patch deferred beyond its SLA requires documented risk acceptance signed by a named owner, with an expiry date and the compensating control recorded. Measure MTTR per tier against these targets; an SLA that is not measured is a wish, not a control.
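The quadrant matrix, the KEV override and the SLA tiers above can be implemented as one small triage function, which is also what "review KEV additions daily and re-triage" looks like in practice. The following is an added example and not code from the module, CISA or FIRST. The KEV fragment uses the real feed's field names (cveID, dateAdded, dueDate); the Log4Shell line carries the catalogue's own dates, the CVE-2099-* identifiers are hypothetical, and the findings and the fixed "today" are constructed. The EMERGENCY quadrant is mapped onto the 48-hour/7-day tier using the matrix's 10% EPSS boundary throughout (the SLA table's stricter 50% cut would be a second threshold); the 14-day provisional window for ESCALATE and placing that queue ahead of STANDARD SLA are assumptions, made because re-triage is a review task that should not wait behind a 30-day patch window.

```python
"""CVSS x EPSS quadrants, CISA KEV override and SLA tiers as a triage function."""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed fragment in the shape of CISA's known_exploited_vulnerabilities.json
# feed (real field names). The Log4Shell line carries the catalogue's dates; the
# CVE-2099-* entry is hypothetical. In production, fetch the feed daily and diff it.
KEV_JSON = """{"vulnerabilities": [
  {"cveID": "CVE-2021-44228", "dateAdded": "2021-12-10", "dueDate": "2021-12-24"},
  {"cveID": "CVE-2099-0002", "dateAdded": "2025-01-06", "dueDate": "2025-01-20"}
]}"""

EPSS_HIGH = 0.10   # quadrant boundary from the module's matrix; a policy knob
QUEUE_ORDER = {"EMERGENCY": 0, "ESCALATE": 1, "STANDARD SLA": 2, "DEFER OR ACCEPT": 3}
SAMPLE_TODAY = date(2025, 1, 10)   # fixed "today" so the example is reproducible


@dataclass
class Finding:
    cve: str
    asset: str
    cvss: float          # CVSS base score, 0.0-10.0
    epss: float          # EPSS probability of exploitation within 30 days, 0.0-1.0
    internet_facing: bool


@dataclass
class Decision:
    finding: Finding
    quadrant: str
    sla_days: int
    due: date
    overdue: bool
    reason: str


def load_kev(raw_json: str) -> dict[str, date]:
    """Map CVE ID -> CISA due date from a KEV feed document."""
    feed = json.loads(raw_json)
    return {v["cveID"]: date.fromisoformat(v["dueDate"]) for v in feed["vulnerabilities"]}


def quadrant(f: Finding, kev: dict[str, date]) -> str:
    """Severity (CVSS >= 7.0) by likelihood (EPSS >= EPSS_HIGH), KEV overriding both."""
    if f.cve in kev:
        return "EMERGENCY"                  # confirmed exploitation beats any score
    high_severity, likely = f.cvss >= 7.0, f.epss >= EPSS_HIGH
    if high_severity and likely:
        return "EMERGENCY"
    if high_severity:
        return "STANDARD SLA"
    if likely:
        return "ESCALATE"                   # re-triage; exploitation can promote it
    return "DEFER OR ACCEPT"


def sla_days(f: Finding, q: str) -> int:
    """Remediation window per the module's SLA tiers (ESCALATE window is an assumption)."""
    if q == "EMERGENCY":
        return 2 if f.internet_facing else 7
    if q == "STANDARD SLA":
        return 14 if f.cvss >= 9.0 else 30  # Critical 14d, High 30d
    if q == "ESCALATE":
        return 14                           # provisional window while re-triage happens
    return 90 if f.cvss >= 4.0 else 180     # Medium 90d, Low 180d or risk-accept


def decide(f: Finding, kev: dict[str, date], today: date) -> Decision:
    q = quadrant(f, kev)
    days = sla_days(f, q)
    due = today + timedelta(days=days)
    reason = f"cvss={f.cvss} epss={f.epss:.1%}"
    if f.cve in kev:
        due = min(due, kev[f.cve])          # never later than CISA's own due date
        reason = "CISA KEV listed; " + reason
    return Decision(f, q, days, due, due < today, reason)


def prioritise(findings: list[Finding], kev: dict[str, date], today: date) -> list[Decision]:
    """Work queue ordered by queue rank, then earliest due date, then likelihood."""
    decisions = [decide(f, kev, today) for f in findings]
    decisions.sort(key=lambda d: (QUEUE_ORDER[d.quadrant], d.due, -d.finding.epss, -d.finding.cvss))
    return decisions


def queue_depth(decisions: list[Decision]) -> dict[str, int]:
    """Findings per queue; compare the EMERGENCY count against weekly capacity."""
    depth = dict.fromkeys(QUEUE_ORDER, 0)
    for d in decisions:
        depth[d.quadrant] += 1
    return depth


# Constructed findings; CVE-2099-* identifiers are hypothetical.
SAMPLE_FINDINGS = [
    Finding("CVE-2021-44228", "ci-build-server", 10.0, 0.97, internet_facing=False),
    Finding("CVE-2099-0002", "customer-portal", 6.8, 0.94, internet_facing=True),
    Finding("CVE-2099-0003", "api-gateway", 9.8, 0.004, internet_facing=True),
    Finding("CVE-2099-0004", "intranet-wiki", 7.5, 0.02, internet_facing=False),
    Finding("CVE-2099-0005", "file-share", 5.3, 0.35, internet_facing=True),
    Finding("CVE-2099-0006", "hr-app", 5.3, 0.01, internet_facing=False),
]

if __name__ == "__main__":
    queue = prioritise(SAMPLE_FINDINGS, load_kev(KEV_JSON), SAMPLE_TODAY)
    for d in queue:
        flag = " OVERDUE" if d.overdue else ""
        print(f"{d.quadrant:16} {d.finding.cve:15} {d.finding.asset:16} due {d.due}{flag}  {d.reason}")
    print(queue_depth(queue))
```

Running it answers two of the questions this module asks: the internal Log4j instance lands in EMERGENCY with a 7-day internal window, but because the CISA due date has long passed it is reported as overdue rather than given a fresh week; and the CVSS 6.8 CVE with EPSS 0.94 on the KEV list is promoted to EMERGENCY with a 48-hour window, ahead of a CVSS 9.8 finding that nobody is exploiting. queue_depth gives the number a team with a fixed weekly capacity needs: how many findings actually sit in the queue it must clear first.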

Vulnerability lifecycle as a closed loop

Six phases from discovery to post-closure with feedback into discovery and tiered SLAs.

Figure: the vulnerability lifecycle as a closed six-phase loop. 01 Discovery (authenticated scans, SBOM CVE match) → 02 Triage (confirm finding, identify owner) → 03 Prioritise (CVSS × EPSS × KEV scoring) → 04 Remediate (patch, mitigate, or accept) → 05 Verify (re-scan to confirm closure) → 06 Post-closure (update SBOM, MTTR metrics), with a feedback arc from phase 6 back to phase 1: post-closure data updates the discovery inputs.

Patch SLA tiers shown with the figure (the module's recommended values; NIST SP 800-40r4 asks organisations to define tiers and timeframes but does not prescribe day counts):

  • KEV entry, or Critical with EPSS at or above 50%: 48 hours internet-facing, 7 days internal
  • Critical without active exploitation: 14 days
  • High: 30 days
  • Medium: 90 days
  • Low: 180 days or documented risk acceptance

Six phases form a loop, not a list. Equifax discovered the Struts CVE; the loop broke at prioritisation. The metric that distinguishes a programme from a scan is MTTR by severity tier. Source: NIST SP 800-40r4.

Common misconception

CVSS Base Scores reflect current exploitation risk, so monitoring CVSS scores alone is sufficient for prioritisation.

CVSS Base Scores describe intrinsic characteristics and are not designed to change when new exploit code is released, when the CVE is added to the CISA KEV catalogue, or when a ransomware group begins exploiting it (NVD occasionally rescores, but not in response to exploitation activity). A CVE published in 2021 with a CVSS 7.5 score may have an EPSS score of 80% today if exploit code was recently released. Review KEV additions daily; the catalogue is published as JSON and CSV feeds, so diffing it against open findings can be automated. Re-triage any open finding that appears on it, even if it was previously de-prioritised on CVSS alone.

Common misconception

Running a monthly vulnerability scan and producing a report constitutes a vulnerability management programme.

Scanning produces a list of findings; a programme converts those findings into prioritised remediation work with named owners, SLA deadlines, escalation paths, and tracking to verified closure. Organisations that scan without a downstream process accumulate backlogs of thousands of unresolved findings. The Equifax 2017 breach occurred despite active scanning: the process that should have converted the CRITICAL alert into mandatory remediation with accountability did not exist. The metric that distinguishes a programme from a scan is mean time to remediate (MTTR) by severity tier, measured against defined SLAs.

Check your understanding

A vulnerability management team has 2,400 open CVEs: 180 CVSS Critical (9.0+), 600 High, and the remainder Medium or Low. Capacity allows approximately 50 remediations per week. The team wants to reduce risk from active exploitation most efficiently. Which prioritisation approach yields the most risk reduction per unit of effort?

Log4Shell (CVE-2021-44228, CVSS 10.0) was publicly disclosed on 9 December 2021 and added to the CISA KEV catalogue on 10 December. Your authenticated scan identifies three instances of a vulnerable Log4j version in internal developer tooling: a local CI build server, a test results dashboard, and a code coverage report generator. None are internet-facing. Your internet-facing production systems have already been patched. How should you classify and schedule remediation of the internal instances?

Equifax had vulnerability scanning enabled in March 2017. The scan tool identified CVE-2017-5638. The alert was generated. The system remained unpatched when attackers exploited it two months later. Which phase of the vulnerability lifecycle failed, and what process control would most directly have prevented the breach?

Check your understanding

A vulnerability has a CVSS 4.0 base score of 6.8 (Medium) but appears in the CISA Known Exploited Vulnerabilities catalogue with an EPSS score of 0.94. How should it be prioritised?

Key takeaways

  • CVSS 4.0 measures intrinsic severity across four metric groups: Base (inherent characteristics), Threat (exploit maturity), Environmental (deployment context), and Supplemental (informational only). The Threat group is the renamed Temporal group; its default value assumes active exploitation, so threat intelligence can only lower a score, never raise it above Base.
  • EPSS predicts the probability of exploitation within 30 days from a model trained on observed exploitation activity. Combined with CVSS, it concentrates the urgent queue on the small fraction of CVEs that are actually likely to be exploited; the EPSS threshold sets the trade-off between remediation effort and coverage of exploited CVEs and should be chosen deliberately, not inherited from a vendor default.
  • The CISA KEV catalogue confirms active exploitation in the wild. Any KEV entry warrants immediate re-triage regardless of when the CVE was originally scored. The BOD 22-01 due dates (two weeks for CVEs assigned in 2021 or later) are a practical baseline for commercial organisations.
  • A vulnerability lifecycle runs from discovery through triage, prioritisation, remediation, verification, and post-closure tracking. The Equifax breach was a prioritisation and escalation failure: discovery occurred; the mandatory remediation process did not.
  • Patch management SLAs must be documented, assigned to named owners, and tracked. Without enforcement, SLAs become aspirational targets that erode under delivery pressure.

You can now manage vulnerabilities systematically. But despite all preventive controls, incidents will occur. How do you detect an active intrusion and respond effectively under pressure? Module 22 covers detection and incident response.

Standards and sources cited in this module

  1. CVSS v4.0 Specification (FIRST, 2023)

    Base, Threat, Environmental, and Supplemental metric groups with scoring formula and worked examples.

  2. CISA KEV Catalogue (BOD 22-01)

    Actively exploited vulnerability catalogue with remediation deadlines for US federal agencies and best-practice SLA guidance.

  3. EPSS v3 Model Documentation (FIRST)

    Exploit Prediction Scoring System: model features, scoring methodology, and Cyentia Institute research on prioritisation effectiveness.

  4. NIST SP 800-40r4: Guide to Enterprise Patch Management Planning

    Patch management policy, SLA definition, and vulnerability lifecycle guidance.

  5. FTC vs Equifax Consent Order and Senate Judiciary Committee Testimony (2017-2018)

    Vulnerability management lifecycle failure case study: patch available, alert sent, remediation process missing.