Patch Intelligence

Why CVSS Is Failing MSPs — and What to Use Instead

Most IT providers still triage patches by CVSS severity score. Here's why that's a losing strategy — and how exploit probability, KEV status, and SMB stack exposure give you a defensible, actionable patch queue.

Published 2026-03-20

The Problem With Sorting by Severity

Every Patch Tuesday, the same scene plays out across MSP dashboards: a wall of CVEs, color-coded red and orange, each stamped with a CVSS score that says "critical" or "high." The instinct is to start at the top and work down. It feels rigorous. It feels defensible.

It's also, increasingly, the wrong approach.

CVSS measures theoretical severity under ideal conditions. Attackers don't operate under ideal conditions — they exploit what's reachable, what's already weaponized, and what's sitting unpatched on the kind of infrastructure small businesses actually run.

When your patch queue is sorted by CVSS, you end up chasing theoretical 9.8s — many of which require local access, specific configurations, or version combinations that don't exist in your clients' environments. Meanwhile, a CVSS 6.5 in a VPN appliance actively used by ransomware groups goes unpatched for three more weeks.

The numbers make this concrete: roughly 1% of disclosed CVEs are actively exploited in the wild each year, yet 32.7% of all CVEs are rated Critical or High by CVSS. That's a massive queue inflation problem. Worse, 28.96% of CISA KEV entries showed exploitation on or before the day of public disclosure in 2025 — meaning nearly a third of confirmed-exploited vulnerabilities were being attacked before they even appeared in most patch management tools.

The Three Signals That Actually Predict Exploitation

If CVSS isn't the right primary signal, what is? The answer is a combination of three data sources that are all publicly available, but rarely used together in a coherent workflow.

CISA KEV — confirmed, not theoretical. The CISA Known Exploited Vulnerabilities catalog is the closest thing the security community has to ground truth on what's being actively attacked right now. Every entry has been confirmed exploited in the wild. If a CVE is in KEV, the debate about whether it's a real threat is over. For MSPs, KEV should trigger a different SLA: not "patch next maintenance window" but "patch within 48 hours." Critically, not every KEV entry is high CVSS. Some are 5.x or 6.x scores that would never surface at the top of a severity-sorted queue — that's exactly the point.

EPSS — probability, not severity. The Exploit Prediction Scoring System assigns each CVE a probability score representing how likely it is to be exploited within the next 30 days, trained on real-world exploitation data. The divergence from CVSS is sometimes striking: a vulnerability can have an EPSS of 0.90 while carrying a CVSS of 5.5. A useful working threshold: any CVE with EPSS above 0.10 deserves active attention. Above 0.40, treat it with urgency comparable to High severity. Above 0.70, treat it like a KEV.

Ransomware correlation. Ransomware groups are consistent — they find the CVEs that enable initial access in perimeter devices, VPNs, and remote access tools, and hammer them across campaigns. Several public databases flag CVEs that have been used in ransomware deployments. For SMB-focused MSPs, this signal is disproportionately important: ransomware groups increasingly target small businesses precisely because defenses are thinner.

Why SMB Stack Context Changes Everything

Generic CVE feeds don't account for what software your clients actually run. Most SMB environments have a recognizable pattern: Microsoft 365, commodity firewalls and VPNs (Fortinet, SonicWall, WatchGuard), backup software, and legacy line-of-business applications.

A CVSS 9.8 in enterprise middleware you don't run is irrelevant. A CVSS 7.2 in a firewall firmware version deployed across 20 of your clients is urgent. Before ranking patch urgency, filter the CVE list to only what's present in your environments — this alone dramatically reduces queue noise.

A Triage Framework for MSPs

Applied systematically, this becomes a five-step process that turns a wall of CVEs into a defensible, prioritized patch queue.

Step 1 — Filter by stack relevance. Remove any CVE that doesn't affect software in your client environments. If you don't run it, it doesn't belong in your queue.

Step 2 — Isolate KEV entries. Any stack-relevant CVE in CISA KEV moves to emergency tier. Target remediation within 48 hours.

Step 3 — Score remaining CVEs by EPSS. Sort non-KEV CVEs by exploitation probability. Apply a 0.10 threshold to separate active-watch from routine-queue items.

Step 4 — Flag ransomware-linked CVEs. Cross-reference with ransomware deployment databases. Any CVE tied to active SMB-targeting campaigns gets elevated regardless of EPSS score.

Step 5 — Apply perimeter exposure modifier. For internet-facing systems — firewalls, VPNs, remote access tools — increase urgency by one tier. Internal-only systems can wait for the next maintenance window.
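The five steps above, plus the stack filter from the previous section and the EPSS thresholds (0.10 active-watch, 0.70 treat-as-KEV) from the signals section, collapse into one small scoring routine. The following is an added example written for this brief, not TIRESIS pipeline code; every CVE id, product name, score and inventory entry in it is constructed sample data, and the field names (`in_kev`, `ransomware_linked`, `internet_facing`) are assumptions about how you would carry those signals in your own feed.

```python
"""Five-step MSP CVE triage: stack filter, KEV, EPSS, ransomware, perimeter.

Added illustration, not TIRESIS code. All ids, products and scores are
constructed sample data, not real advisories.
"""
from dataclasses import dataclass

# Tiers ordered from lowest to highest urgency.
TIERS = ["backlog", "weekly", "emergency"]

# Thresholds from the brief: 0.10 separates active-watch from routine,
# 0.70 is treated like a KEV entry.
EPSS_WATCH = 0.10
EPSS_KEV_EQUIVALENT = 0.70


@dataclass
class Cve:
    cve_id: str
    product: str            # must match a product key in the asset inventory
    cvss: float
    epss: float
    in_kev: bool = False
    ransomware_linked: bool = False


@dataclass
class Asset:
    product: str
    internet_facing: bool


def _bump(tier: str) -> str:
    """Raise urgency by exactly one tier, capped at 'emergency'."""
    return TIERS[min(TIERS.index(tier) + 1, len(TIERS) - 1)]


def triage(cves, inventory):
    """Return {tier: [(cve_id, reason), ...]}, highest EPSS first per tier."""
    by_product = {a.product: a for a in inventory}
    buckets = {t: [] for t in TIERS}
    for cve in cves:
        # Step 1: drop anything that is not in client environments.
        asset = by_product.get(cve.product)
        if asset is None:
            continue
        # Step 2: KEV entries go straight to the emergency tier.
        if cve.in_kev:
            tier, why = "emergency", ["CISA KEV"]
        # Step 3: EPSS decides the starting tier for everything else.
        elif cve.epss >= EPSS_KEV_EQUIVALENT:
            tier, why = "emergency", [f"EPSS {cve.epss:.2f} >= {EPSS_KEV_EQUIVALENT}"]
        elif cve.epss >= EPSS_WATCH:
            tier, why = "weekly", [f"EPSS {cve.epss:.2f} >= {EPSS_WATCH}"]
        else:
            tier, why = "backlog", [f"EPSS {cve.epss:.2f} below {EPSS_WATCH}"]
        # Step 4: ransomware linkage elevates one tier regardless of EPSS.
        if cve.ransomware_linked:
            tier = _bump(tier)
            why.append("ransomware-linked")
        # Step 5: internet-facing assets go up one more tier.
        if asset.internet_facing:
            tier = _bump(tier)
            why.append("internet-facing")
        buckets[tier].append((cve, "; ".join(why)))
    return {
        t: [(c.cve_id, why) for c, why in sorted(items, key=lambda p: -p[0].epss)]
        for t, items in buckets.items()
    }


# Constructed inventory for a typical SMB stack (assumed product keys).
SAMPLE_INVENTORY = [
    Asset("vpn-appliance-firmware", internet_facing=True),
    Asset("perimeter-firewall-firmware", internet_facing=True),
    Asset("backup-server", internet_facing=False),
    Asset("office-desktop-suite", internet_facing=False),
    Asset("lob-accounting-app", internet_facing=False),
]

# Constructed CVE feed; ids are placeholders, not real CVE numbers.
SAMPLE_CVES = [
    Cve("CVE-EXAMPLE-1", "vpn-appliance-firmware", cvss=6.5, epss=0.35, in_kev=True),
    Cve("CVE-EXAMPLE-2", "enterprise-middleware", cvss=9.8, epss=0.02),   # not in stack
    Cve("CVE-EXAMPLE-3", "backup-server", cvss=7.2, epss=0.05, ransomware_linked=True),
    Cve("CVE-EXAMPLE-4", "perimeter-firewall-firmware", cvss=7.2, epss=0.15),
    Cve("CVE-EXAMPLE-5", "office-desktop-suite", cvss=9.4, epss=0.03),     # headline 9.4
    Cve("CVE-EXAMPLE-6", "lob-accounting-app", cvss=5.5, epss=0.90),       # low CVSS, high EPSS
    Cve("CVE-EXAMPLE-7", "office-desktop-suite", cvss=8.1, epss=0.20),
]


def run_sample():
    """Triage the constructed feed against the constructed inventory."""
    return triage(SAMPLE_CVES, SAMPLE_INVENTORY)


if __name__ == "__main__":
    for tier, items in run_sample().items():
        print(f"[{tier}]")
        for cve_id, reason in items:
            print(f"  {cve_id}: {reason}")
```

Note what the sample demonstrates: the CVSS 9.8 middleware CVE never enters the queue, the CVSS 6.5 VPN entry lands in the emergency tier because it is in KEV, and the headline CVSS 9.4 desktop-suite CVE with EPSS 0.03 sits in the backlog. The `reason` string attached to each item is the sentence you hand the client when they ask why something was or was not emergency-patched.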

The Result: Three Buckets Instead of Eighty CVEs

In practice, this framework produces three tiers. An emergency list (typically 0–5 items per week) of KEV entries and high-EPSS CVEs affecting perimeter devices — handled immediately. A weekly patch list of medium-EPSS CVEs in common SMB software — scheduled for the next maintenance window. A backlog of low-probability CVEs that meet none of the urgency criteria — patched on normal quarterly cycles.

This also changes client conversations. When you push an emergency patch for something that scored 6.8 on CVSS, "it's in CISA's actively exploited list and it affects your firewall" is a complete answer. When you don't emergency-patch a CVSS 9.4 that made the news, "that vulnerability requires local authenticated access on a platform you don't run, and there's no exploit activity in the wild" is equally complete. You're not ignoring headlines — you're triaging intelligently.

What to Watch Going Forward

The window between vulnerability disclosure and active exploitation continues to compress. The old assumption that you have days or weeks to assess a new CVE before attackers weaponize it is no longer reliable. For SMB-focused MSPs, the implication is not to panic — it's to automate the triage signal layer. The data sources exist and are free. What's needed is a workflow that ingests them, filters for relevance, and surfaces the handful of things that actually need action this week.

That's the shift from reactive patching to operationally predictive vulnerability management.


Analysis based on TIRESIS CVE scoring pipeline, CISA KEV catalog, and EPSS historical data. SMB Attack Probability Scores updated continuously.
