CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

KEV vs EPSS vs CVSS: which signal should drive patching?

The three most-quoted vulnerability numbers answer three different questions. Treating any one of them as a priority list produces either panic or blind spots. Here is what each one actually tells you, and a patch order you can defend.

Three scores, three questions

CVSS (Common Vulnerability Scoring System) answers “how bad could this be?” It scores the technical characteristics of a flaw — attack vector, privileges required, impact — on a 0–10 scale. It says nothing about whether anyone is actually attacking it. Most databases, including NVD, publish a CVSS score for every CVE.

EPSS (Exploit Prediction Scoring System, from FIRST.org) answers “how likely is exploitation in the next 30 days?” It is a daily-updated model output between 0 and 1, driven by signals like exploit publication, chatter and vulnerability characteristics. It is a forecast — useful, but probabilistic.

CISA KEV (Known Exploited Vulnerabilities) answers “is it already happening?” A CVE only enters the KEV catalog when there is evidence of exploitation in the wild. It is the strongest signal of the three — and also the slowest, because confirmation takes time.

Where each one misleads

CVSS-first patching drowns you: thousands of critical-scored CVEs are published each year and the large majority are never exploited. EPSS-first patching chases a moving model output and is hard to explain to an auditor. KEV-only patching is defensible but late — our live Exploitation Gap report tracks CVEs with working public exploit code that KEV has not (yet) confirmed, and that list is never empty. Exploit code published today is tomorrow's mass scanning.

A defensible order

1. KEV membership first. Confirmed exploitation beats every model. Everything on the exploited list that touches your stack is a patch-now item; US federal agencies are legally bound to exactly this rule under BOD 22-01.

2. Public exploit code + high EPSS second. A CVE with a Metasploit module or PoC on GitHub (has_exploit on CSIRTS.com) and a rising EPSS is KEV-in-waiting. Patch it before confirmation arrives, not after.

3. CVSS as the tiebreaker. Within either group, sort by CVSS and by reachability — internet-facing before internal, unauthenticated before authenticated.

Frequently asked

Should I patch everything with CVSS 9.0 or higher first?
Not by score alone. Most critical-CVSS CVEs are never exploited, while attackers routinely use medium-scored flaws that are easy to reach. Confirmed exploitation (CISA KEV) and exploit availability are stronger urgency signals; CVSS works best as a tiebreaker within those groups.
Is a high EPSS score proof that a CVE is being exploited?
No. EPSS is a probability estimate that exploitation activity will be observed within 30 days, produced by a model. Confirmation comes from the CISA KEV catalog. A high EPSS with no KEV entry usually means "expect it soon" — a strong reason to patch before confirmation arrives.
What does it mean when a CVE is in KEV but has a low CVSS score?
It means attackers found it useful regardless of its theoretical severity — often because it is unauthenticated, internet-reachable, or chains with another bug. KEV membership overrides a modest CVSS: it is being used in real attacks, so treat remediation as urgent.
Where can I see all three signals for one CVE in one place?
CSIRTS.com CVE pages (csirts.com/cve/CVE-YYYY-NNNN) show the normalized severity and CVSS, the EPSS-based exploitation outlook, CISA KEV membership with the date added, and whether public exploit code exists — plus every CERT and vendor advisory covering the CVE.
All three signals, one page per CVE: severity, EPSS outlook, KEV status and exploit availability at csirts.com/cve/<CVE-ID> — or query them via the API, MCP server and open datasets. Related: exploited vs public exploit code · the 10-minute triage.