
CVSS vs EPSS vs KEV: how to prioritize CVEs that matter

CVSS vs EPSS vs KEV: three signals that rank vulnerabilities differently. Why CloudKey patches KEV-listed CVEs first, EPSS-elevated next, CVSS last.

[Figure: VulnMonitor findings dashboard ranking CVSS vs EPSS vs KEV signals against the asset inventory]

CVSS vs EPSS vs KEV is the question every patch queue has to answer: which of these three signals tells you what to fix this week? CVSS rates how bad a vulnerability would be if it were exploited. EPSS estimates the probability that it will be exploited in the next 30 days. KEV is the historical record of CVEs attackers have already used in the wild. The same CVE comes out ranked differently under each, and most patch queues let the wrong one win.

CloudKey orders CVSS vs EPSS vs KEV like this: KEV status first, EPSS probability second, CVSS only after both. If your team still patches the highest CVSS number first, you are likely fixing the wrong CVE this week.

CVSS vs EPSS vs KEV at a glance

Signal | What it measures | Source | Use it to decide
--- | --- | --- | ---
CVSS | Hypothetical severity if exploited | NVD scores; spec maintained by FIRST | Triage floor, not queue order
EPSS | Probability of exploitation in the next 30 days | FIRST EPSS model, recomputed daily | Patch the not-yet-exploited
KEV | Confirmed in-the-wild exploitation | CISA KEV catalog | Patch now, with evidence

What KEV actually is

The Known Exploited Vulnerabilities catalog is a list, maintained by CISA, of CVEs with reliable evidence of active exploitation in the wild. CISA adds a CVE only when it has an assigned CVE ID, there is observed exploitation against a real target (proof-of-concept code alone does not qualify), and a clear remediation action such as a vendor patch or mitigation exists.

Two numbers make this list important:

  • Roughly 1,200 CVEs sit on KEV as of writing, against more than 200,000 CVEs catalogued by NVD. That is about 0.6%.
  • Research behind EPSS and related academic work finds that only a few percent of all published CVEs ever see observed exploitation in the wild. KEV membership is confirmed exploitation by definition, so it is orders of magnitude more selective than a “CVSS Critical” filter.

If you patched only KEV-listed CVEs and nothing else, you would cover a large share of the exploitation actually observed in the wild, for a fraction of the engineering effort of a “patch everything critical” queue. The gap is the window between first exploitation and KEV listing, which is where EPSS earns its place.

Why CVSS alone misranks the queue

CVSS scores are computed from intrinsic technical properties: attack vector, complexity, required privileges, impact. They are useful, but they predict severity in the abstract, not the probability of exploitation.

Two consequences follow:

  • A 9.8 CVSS on a niche product that no attacker tooling exists for is less urgent than a 7.5 CVSS on a widely deployed edge appliance that is already being mass-exploited.
  • The CVSS distribution is heavy at the top. Roughly 17% of CVEs land at 9.0 or higher. If everything is critical, nothing is.

The result is a queue that loses signal. Teams burn out triaging “critical” findings while the actual breach vector sits halfway down the list with a 7.5.

Two real CVEs that prove the point

CVE-2024-3400: Palo Alto GlobalProtect

A command injection in PAN-OS GlobalProtect. CVSS base score: 10.0. KEV-listed within days of disclosure. EPSS climbed above 0.95 inside a week.

Every signal lined up. Even a CVSS-only queue would have caught it. The interesting question is the next one.

CVE-2024-21887: Ivanti Connect Secure command injection

CVSS base score: 9.1, lower than a long list of advisories published the same week. KEV-listed almost immediately, because it was already being exploited in a chain with an authentication bypass in the same product (CVE-2023-46805). EPSS over 0.94.

A CVSS-first team would have queued it behind several 9.8s with no observed exploitation. A KEV-first team patched it the day it landed. The teams that got hit were hit while their queue still showed it as a tier-two finding.

These are not anomalies. They are the rule for edge devices in 2024 and 2025: KEV catches the truly urgent CVEs days to weeks before CVSS-only ranking would.

Where EPSS fits in

EPSS is FIRST’s Exploit Prediction Scoring System. It outputs a probability between 0 and 1 that a CVE will be exploited in the next 30 days, recomputed daily from features such as published exploit code, the affected vendor and product, weakness type and reference data, with the model trained against exploitation activity observed by FIRST’s data partners. Each score is published alongside a percentile that places the CVE against every other scored CVE, which is the more stable number to set thresholds on.

KEV is binary and historical: it says “this has been exploited.” EPSS is probabilistic and forward-looking: it says “this is likely to be exploited soon.” Used together they cover the timeline:

  • KEV-listed: patch now, with evidence behind you.
  • EPSS over 0.7 and not yet KEV-listed: patch in the next sprint, before it lands on KEV.
  • EPSS under 0.1 and not KEV: ranked, but not your first ten.

CloudKey’s VulnMonitor reconciles all three signals against your asset inventory, then ranks the few CVEs that matter for your stack into a daily queue.

How CloudKey ranks

Every finding in VulnMonitor goes through four checks before it lands on your queue, in this order:

  1. Is the CVE on KEV?
  2. What is its EPSS score, and is the trend rising?
  3. What is the CVSS base score?
  4. Does the CVE match an asset in your inventory, and how reachable is that asset?

The fourth question matters as much as the first three. A KEV-listed CVE on a host that is not internet-facing and not in the privileged blast radius is still important, but it is not the same urgency as a KEV-listed CVE on a perimeter edge device.

A finding ranked by KEV plus reachability is the one that survives review and earns the engineering hour. The rest are batched into a quarterly hardening pass.

What to change in your queue this week

Three steps to order CVSS vs EPSS vs KEV this week:

  1. Tag every CVE in your tracker with KEV status. If your scanner does not export it, pull the CISA feed directly and join on CVE ID.
  2. Sort by KEV first, EPSS second, CVSS third. Stop using “Critical / High / Medium / Low” as the top-level filter.
  3. Re-test every fix. A KEV-listed CVE that is “patched” without re-test is not closed. CloudKey penetration testing includes the re-test on every engagement.
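The tiering described under “Where EPSS fits in”, the four VulnMonitor checks, and the three steps above all reduce to one join and one sort. The script below is an added example, not CloudKey’s or VulnMonitor’s code: it parses a constructed sample in the shape of CISA’s KEV JSON feed and FIRST’s EPSS CSV, joins both to constructed scanner findings on CVE ID, and orders the queue KEV first, EPSS second, CVSS third, with asset exposure breaking ties inside each tier. The CVE-2099-* identifiers, host names, exposure labels and all EPSS values are placeholders; the two real CVEs carry their real KEV listing dates but constructed EPSS values.

```python
"""Order a patch queue KEV first, EPSS second, CVSS third, then by asset
exposure. Added example with constructed sample data, not VulnMonitor code."""
import csv
import io
import json
from dataclasses import dataclass

# Constructed sample in the shape of CISA's KEV JSON feed (subset of its fields).
# Live feed: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2024-3400", "vendorProject": "Palo Alto Networks",
     "product": "PAN-OS", "dateAdded": "2024-04-12"},
    {"cveID": "CVE-2024-21887", "vendorProject": "Ivanti",
     "product": "Connect Secure", "dateAdded": "2024-01-10"},
]})

# Constructed sample in the shape of FIRST's daily EPSS CSV: one '#' comment
# line, then a cve,epss,percentile header. CVE-2099-* are placeholder IDs and
# every probability here is made up for the illustration.
EPSS_CSV = """#model_version:constructed,score_date:2025-01-01T00:00:00+0000
cve,epss,percentile
CVE-2024-3400,0.96,0.999
CVE-2024-21887,0.94,0.998
CVE-2099-0001,0.02,0.550
CVE-2099-0002,0.81,0.985
"""

# Reachability of the asset, the fourth check: perimeter first.
EXPOSURE_WEIGHT = {"internet": 2, "privileged": 1, "internal": 0}


@dataclass(frozen=True)
class Finding:
    cve: str
    asset: str
    cvss: float      # CVSS base score as reported by the scanner
    exposure: str    # key into EXPOSURE_WEIGHT


# Constructed scanner output: one row per CVE x asset pair.
FINDINGS = [
    Finding("CVE-2099-0001", "build-agent-07", 9.8, "internal"),
    Finding("CVE-2024-21887", "vpn-ics-01", 9.1, "internet"),
    Finding("CVE-2024-21887", "lab-ics-02", 9.1, "internal"),
    Finding("CVE-2099-0002", "web-edge-03", 7.5, "internet"),
    Finding("CVE-2024-3400", "fw-edge-01", 10.0, "internet"),
]


def load_kev(text: str) -> dict:
    """CVE ID -> dateAdded for every catalog entry; membership is the signal."""
    return {v["cveID"]: v["dateAdded"] for v in json.loads(text)["vulnerabilities"]}


def load_epss(text: str) -> dict:
    """CVE ID -> 30-day exploitation probability, skipping the comment line."""
    rows = (line for line in io.StringIO(text) if not line.startswith("#"))
    return {r["cve"]: float(r["epss"]) for r in csv.DictReader(rows)}


def tier(in_kev: bool, epss: float) -> int:
    """0 = patch now (KEV), 1 = next sprint (EPSS >= 0.7), 2 = ranked backlog."""
    if in_kev:
        return 0
    return 1 if epss >= 0.7 else 2


TIER_LABEL = {0: "patch now (KEV)", 1: "next sprint (EPSS >= 0.7)", 2: "ranked"}


def kev_first_queue(findings, kev, epss):
    """Sort by tier, then exposure, then EPSS, then CVSS, most urgent first.
    A CVE missing from the EPSS file gets 0.0 here; treat that as 'unscored',
    not 'safe', since the ID may simply be too new for the model."""
    def key(f):
        p = epss.get(f.cve, 0.0)
        return (tier(f.cve in kev, p), -EXPOSURE_WEIGHT[f.exposure], -p, -f.cvss)
    return [{"cve": f.cve, "asset": f.asset, "cvss": f.cvss,
             "epss": epss.get(f.cve, 0.0), "kev_added": kev.get(f.cve),
             "tier": TIER_LABEL[tier(f.cve in kev, epss.get(f.cve, 0.0))]}
            for f in sorted(findings, key=key)]


def cvss_first_queue(findings):
    """The ordering this article argues against, kept for the comparison."""
    return [f.cve for f in sorted(findings, key=lambda f: -f.cvss)]


if __name__ == "__main__":
    queue = kev_first_queue(FINDINGS, load_kev(KEV_JSON), load_epss(EPSS_CSV))
    for i, row in enumerate(queue, 1):
        print(f"{i}. {row['cve']:<15} {row['asset']:<15} CVSS {row['cvss']:<4} "
              f"EPSS {row['epss']:.2f}  {row['tier']}")
    print("CVSS-first would have run:", cvss_first_queue(FINDINGS))
```

On this sample the KEV-first queue opens with the three KEV findings, the two perimeter hosts ahead of the lab host, then the EPSS-elevated 7.5 on the edge, and the 9.8 on an internal build agent last; the CVSS-first order puts that 9.8 second. Exposure is applied inside a tier rather than ahead of KEV so that the page’s ordering of signals survives while a KEV on an internal host still drops below a KEV on the perimeter. The EPSS trend check is not shown: the real file is republished daily, so it needs yesterday’s snapshot alongside today’s.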

This is not a research exercise. The first ten findings on a KEV-first queue close more real risk than the next five hundred on a CVSS-first queue. The risk that ordering removes per engineering hour matters more than the report it generates.


CloudKey Security Research

The CloudKey research team tracks emerging CVEs, exploit chains and active campaigns. Findings feed the platform and the customer advisories that follow.