Introduction: When Volume Stopped Being the Problem
By December 29, 2025, nearly 49,209 CVEs had been published—43% more than 2024. That translates to ~135 new vulnerabilities every day. The surge was fueled by increased software complexity, open-source dependency growth, and the expansion of CVE Numbering Authorities (CNAs).
Yet despite record disclosures, breaches were not caused by tens of thousands of vulnerabilities. They were caused by a very small, highly targeted subset.
The lesson of 2025:
Vulnerability management failed not because of scale—but because of prioritization.
The 2025 CVE Reality in Brief
- Total CVEs (2025): 49,209
- H1 2025: 23,667 CVEs (+16% YoY)
- H2 2025: 25,542 CVEs (+30% YoY)
- High & Critical: ~38% (CVSS ≥7.0)
Severity Breakdown
- Critical: 6,675 (14%)
- High: 16,743 (34%)
- Medium: 21,367 (43%)
- Low / Unrated: Remainder
While severity appeared alarming, it proved to be a poor predictor of exploitation.
Exploitation: Where Risk Actually Materialized
In H1 2025, 400+ CVEs were actively exploited in the wild and in H2 equals or more numbers expected.
- 42% had public Proof-of-Concept (PoC) code
- 30% enabled Remote Code Execution (RCE)
- Microsoft platforms and edge devices dominated targets
- State-sponsored actors drove over half of exploitation
- Ransomware and zero-day usage increased sharply
Attackers exploited speed, exposure, and critical assets—not raw severity.
Why CVSS Failed Alone
CVSS measures technical impact, not:
- Likelihood of exploitation
- Asset exposure
- Business consequence
Security teams triaged 135+ CVEs per day, yet attackers focused on 1–3% of them.
This disconnect made one thing clear:
Severity without context creates noise, not security.
The New Prioritization Model: EPSS + Asset Criticality
EPSS: Likelihood Over Theory
The Exploit Prediction Scoring System (EPSS) consistently identified:
- Vulnerabilities likely to be exploited
- CVEs that later appeared in CISA’s KEV catalog
- Risks with public PoCs and active attacker interest
A high-EPSS vulnerability often proved more dangerous than a CVSS-critical one.
Asset Criticality: Where Vulnerabilities Actually Matter
In 2025, exploitation clustered around specific asset classes:
- Identity systems (AD, Entra, Okta, IAM APIs)
- Edge and perimeter devices (VPNs, firewalls)
- Cloud control planes
- Management and monitoring tools
A medium-severity vulnerability on a Tier-1 asset posed greater risk than a critical vulnerability on a non-critical internal system.
Risk is contextual. Assets matter as much as vulnerabilities.
A Practical 2026 Prioritization Framework
Risk = EPSS × Asset Criticality × Exposure
| Priority Tier | Criteria | Action |
|---|---|---|
| Tier 1 | KEV OR EPSS ≥0.9 on Tier-1 asset | Immediate remediation / isolation |
| Tier 2 | EPSS ≥0.7 + internet-facing | Patch ≤7 days |
| Tier 3 | Critical CVSS, low EPSS, non-critical asset | Normal cycle |
| Tier 4 | Medium/Low, internal, low-criticality | Accept / defer |
Key Rule for 2026:
High likelihood on critical assets beats high severity everywhere else.
Response Must Change: KEV as an Incident
The CISA Known Exploited Vulnerabilities (KEV) list proved to be the most reliable indicator of real risk.
In 2026:
- KEV additions must trigger incident-level response
- Internet-facing KEVs require 24–72 hour remediation
- No exception-based deferrals without executive risk acceptance
KEVs are not patching tasks—they are active threats.
Mitigation Is Not Failure
When patching cannot meet SLA:
- WAF / IPS virtual patching
- Network segmentation
- Privilege reduction
- Identity hardening
Under NIST risk principles, reducing exposure is a valid and often necessary response.
When Fixing Is Not Possible: Risk Acceptance with Governance
In a 49K-CVE year, not every vulnerability can be fixed within SLA.
However, unpatched risk must never be implicit or invisible.
Unpatched vulnerabilities are a business risk—not a technical oversight.
When Risk Acceptance Is Permitted
Risk acceptance is allowed only when all of the following apply:
- A fix is technically unavailable or infeasible
- Patching would cause material business disruption
- The asset is non-internet-facing or has low exposure
- Compensating controls materially reduce exploitability
Risk acceptance must never automatically apply to:
- CISA KEV vulnerabilities
- High-EPSS vulnerabilities on Tier-1 assets
- Internet-facing identity or edge systems
Mandatory Conditions Before Acceptance
If a fix cannot be applied, the following are non-negotiable:
- Compensating controls in place (WAF, IPS, isolation, privilege reduction)
- Asset exposure minimized and verified
- EPSS score and KEV status documented
- Residual risk explicitly assessed and owned
Risk acceptance without mitigation is risk neglect.
Measure What Matters
Stop Reporting
- Total CVEs patched
- Patch backlog size
Start Reporting
- % KEVs remediated within SLA
- Mean time to remediate high-EPSS vulnerabilities
- Open exploitable risks on Tier-1 assets
- Exposure-weighted risk reduction
Boards should ask:
“Which exploitable risks remain open on critical assets today?”
Conclusion: The Shift Is Permanent
2025 exposed the limits of volume-driven vulnerability management.
In 2026, success depends on:
- EPSS-driven prediction
- Asset-aware prioritization
- KEV-led response
- Business-aligned risk decisions
You cannot patch everything.
But you can patch what attackers exploit—where it matters most.
