The End of CVSS: Why CISA Just Rewrote the Rules of Vulnerability Management

For nearly two decades, vulnerability management has been built around a simple assumption:

Higher CVSS score equals higher priority.

Security teams scan. Dashboards populate. Critical vulnerabilities rise to the top. Patching teams race to close the highest-scoring findings.

The process is measurable. Auditable. Defensible.

And increasingly, it is failing.

Attackers are not sorting vulnerabilities by CVSS scores before launching attacks. They are looking for what is exposed, exploitable, automatable, and impactful.

That distinction is exactly why CISA’s recently released BOD 26-04 matters.

At first glance, the directive appears to be another federal patching mandate.

It is not.

It is a public acknowledgment that vulnerability severity and vulnerability risk are no longer the same thing.

And that may be the most important shift in vulnerability management in years.

The Industry’s Favorite Metric Has Become Its Blind Spot

CVSS was never designed to be a prioritization strategy.

It was designed to provide a standardized method of describing technical severity.

Somewhere along the way, many organizations began treating it as a risk management framework.

The result?

Security teams spend countless hours remediating vulnerabilities because they are classified as “Critical” while genuinely exploitable attack paths remain untouched.

Consider two vulnerabilities:

  • A CVSS 9.8 vulnerability on an isolated internal server.
  • A CVSS 7.5 vulnerability on an internet-facing application currently being exploited by threat actors.

Traditional vulnerability programs prioritize the first.

Attackers prioritize the second.

Only one side is optimizing for reality.

BOD 26-04 Signals a Different Future

CISA’s new directive introduces a fundamentally different approach.

Instead of asking:

“How severe is this vulnerability?”

It asks:

“How likely is this vulnerability to be used against us?”

The directive evaluates risk through four lenses:

Exposure

Is the asset accessible from the internet?

Public exposure dramatically increases attacker opportunity and reduces attacker effort.

Exploitation

Is the vulnerability already listed in CISA’s Known Exploited Vulnerabilities catalog?

If attackers are already using it successfully, likelihood is no longer theoretical.

Automation

Can exploitation be automated?

Automation transforms isolated attacks into industrial-scale campaigns capable of targeting thousands of organizations simultaneously.

Impact

What level of control does exploitation provide?

Remote code execution, privilege escalation, and administrative control create disproportionate business risk and deserve disproportionate attention.

Notice what is missing from the list.

CVSS.

Not because severity is irrelevant.

But because severity alone is insufficient.
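As an added illustration (not code from the article or from CISA), the Python below ranks three constructed findings through the four lenses just described, with CVSS used only as a tie-breaker, and contrasts that order with a CVSS-only sort. The vulnerability identifiers are placeholders and the remediation tier thresholds are assumptions, not anything the directive specifies.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    """One vulnerability on one asset. Fields map to the directive's four lenses."""
    asset: str
    vuln_id: str             # placeholder ids below, not real CVE numbers
    cvss: float
    internet_exposed: bool   # Exposure: reachable from the internet?
    in_kev: bool             # Exploitation: listed in CISA's KEV catalog?
    automatable: bool        # Automation: can exploitation be scripted at scale?
    impact: str              # Impact: "rce", "privesc", "admin", "dos", "info"

HIGH_IMPACT = {"rce", "privesc", "admin"}

def risk_key(f: Finding) -> tuple:
    """Sort key built from the four lenses; CVSS is last and only breaks ties."""
    return (f.internet_exposed, f.in_kev, f.automatable,
            f.impact in HIGH_IMPACT, f.cvss)

def prioritize(findings: list) -> list:
    """Rank findings the way the directive frames risk (highest first)."""
    return sorted(findings, key=risk_key, reverse=True)

def prioritize_by_cvss(findings: list) -> list:
    """The traditional ordering, kept for comparison."""
    return sorted(findings, key=lambda f: f.cvss, reverse=True)

def remediation_tier(f: Finding) -> str:
    """Illustrative SLA bucket (thresholds are an assumption, not CISA's)."""
    if f.internet_exposed and f.in_kev:
        # Reachable and already exploited in the wild: patch now, and also
        # check whether exploitation has already occurred on this asset.
        return "immediate"
    lenses_hit = sum((f.internet_exposed, f.in_kev, f.automatable,
                      f.impact in HIGH_IMPACT))
    return "urgent" if lenses_hit >= 2 else "scheduled"

# Constructed sample data: the article's two cases plus a third for contrast.
SAMPLE_FINDINGS = [
    Finding("internal-db-01", "VULN-A", 9.8, False, False, False, "rce"),
    Finding("web-portal", "VULN-B", 7.5, True, True, True, "rce"),
    Finding("api-gateway", "VULN-C", 9.0, True, False, True, "privesc"),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        print(f"{f.vuln_id} on {f.asset}: CVSS {f.cvss} -> {remediation_tier(f)}")
```

The CVSS-only sort puts the isolated 9.8 first; the four-lens sort puts the internet-facing, KEV-listed 7.5 first and flags it for compromise assessment as well as patching.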

The Vulnerability Backlog Problem

Most enterprises today are drowning in vulnerability data.

Millions of findings.

Thousands of remediation tickets.

Hundreds of competing priorities.

The traditional response has been predictable:

Patch more.

Scan more.

Generate more reports.

Yet breaches continue.

The reason is simple.

Organizations are attempting to solve a prioritization problem with volume.

More remediation activity does not automatically translate into less risk.

In fact, many teams are becoming exceptionally efficient at fixing vulnerabilities that attackers have little interest in exploiting.

Meanwhile, truly dangerous exposures remain untouched because they fall outside traditional scoring models.

What CISA Is Really Saying

Read between the lines of BOD 26-04 and a larger message emerges.

Security programs should stop measuring success by vulnerability counts.

The objective is not to eliminate vulnerabilities.

The objective is to reduce the probability of compromise.

That sounds obvious.

Yet many metrics still reward activity instead of outcomes.

Organizations celebrate:

  • Number of vulnerabilities closed
  • Percentage of Critical findings remediated
  • Patch compliance rates

Attackers care about none of these metrics.

They care about one thing:

Can they get in?

BOD 26-04 aligns defensive priorities with that question.

The Most Overlooked Requirement

One requirement in the directive deserves special attention.

CISA does not simply require patching.

It requires agencies to determine whether exploitation has already occurred.

This changes the conversation entirely.

Historically, many organizations viewed patching as the finish line.

Install the update.

Close the ticket.

Move on.

But if attackers exploited the vulnerability before remediation, patching does not remove their access.

A patched system can still be a compromised system.

By emphasizing forensic triage and compromise assessment, CISA is reinforcing a critical reality:

Remediation without investigation can create a false sense of security.

The Rise of Exposure Management

The deeper implication of BOD 26-04 is that vulnerability management is evolving into exposure management.

Exposure management asks broader questions:

  • Which assets matter most?
  • Which vulnerabilities are actually reachable?
  • Which attack paths are exploitable today?
  • Which weaknesses create measurable business risk?

This shift moves security teams away from technical scoring exercises and toward operational risk management.

It is a more difficult approach.

But it is also a more effective one.

Why Every CISO Should Pay Attention

Although the directive applies to U.S. federal agencies, its lessons extend far beyond government.

The threat landscape does not distinguish between public and private sectors.

Attackers already prioritize vulnerabilities using exploitability, accessibility, and impact.

Defenders must do the same.

Organizations that continue to rely primarily on severity scores will increasingly find themselves patching what is loud rather than what is dangerous.

Organizations that embrace risk-based remediation will reduce exposure faster, focus resources more effectively, and align security operations with real-world threats.

Why This Shift Is Happening Now

A question naturally emerges:

If risk-based vulnerability management has been discussed for years, why is CISA formalizing it now?

The answer may lie in the changing economics of cyberattacks.

For decades, exploitation was constrained by time, skill, and scale. Attackers had to analyze disclosures, develop exploit code, identify vulnerable targets, and operationalize attacks. These activities created natural bottlenecks that often provided defenders with valuable time to respond.

Artificial intelligence is beginning to erode those bottlenecks.

AI-assisted tooling can help accelerate reconnaissance, vulnerability analysis, exploit development, attack-path discovery, and target identification. While skilled attackers remain essential, the time between vulnerability disclosure and exploitation continues to shrink.

This creates a dangerous reality for organizations that still prioritize remediation primarily through severity scores.

A vulnerability that is publicly exposed, actively exploited, and easily automatable can become a business risk long before traditional remediation cycles are completed.

The challenge is no longer finding vulnerabilities.

The challenge is determining which vulnerabilities matter before attackers do.

In many ways, AI has not broken vulnerability management.

It has exposed its biggest flaw.

The Future Beyond CVSS

CVSS is not disappearing.

It remains a valuable framework for understanding technical severity and communicating vulnerability characteristics.

What is disappearing is the assumption that severity alone determines remediation priority.

The future belongs to organizations that can answer questions such as:

  • Which vulnerabilities are actively being exploited?
  • Which assets are externally exposed?
  • Which attack paths are reachable today?
  • Which weaknesses create the greatest business impact?
  • Which vulnerabilities can attackers weaponize at scale?

These are fundamentally different questions from:

“Which vulnerability has the highest score?”

BOD 26-04 reflects this evolution.

The directive is not declaring CVSS obsolete.

It is declaring CVSS insufficient.

Final Thought

Many people will remember BOD 26-04 as a federal patching directive.

History may remember it differently.

It may be remembered as the moment one of the world’s largest cybersecurity authorities publicly acknowledged a reality that attackers have understood for years:

A vulnerability’s severity does not determine its danger.

Its exploitability does.

As artificial intelligence accelerates the speed of discovery, weaponization, and exploitation, organizations can no longer afford to confuse severity with risk.

The future of vulnerability management is not about finding more vulnerabilities.

It is not about patching more vulnerabilities.

And it is certainly not about chasing higher scores.

The future is about understanding exposure, prioritizing attacker opportunity, and reducing the paths that lead to compromise.

The End of CVSS is not the death of a scoring system.

It is the end of treating a score as a strategy.
