Vulnerability prioritisation framework shifts from CVSS-only reliance to EPSS and GCVE metrics

Cisco Talos advocates moving beyond CVSS scoring for patch prioritisation, recommending EPSS (Exploit Prediction Scoring System) and GCVE (Google Chromium Vulnerability Evaluation) to focus remediation efforts on threats with genuine exploitation risk rather than severity alone.

Sebastion

Affected

Enterprise patch management practices

This guidance from Cisco Talos addresses a well-documented problem in the vulnerability management field: CVSS scores conflate severity with exploitability and real-world threat likelihood. A vulnerability rated 9.8 may have no public exploits and low weaponisation potential, yet organisations still rush to patch it ahead of vulnerabilities scoring 6.5 that are actively exploited in the wild. This misalignment wastes remediation resources and creates the 'panic patching' cycle that introduces operational risk.

EPSS provides a probability-based model for whether a vulnerability will be exploited within 30 days, grounded in observed threat behaviour rather than abstract technical characteristics. GCVE applies similar logic specifically to Chromium-based vulnerabilities, a critical attack surface given browser ubiquity. Both metrics add contextual threat intelligence that CVSS cannot provide by design.

The practical implication is significant: organisations with finite patching capacity should triage by EPSS scores rather than CVSS alone. A high-CVSS, low-EPSS vulnerability can be deferred; a low-CVSS, high-EPSS vulnerability should move to the front of the queue. This represents a maturation in how the industry approaches vulnerability management, moving from checkbox compliance to data-driven risk allocation.
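The re-ordering described above, as an added illustration rather than Talos's own tooling: a small Python triage routine that ranks a constructed backlog by CVSS alone and then EPSS-first, and assigns each finding a remediation tier. The vulnerability identifiers, scores and the two thresholds (EPSS 0.10, CVSS 7.0) are assumptions chosen for the example, not values from the guidance.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    vuln_id: str   # placeholder identifier, not a real CVE number
    cvss: float    # CVSS base score, 0.0 to 10.0
    epss: float    # EPSS probability of exploitation within 30 days, 0.0 to 1.0


# Constructed sample backlog: ids are placeholders, scores are illustrative.
BACKLOG = [
    Finding("VULN-A", cvss=9.8, epss=0.004),  # critical on paper, rarely exploited
    Finding("VULN-B", cvss=6.5, epss=0.910),  # medium on paper, actively exploited
    Finding("VULN-C", cvss=7.5, epss=0.120),
    Finding("VULN-D", cvss=4.3, epss=0.002),
    Finding("VULN-E", cvss=8.1, epss=0.350),
]

# Assumed thresholds (not taken from the Talos guidance); tune to local risk appetite.
EPSS_HIGH = 0.10   # at least a 10 % chance of exploitation in the next 30 days
CVSS_HIGH = 7.0    # "High" or "Critical" in CVSS terms


def rank_by_cvss(findings):
    """Legacy ordering: severity only, highest CVSS first."""
    return [f.vuln_id for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


def rank_by_epss(findings):
    """Threat-driven ordering: EPSS first, CVSS only breaks ties."""
    return [f.vuln_id for f in sorted(findings, key=lambda f: (f.epss, f.cvss), reverse=True)]


def triage_tier(f):
    """Map one finding to a remediation tier with EPSS as the primary signal."""
    if f.epss >= EPSS_HIGH:
        return "patch-now"   # likely exploitation, whatever the CVSS says
    if f.cvss >= CVSS_HIGH:
        return "scheduled"   # severe but not currently being exploited
    return "deferred"        # low severity and low exploitation likelihood


def triage(findings):
    """Tier every finding in the backlog, keyed by its identifier."""
    return {f.vuln_id: triage_tier(f) for f in findings}


if __name__ == "__main__":
    print("CVSS-only queue :", rank_by_cvss(BACKLOG))
    print("EPSS-first queue:", rank_by_epss(BACKLOG))
    for vid, tier in triage(BACKLOG).items():
        print(f"{vid}: {tier}")
```

Note how VULN-B, a 6.5 by CVSS, moves from fourth to first once EPSS drives the queue, while the 9.8 VULN-A drops to a scheduled patch.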

Defenders should integrate EPSS and GCVE into their patch management tooling, update patch advisory review processes to include these metrics alongside CVSS, and educate stakeholders that lower CVSS scores do not necessarily mean lower priority. The challenge lies in adoption: many organisations lack the infrastructure to consume and act on multiple scoring systems, and legacy patch management workflows often default to CVSS thresholds.

This guidance reflects industry recognition that panic patching is counterproductive. However, adoption will remain uneven across enterprises until vulnerability scanning platforms, patch management solutions, and vulnerability databases make these alternative metrics readily available and actionable. The security teams most likely to benefit are those with mature threat intelligence programmes and sufficient staffing to implement more nuanced triage workflows.