
Why CVSS Scores Are Failing Developers — And What Works Instead

CVSS Was Never Designed for Real-World Attacks

Here’s an uncomfortable truth every developer and security professional needs to hear right now: CVSS vulnerability scoring is failing at its most fundamental task. It scores vulnerabilities in isolation while attackers chain them together. That’s not a flaw in the system—it’s a design mismatch that active exploitation campaigns are now exposing at scale.

What the Palo Alto Breach Tells Us

In November 2024, Operation Lunar Peek gave attackers unauthenticated remote admin access—and eventual root—across more than 13,000 exposed Palo Alto Networks management interfaces. Two CVEs made it possible: CVE-2024-0012 and CVE-2024-9474.

Here’s where CVSS broke down completely. Palo Alto Networks scored the pair 9.3 and 6.9 under CVSS v4.0. The NVD scored the same vulnerabilities 9.8 and 7.2 under CVSS v3.1. Two different scoring systems. Two completely different risk assessments. The 6.9 fell below most enterprise patch thresholds because admin access appeared required. The 9.3 sat queued for maintenance with the assumption that segmentation would hold.

Neither score communicated what happens when you chain them together. An authentication bypass upstream eliminates the prerequisite entirely. One CVE gets you in. The second CVE gets you root. Together, they’re a complete system compromise. Separately, they look manageable.

“Adversaries circumvent [severity ratings] by chaining vulnerabilities together,” Adam Meyers, SVP of Counter Adversary Operations at CrowdStrike, told VentureBeat in an exclusive interview. “They just had amnesia from 30 seconds before.”

Both CVEs now sit on the CISA Known Exploited Vulnerabilities catalog. Neither score flagged the kill chain. The triage logic consumed those scores as isolated inputs, and so did the SLA dashboards and board reports those dashboards feed. CVSS did exactly what it was designed to do—score one vulnerability at a time. The problem is that adversaries do not attack one vulnerability at a time.

The Five Triage Failures Exposing Your Systems

In 2025, 48,185 CVEs were disclosed—a 20.6% year-over-year increase. Jerry Gamblin, principal engineer at Cisco Threat Detection and Response, projects 70,135 for 2026. The infrastructure behind vulnerability scoring is buckling under that weight. NIST announced in April 2026 that CVE submissions have grown 263% since 2020, and the NVD will now prioritize enrichment for KEV and federal critical software only. These five failure classes are what CVSS was never designed to catch.

Chained CVEs and the Authentication Gap

The Palo Alto pair is the textbook case. The authentication bypass CVE-2024-0012 makes the privilege escalation CVE-2024-9474 immediately actionable—regardless of the latter’s individual score. Teams assessed each CVE independently, deprioritized the lower score, and queued the higher one for maintenance.

Run a co-resident audit on every KEV CVE in your environment this month. Flag any pair where one CVE provides authentication bypass and another enables privilege escalation. Score them as a combined critical regardless of individual CVSS ratings. If your current triage logic treats each CVE as an isolated event, your dashboards are showing false safety.

Nation-State Speed vs. Monthly Patch Cycles

The CrowdStrike 2026 Global Threat Report documents a 42% year-over-year increase in vulnerabilities exploited as zero-days before public disclosure. Average breakout time across observed intrusions: 29 minutes. The fastest observed breakout: 27 seconds.

China-nexus adversaries weaponize newly patched vulnerabilities within two to six days of disclosure. A KEV addition treated as a routine queue item on Tuesday becomes an active exploitation window by Thursday. “Before it was Patch Tuesday once a month. Now it’s patch every day, all the time. That’s what this new world looks like,” said Daniel Bernard, Chief Business Officer at CrowdStrike.

Weekly patch windows are now indefensible in board presentations. The data is clear: if your SLA for internet-facing systems extends beyond 72 hours, you’re operating in a threat model that ended two years ago.

What developers need to do differently

Chronis—former CISO of Paramount—moved beyond CVSS-first prioritization and reported reducing actionable critical and high-risk vulnerabilities by 90%. That’s not a marginal improvement. That’s a fundamental shift in triage philosophy. Here’s how to replicate it.

Run a Chain-Dependency Audit This Month

Start with every KEV-listed CVE in your environment. Flag any co-resident CVE scored 5.0 or above—the threshold where privilege escalation and lateral movement capabilities typically appear in CVSS vectors. Any pair that chains authentication bypass to privilege escalation gets triaged as critical regardless of individual scores.

This takes approximately two hours for most mid-size environments. The output fundamentally changes your risk posture. A CVE-2024-9474 scoring 6.9 becomes a critical immediate priority when CVE-2024-0012 exists on the same network segment. That’s the insight CVSS cannot communicate because it was never designed to.
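The audit described above, as an added example that is not code from the article: it walks a constructed inventory segment by segment, anchors on each KEV-listed CVE, flags co-resident CVEs scored 5.0 or above, and reports any authentication-bypass-to-privilege-escalation pair as a combined critical. The host and segment names, the `CVE-PLACEHOLDER-*` ids and the capability tags (`auth_bypass`, `priv_esc`) are constructed assumptions; the two real CVE ids carry the vendor CVSS v4.0 scores the article cites. The `triage` function shows the before/after the article talks about: CVE-2024-9474 stays a "medium" on a segment with no entry vector and becomes "critical" on the segment where CVE-2024-0012 is also present.

```python
"""Chain-dependency audit over a constructed asset inventory.

Added example, not code from the article. Host and segment names, the
CVE-PLACEHOLDER-* ids and the capability tags are constructed; the two real
CVE ids carry the vendor CVSS v4.0 scores the article cites.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    cve: str
    score: float             # CVSS base score as reported by the vendor
    capabilities: frozenset  # analyst-assigned tags for what the bug gives an attacker


# Constructed capability vocabulary assigned during enrichment.
AUTH_BYPASS = "auth_bypass"
PRIV_ESC = "priv_esc"
CO_RESIDENT_THRESHOLD = 5.0  # the article's cut-off for co-resident CVEs

VULNS = {
    "CVE-2024-0012": Vuln("CVE-2024-0012", 9.3, frozenset({AUTH_BYPASS})),
    "CVE-2024-9474": Vuln("CVE-2024-9474", 6.9, frozenset({PRIV_ESC})),
    "CVE-PLACEHOLDER-A": Vuln("CVE-PLACEHOLDER-A", 4.3, frozenset({PRIV_ESC})),  # below threshold
    "CVE-PLACEHOLDER-B": Vuln("CVE-PLACEHOLDER-B", 7.5, frozenset({"dos"})),     # no chain role
}
KEV = {"CVE-2024-0012", "CVE-2024-9474"}  # both on CISA's KEV list, per the article

# Constructed inventory: segment -> host -> CVEs detected on that host.
INVENTORY = {
    "dmz-mgmt": {
        "fw-mgmt-01": {"CVE-2024-0012"},
        "fw-mgmt-02": {"CVE-2024-9474", "CVE-PLACEHOLDER-B"},
    },
    "corp-lan": {
        "app-01": {"CVE-2024-9474"},  # privilege escalation with no entry vector on this segment
        "app-02": {"CVE-PLACEHOLDER-A"},
    },
}


@dataclass(frozen=True)
class Finding:
    segment: str
    entry_cve: str        # supplies the authentication bypass
    escalation_cve: str   # supplies privilege escalation once the bypass removes the auth precondition
    entry_score: float
    escalation_score: float
    combined: str = "CRITICAL"


def standalone_priority(score: float) -> str:
    """Score-only triage bucket with constructed, typical thresholds."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def chain_audit(inventory, vulns, kev):
    """For every KEV CVE on a segment, pair it with each co-resident CVE at or above
    the threshold; the pair is a finding when one side supplies auth bypass and the
    other privilege escalation. Co-residency is judged per segment, not per host,
    because the chain only needs network reachability between the two."""
    findings = set()
    for segment, hosts in inventory.items():
        present = set().union(*hosts.values())
        for anchor in present & kev:
            for other in present - {anchor}:
                if vulns[other].score < CO_RESIDENT_THRESHOLD:
                    continue
                for entry, esc in ((anchor, other), (other, anchor)):
                    if AUTH_BYPASS in vulns[entry].capabilities and PRIV_ESC in vulns[esc].capabilities:
                        findings.add(Finding(segment, entry, esc, vulns[entry].score, vulns[esc].score))
    return sorted(findings, key=lambda f: (f.segment, f.entry_cve, f.escalation_cve))


def triage(inventory, vulns, kev):
    """Priority per (segment, CVE): the score-only bucket, overridden to 'critical'
    for any CVE that takes part in a chain on that segment."""
    chained = set()
    for f in chain_audit(inventory, vulns, kev):
        chained.update({(f.segment, f.entry_cve), (f.segment, f.escalation_cve)})
    result = {}
    for segment, hosts in inventory.items():
        for cve in set().union(*hosts.values()):
            key = (segment, cve)
            result[key] = "critical" if key in chained else standalone_priority(vulns[cve].score)
    return result


if __name__ == "__main__":
    for f in chain_audit(INVENTORY, VULNS, KEV):
        print(f"{f.segment}: {f.entry_cve} ({f.entry_score}) -> {f.escalation_cve} ({f.escalation_score}) = {f.combined}")
    for (segment, cve), prio in sorted(triage(INVENTORY, VULNS, KEV).items()):
        print(f"{segment:10} {cve:18} {prio}")
```

Co-residency is evaluated per network segment rather than per host on purpose: the two bugs in the article lived on management interfaces that were reachable from each other, and a host-only view would miss exactly the pairing the audit exists to find. Feeding the script real data means replacing the constructed `VULNS`, `KEV` and `INVENTORY` with your enrichment feed, the CISA KEV catalog and your scanner output.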

Compress Critical SLAs to 72 Hours

For internet-facing systems, your patch SLA needs to shrink to 72 hours. This is not aspirational—it’s operational survival. CrowdStrike’s breakout data makes weekly patch windows indefensible.

Build this into your dev workflows by automating CVE enrichment data into your vulnerability management pipeline. Integrate KEV updates as automated tickets. Route them to the on-call responder immediately on publication. The days of manual triage for critical exposures are over—AI-accelerated discovery is already pushing volume beyond what human-only workflows can process.
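The workflow described in this section, as an added example that is not the article's or any vendor's code: it diffs two polls of a KEV feed, opens a ticket for the on-call responder for every newly listed CVE present on an asset, computes how long each asset has been exposed to each KEV-listed CVE, and checks that age against a 72-hour SLA for internet-facing systems. The 72-hour window comes from the article; the 14-day window for non-exposed assets, the feed entries, asset names, detection timestamps and the fixed `NOW` are constructed assumptions. The `board_metrics` output is the aging-KEV-exposure figure the article argues boards should be asking for.

```python
"""KEV aging, 72-hour SLA check and on-call ticket routing over a constructed inventory.

Added example, not code from the article. The KEV entries, asset names,
timestamps and the non-internet-facing SLA are constructed; 72 hours for
internet-facing systems is the SLA the article argues for.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

SLA_INTERNET_FACING = timedelta(hours=72)  # from the article
SLA_INTERNAL = timedelta(days=14)           # constructed assumption for non-exposed assets


@dataclass(frozen=True)
class KevEntry:
    cve: str
    date_added: datetime  # when the CVE was added to the KEV catalog (constructed values below)


@dataclass(frozen=True)
class Asset:
    name: str
    internet_facing: bool
    findings: dict  # cve -> datetime the scanner first detected it on this asset


@dataclass(frozen=True)
class Exposure:
    asset: str
    cve: str
    exposed_since: datetime
    age: timedelta
    sla: timedelta

    @property
    def breached(self) -> bool:
        return self.age > self.sla


# Constructed clock and data. NOW is fixed so the numbers are reproducible.
NOW = datetime(2026, 5, 1, 12, 0, tzinfo=timezone.utc)
PREVIOUS_FEED = [
    KevEntry("CVE-2024-0012", NOW - timedelta(days=5)),
    KevEntry("CVE-2024-9474", NOW - timedelta(days=5)),
]
FEED = PREVIOUS_FEED + [KevEntry("CVE-PLACEHOLDER-C", NOW - timedelta(days=1))]  # newly listed
ASSETS = [
    Asset("fw-mgmt-01", True, {
        "CVE-2024-0012": NOW - timedelta(days=10),  # detected long before KEV listing
        "CVE-2024-9474": NOW - timedelta(days=2),   # detected after listing
    }),
    Asset("app-01", False, {
        "CVE-PLACEHOLDER-C": NOW - timedelta(days=3),
        "CVE-PLACEHOLDER-D": NOW - timedelta(days=30),  # not on KEV, ignored by the aging metric
    }),
]


def kev_index(feed):
    return {e.cve: e.date_added for e in feed}


def exposures(assets, feed, now):
    """One Exposure per (asset, KEV CVE). The clock starts at the later of the KEV
    listing date and the first detection on the asset: before listing the CVE was
    tracked under ordinary scoring, so KEV aging is measured from listing."""
    kev = kev_index(feed)
    out = []
    for a in assets:
        for cve, first_seen in a.findings.items():
            if cve not in kev:
                continue
            since = max(kev[cve], first_seen)
            sla = SLA_INTERNET_FACING if a.internet_facing else SLA_INTERNAL
            out.append(Exposure(a.name, cve, since, now - since, sla))
    return out


def board_metrics(exps):
    """The numbers a board report should carry: count, breaches and oldest exposure
    for KEV-listed CVEs on internet-facing assets."""
    ext = [e for e in exps if e.sla == SLA_INTERNET_FACING]
    return {
        "internet_facing_kev_exposures": len(ext),
        "internet_facing_sla_breaches": sum(e.breached for e in ext),
        "oldest_internet_facing_kev_hours": max((e.age.total_seconds() / 3600 for e in ext), default=0.0),
    }


def new_kev_tickets(previous_feed, current_feed, assets):
    """Tickets to open on KEV publication: every CVE listed since the last poll that is
    present on at least one asset, routed to on-call, internet-facing assets first."""
    new = set(kev_index(current_feed)) - set(kev_index(previous_feed))
    tickets = []
    for a in sorted(assets, key=lambda a: not a.internet_facing):
        sla = SLA_INTERNET_FACING if a.internet_facing else SLA_INTERNAL
        for cve in sorted(new & set(a.findings)):
            tickets.append({"asset": a.name, "cve": cve, "assignee": "on-call",
                            "due_hours": int(sla.total_seconds() // 3600)})
    return tickets


if __name__ == "__main__":
    for e in exposures(ASSETS, FEED, NOW):
        status = "BREACH" if e.breached else "ok"
        print(f"{e.asset:12} {e.cve:18} age={e.age.total_seconds() / 3600:6.1f}h sla={e.sla} {status}")
    print(board_metrics(exposures(ASSETS, FEED, NOW)))
    print(new_kev_tickets(PREVIOUS_FEED, FEED, ASSETS))
```

Run against a real KEV poll, `PREVIOUS_FEED` is whatever you stored at the last fetch and `FEED` is the current catalog; the ticket list is what gets pushed to the on-call queue, and the `board_metrics` dictionary is the one line that replaces "what's our highest CVSS?" in the monthly report.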

Where This Goes Next (3-Month to 2-Year Outlook)

Short-Term: Pipeline Breaking Points

Here’s what’s coming: 70,000+ CVEs in 2026. NVD enrichment already collapsing for non-KEV submissions. Security teams losing visibility into enrichment context they previously relied upon.

Anthropic’s Claude Mythos Preview demonstrated autonomous vulnerability discovery, finding a 27-year-old signed integer overflow in OpenBSD’s TCP SACK implementation across roughly 1,000 scaffold runs at a total compute cost under $20,000. If frontier AI drives a 10x volume increase—which Meyers projects is likely—the result is approximately 480,000 CVEs annually. Pipelines built for 48,000 break at 70,000 and collapse at 480,000.

CrowdStrike launched Project QuiltWorks in April 2026—a remediation coalition with Accenture, EY, IBM Cybersecurity Services, Kroll, and OpenAI formed specifically to address vulnerability volume that frontier AI models are now generating. When five major firms build a coalition around a pipeline problem, the market is signaling what individual organizations cannot solve alone.

Longer-Term: Beyond CVSS-First Prioritization

Chris Gibson, executive director of FIRST, has been direct: using CVSS base scores alone for prioritization is “the least apt and accurate” method. FIRST’s own EPSS (Exploit Prediction Scoring System) and CISA’s SSVC (Stakeholder Specific Vulnerability Categorization) decision model add exploitation probability and decision-tree logic.

Within 18 months, board-level metrics will shift from CVSS scores to aging KEV exposure. The question will no longer be “what’s our highest CVSS?” It will be “how long have we been exposed to a KEV-listed vulnerability on an internet-facing system?” That silence is the vulnerability. Metrics that track everything except aging KEV exposure are hiding the risk that adversaries actually exploit.

The shift is already beginning. Organizations that run chain-dependency audits, compress critical SLAs to 72 hours, and build KEV aging reports into their board metrics will be positioned to survive the volume surge. Everyone else is relying on a scoring system designed for a threat landscape that ended in 2024.
