Cybersecurity CVE CVSS Vulnerability Management

Do you need to Fix all high and critical CVEs?

Pallavi Vishwakarma

Member of Technical Staff

Jan 18 2023

3 min reading

Do you need to Fix all high and critical CVEs?
Image by yunaranyancat

Current situation of patching vulnerabilities by organizations:


Understanding how to control the cost of managing and preserving their information assets and business processes is a crucial challenge for many modern organizations. Adopting a vulnerability management methodology that can identify and fix known vulnerabilities is a key element of this difficulty. 


Unfortunately, there haven't been many improvements in remediation procedures despite decades of research and technological advancements. Firms struggle to establish and implement a remediation strategy that will best patch those vulnerabilities that represent the greatest risk while also deprioritizing those vulnerabilities that pose the lowest risk because they will always have more exposed vulnerabilities than resources to address them.


Why organization should rethink fixing CVEs first which are marked as high and critical?


According to a study by Kennasecurity “Even though 20% of published CVEs have a clear threat (either actively exploited in the wild or a published exploit exists), only about 5% of them represent real risk right now for most firms.” 


From this you can understand that even though the CVE is marked under the critical section may not posses any risk in your environment. Organizations should risk-rate the CVEs based on their own environment and business concerns to assist make patch administration effective. 


Severity/CVSS is merely one input. The environment is what matters most to make context-aware decisions, exposing serious issues among a stack of vulnerabilities (e.g., business criticality of the impacted asset, type of data managed, net exposure, threat actors actively exploiting the vuln). You are obliged to make blind decisions and adopt a wasteful approach if you don't understand (or evaluate) the surroundings.


How an organization can patch vulnerabilities that are currently totally dependent on the CVSS approach?

As an organization that is using the CVSS score to prioritize its vulnerability you already know many vulnerabilities are daily assigned under the critical section and what amount of workload you have fixing all these vulnerabilities. So, instead of just focusing on your CVSS score you can try this approach to prioritize your vulnerability:

  • A risk score should be assigned to each asset. Numerous attributes are used to calculate this. Examples of this include the location (DMZ, corp, hr, dev), the type of data held (pii, cc, etc.), and revenue-generating vs not.
  • A score is assigned to each attribute. In general, risk increases as a score does. Then you add the CVSS to that number. Each vuln has a score that connects it to the asset.
  • Now you can prioritize your vulnerabilities by their value.

What are the alternatives?


Technical investigation:


While this takes time, it can offer you a much clearer picture of the risk posed by a CVE by having your developers validate whether or not any impacted classes are affected and, if so, what the implications may be.


Use the Exploit Prediction Scoring System:


This freely-available data set rates the "all other things equal" likelihood of exploitation for a range of CVEs. And also the EPSS scoring system reduces the 85% of efforts of the security team compared to the CVSS scoring system while obtaining the same result. You can use the EPSS calculator to calculate the vulnerability risks.


Consider purchasing a commercial tool to prioritize vulnerabilities:


With regard to your particular business or network context, proprietary technologies may have access to more or more up-to-date data and can assist you in identifying hazards more effectively. However, strategies typically only address the possibility of exploitation and not impact.


Final thoughts


Vulnerability management is not all about patching. it's about providing data to the right people to allow them to decide their priorities and in some cases point out the obvious things like "what's causing or allowing vulnerabilities on to the estate" but every firm is unique, so a universal solution does not apply.


That’s why we are saying you shouldn’t stop fixing all high and critical vulnerabilities but you must not mandate fixing all of them.



SecOps Solution is an agent-less Risk-based Vulnerability Management Platform that helps organizations identify, prioritize and remediate security vulnerabilities and misconfigurations in seconds.


To schedule a demo, drop us a note at


View SecOps Solution in action

Sign up for a personalized one-on-one walk-through.