
Why Your Vulnerability Management Strategy is Likely Broken
We closed out 2025 with 49,972 new Common Vulnerabilities and Exposures (CVEs), up 23% from 2024. Only about 245 of them actually mattered: 0.5% of all CVEs published that year.
In the world of cybersecurity, 2025 was a significant year of vulnerabilities. Security researchers worked overtime, and vendors disclosed flaws faster than ever before.
But here is the reality check that should keep every CISO awake at night: out of those nearly 50,000 vulnerabilities, only 245 actually made it onto CISA’s Known Exploited Vulnerabilities (KEV) catalog.
That number is likely conservative: VulnCheck's honeypot data suggests the real count of exploited flaws is 2-3x higher. The signal is still clear. We are drowning in noise, and the traditional way we prioritize security patches is failing.
The CVSS Myth: Why “Critical” Doesn’t Always Mean “Dangerous”
For years, the Common Vulnerability Scoring System (CVSS) has been the gold standard for prioritization. If it’s a 9.0 or 10.0, you patch it first.
The data shows that CVSS alone is insufficient:
- The Critical Failure: In 2025, 4,089 vulnerabilities were rated "CRITICAL," yet only 69 of them (1.7%) were actually exploited.
- The Hidden Dangers: 77 "HIGH" severity vulnerabilities were exploited, more than the number of exploited criticals.
- The False Alarms: Nearly 20,000 vulnerabilities carry a CVSS score of 9.0 or higher but an Exploit Prediction Scoring System (EPSS) probability of exploitation below 1%.
Additional examples include:
- CVE-2024-55550 (Mitel MiCollab) had a CVSS of 2.7, rated LOW. Most vulnerability scanners would deprioritize it, yet it was actively used in ransomware attacks and made CISA's KEV list.
- CVE-2025-0282 (Ivanti Connect Secure) had a CVSS of 9.0 and an EPSS of 94%. It hit KEV the same day it was disclosed. Ransomware operators had working exploits within hours.
CVSS-only prioritization would ignore the first and bury the second among 4,000 other "criticals" competing for attention.
This is why a more nuanced approach to vulnerability prioritization is required: one that separates real-world risk from theoretical severity.
Consider this: if your team is blindly chasing every CVSS 10, it is likely ignoring the 6,235 medium-severity vulnerabilities that have a greater than 10% exploitation probability and an average EPSS (Exploit Prediction Scoring System) score of 32%. These are the vulnerabilities that fly under the radar until they become the entry point for a breach.
The Real Signal: KEV-listed vulnerabilities average a 56% EPSS, while non-KEV vulnerabilities average just 3.3%. That is a 17x difference in risk. If you aren't using EPSS and KEV data, you aren't managing risk; you're managing noise.
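Here is the ranking logic this section argues for, as an added example in Python (not code from the post or from WiseBee): KEV membership comes first, then EPSS above a threshold, and CVSS only decides what is left. The CVSS, EPSS and KEV facts for the two real CVEs are the ones stated above; the EPSS value for the Mitel bug, the two EXAMPLE-* entries, the ransomware flags and the 10% EPSS threshold are assumptions made for illustration.

```python
from dataclasses import dataclass

# Thresholds are this example's assumptions, not figures from the post.
EPSS_HOT = 0.10    # EPSS probability above which a non-KEV finding jumps the queue
CVSS_CRIT = 9.0    # CVSS only matters below this point as a tie-breaker


@dataclass(frozen=True)
class Finding:
    cve: str
    cvss: float
    epss: float              # 0..1, from https://api.first.org/data/v1/epss
    in_kev: bool             # present in CISA's known_exploited_vulnerabilities.json
    ransomware: bool = False  # KEV field knownRansomwareCampaignUse == "Known"


def tier(f: Finding) -> int:
    """Lower is more urgent. Anything in KEV beats any CVSS score."""
    if f.in_kev:
        return 0 if f.ransomware else 1
    if f.epss >= EPSS_HOT:
        return 2
    if f.cvss >= CVSS_CRIT:
        return 3
    return 4


def prioritize(findings):
    """Sort by tier; inside a tier, higher EPSS then higher CVSS goes first."""
    return sorted(findings, key=lambda f: (tier(f), -f.epss, -f.cvss))


def cvss_only_order(findings):
    """The legacy ordering the post criticizes: highest CVSS first."""
    return [f.cve for f in sorted(findings, key=lambda f: -f.cvss)]


def risk_order(findings):
    return [f.cve for f in prioritize(findings)]


# Constructed sample. CVSS/KEV for the two real CVEs and the 94% EPSS for the Ivanti
# bug come from the post; the Mitel EPSS and both EXAMPLE-* findings are invented.
SAMPLE = [
    Finding("CVE-2024-55550", cvss=2.7, epss=0.05, in_kev=True, ransomware=True),
    Finding("CVE-2025-0282", cvss=9.0, epss=0.94, in_kev=True, ransomware=True),
    Finding("EXAMPLE-CRITICAL", cvss=9.8, epss=0.004, in_kev=False),  # loud but idle
    Finding("EXAMPLE-MEDIUM", cvss=5.3, epss=0.32, in_kev=False),     # quiet but live
]

if __name__ == "__main__":
    print("CVSS-only:", cvss_only_order(SAMPLE))
    print("KEV/EPSS :", risk_order(SAMPLE))
```

CVSS-only ordering puts the invented 9.8 first and the Mitel bug last; the KEV/EPSS ordering inverts that and lifts the 32%-EPSS medium above the idle critical. In production, pull EPSS from the FIRST API and the KEV flag from CISA's JSON feed, keep the thresholds tunable, and recompute daily, because EPSS scores move as exploit activity changes.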
The Seven-Day Squeeze: Attackers are Faster Than Your Change Management
The old 30-day patching cycle is officially dead. In 2025, speed became the primary differentiator between a secure organization and a vulnerable one.
Data from the KEV catalog reveals a brutal timeline:
- 40% of exploited vulnerabilities (97 of 245) were weaponized within 7 days of disclosure.
- 49 CVEs were exploited on the same day they were published or the day after.
- 48 more within the first week.
- 29 within the first month.
- 119 after 30 or more days.
But here is the part that should concern you most:
7 vulnerabilities were exploited before the National Vulnerability Database (NVD) had published a record for them.
True zero-days added to KEV in 2025, with how far ahead of CVE publication they landed:
- Android Framework — 6 days before CVE publication
- Apple Multiple Products — 2 days before
- SonicWall SMA1000 — 1 day before
- Google Chrome V8 — 1 day before
- N-able N-Central — 1 day before
These weren't theoretical risks. They were in KEV before NVD even had a record. Monthly patching cycles assume attackers need time to build exploits. They don't. For the vulnerabilities that matter, weaponization happens in hours, not weeks.
Why Old Bugs Still Matter
One of the most surprising trends of 2025 was the resurrection of legacy flaws. Attackers don’t care how “fresh” a bug is; they care if it works.
In August 2025, CISA added CVE-2007-0671, an 18-year-old Microsoft Office Excel bug, to the KEV list. It was joined by:
- 15-year-old bugs in Firefox and Internet Explorer.
- The 11-year-old GNU Bash "Shellshock" variant CVE-2014-6278.
Nearly a quarter of the vulnerabilities added to the KEV in 2025 were over a year old. This highlights a massive blind spot: legacy systems and unpatched “forgotten” infrastructure are still targets for modern attackers.
Your Perimeter is Under Siege
The "Edge" remained the primary battlefield in 2025. 23% of all KEV entries (56 of 245) targeted network edge devices. January 2025 opened with a wave of perimeter exploitation: Ivanti Connect Secure and Fortinet FortiOS flaws dropped within days of each other. Both had 94% EPSS. Both hit KEV the same day. Both had ransomware operators weaponizing them within hours.
The most targeted vendors included:
- Fortinet (8): FortiOS, FortiProxy, FortiWeb
- Cisco (8): Routers, firewalls, and IOS
- Ivanti (7): Connect Secure and Policy Secure
- SonicWall (5) & Citrix (5)
These devices are the “front door” of the enterprise. They often run specialized firmware that lags behind standard OS patching cycles. Threat actors like Sandworm, Volt Typhoon, and APT28 have built entire playbooks around these edge devices, maintaining arsenals of hundreds of specific CVEs. If you are not patching your perimeter infrastructure within days of a release, you are effectively leaving your organization exposed.
The 2025 Vendor Leaderboard
Who was targeted most in 2025? The list of KEV entries by vendor shows that attackers follow the market share:
- Microsoft: 39 vulnerabilities
- Apple: 9 vulnerabilities
- Fortinet & Cisco: 8 vulnerabilities each
- Ivanti, Google, & Linux: 7 vulnerabilities each
Furthermore, 24 of these KEV entries were documented as being used in ransomware attacks, with file transfer platforms and remote access tools remaining the top prizes for extortionists.
Moving Beyond the Noise: A New Strategy for 2026
You cannot patch all 50,000 vulnerabilities. It is operationally impossible. To survive the current threat landscape, organizations must shift their mindset:
- Ditch CVSS-Only Prioritization: Stop treating every "Critical" score as an emergency. Use EPSS scores and KEV status to identify what is actually being exploited in the wild.
- Accelerate the Edge: Perimeter devices need a separate, high-velocity patching track. Same-day or next-day patching should be the goal for firewalls and VPNs.
- Audit the "Unpatchable": Go back and look at your legacy systems. Those 10-year-old vulnerabilities you thought were "low risk" because the systems were internal are now prime targets for lateral movement.
- Automate Intelligence: You need tools that don't just find vulnerabilities but prioritize them based on real-world exploitation data.
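The timeline analysis in "The Seven-Day Squeeze" and the "Accelerate the Edge" track above both come down to date arithmetic on two feeds: NVD's `published` field and KEV's `dateAdded` field. The following is an added example in Python (not the post's or WiseBee's code) that reproduces the post's lag buckets, flags entries listed in KEV before NVD had a record, and assigns a patch deadline per asset class. The EXAMPLE-* identifiers and all dates are constructed; the same-day edge track is the post's recommendation, while the 7-day server and 30-day workstation windows are this example's assumptions.

```python
from collections import Counter
from datetime import date, timedelta

# Patch tracks in days counted from the KEV listing date. Same/next-day on the edge is
# the post's recommendation; the other two windows are assumptions for this example.
TRACK_SLA_DAYS = {"edge": 1, "server": 7, "workstation": 30}


def parse_record(cve_id: str, published: str, date_added: str):
    """Build a record from the ISO date strings found in the NVD and KEV JSON feeds."""
    return (cve_id, date.fromisoformat(published), date.fromisoformat(date_added))


def kev_lag_days(cve_published: date, kev_added: date) -> int:
    """Days from NVD publication to KEV listing. Negative means KEV had it before NVD."""
    return (kev_added - cve_published).days


def lag_bucket(lag: int) -> str:
    """Buckets matching the post's 2025 breakdown, with pre-disclosure split out."""
    if lag < 0:
        return "pre-disclosure"
    if lag <= 1:
        return "same/next day"
    if lag <= 7:
        return "within a week"
    if lag <= 30:
        return "within a month"
    return "30+ days"


def summarize(records):
    """Count records per bucket and return the share listed within 7 days of publication."""
    buckets = Counter(lag_bucket(kev_lag_days(pub, added)) for _, pub, added in records)
    fast = sum(buckets[b] for b in ("pre-disclosure", "same/next day", "within a week"))
    return buckets, fast / len(records)


def patch_due(kev_added: date, asset_class: str) -> date:
    """Internal deadline: KEV listing date plus the asset class's SLA."""
    return kev_added + timedelta(days=TRACK_SLA_DAYS[asset_class])


def is_overdue(kev_added: date, asset_class: str, today: date) -> bool:
    return today > patch_due(kev_added, asset_class)


# Constructed sample (id, NVD published, KEV dateAdded). IDs and dates are invented;
# the lags mirror the patterns the post describes (6 days early, same day, 18 years old).
SAMPLE = [
    parse_record("EXAMPLE-A", "2025-03-10", "2025-03-04"),  # in KEV 6 days before NVD
    parse_record("EXAMPLE-B", "2025-01-08", "2025-01-08"),  # same-day listing
    parse_record("EXAMPLE-C", "2025-02-01", "2025-02-05"),  # 4 days
    parse_record("EXAMPLE-D", "2025-04-01", "2025-04-20"),  # 19 days
    parse_record("EXAMPLE-E", "2007-02-02", "2025-08-05"),  # legacy bug resurfacing
]

if __name__ == "__main__":
    buckets, fast_share = summarize(SAMPLE)
    for bucket, n in buckets.items():
        print(f"{bucket:15} {n}")
    print(f"listed within 7 days of publication: {fast_share:.0%}")
    today = date(2025, 1, 10)
    _, _, added = SAMPLE[1]
    for cls in TRACK_SLA_DAYS:
        print(f"EXAMPLE-B on {cls}: overdue={is_overdue(added, cls, today)}")
```

The negative-lag check is the part worth wiring into alerting: a KEV entry whose CVE has no NVD record yet will not show up in a scanner that keys on NVD data, so it needs to be matched on vendor and product from the KEV feed instead. The per-class deadline is what turns "accelerate the edge" into something a ticketing system can enforce.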
At WiseBee, we are helping solve exactly this problem. We help security teams cut through the noise of 50,000 CVEs to find and fix the 245 that actually matter.
The data is clear: the attackers have already changed their strategy. It’s time you changed yours.
Try WiseBee to reduce risk within your organization.

About the Author
Nikita Mosievskiy is an AI Security Engineer at WiseBee, focused on building AI-driven security solutions.