Wednesday, June 17, 2026

CVSS is Dead. CISA Just Made It Official.

For years, vulnerability management has been reduced to a simple equation:

CVSS ≥ 9 = Drop everything and patch.

The problem is that attackers don’t think this way.

They care about what they can exploit today, at scale, against exposed assets.

With the introduction of BOD 26-04, CISA has formally moved away from a vulnerability prioritization model centered on severity scores and adopted a risk-based approach. The new directive prioritizes remediation based on four factors:

  • Is the asset internet accessible?
  • Is the vulnerability being actively exploited?
  • Can exploitation be automated?
  • What is the impact if exploitation succeeds?

In other words:

Risk = Exposure + Exploitability + Impact

not

Risk = CVSS score.

This change didn’t happen in a vacuum. CISA’s own data shows that only 26% of known exploited vulnerabilities were fully remediated in 2025, down from 38% the previous year, while the median remediation time increased to 43 days. At the same time, AI is reducing the cost and time required for attackers to discover and weaponize vulnerabilities.

The uncomfortable truth is that most organizations are overwhelmed by vulnerability backlogs. Security teams spend enormous effort patching thousands of “critical” findings while missing the small number of vulnerabilities that are actually being exploited.

Another important aspect of BOD 26-04 is the emphasis on assessing for compromise before patching. If a vulnerability has already been exploited and an attacker has established persistence, patching alone does not solve the problem. The first question for high-risk vulnerabilities should increasingly be:

Are we already compromised?

This is also a signal that vulnerability management, threat hunting, and incident response can no longer operate as independent functions.
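A small Python model of the four-factor triage described above, with the "are we already compromised?" step from the previous paragraph folded into the remediation plan, added here as an illustration (it is not from the article or from CISA). The tier boundaries, asset names and CVE placeholders are constructed assumptions, not the directive's Table 1 timelines.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    """One vulnerability on one asset. All sample values are constructed."""
    asset: str
    cve: str                  # placeholder identifiers, not real CVEs
    cvss: float
    internet_facing: bool     # factor 1: exposure
    actively_exploited: bool  # factor 2: e.g. present in a KEV-style catalog
    automatable: bool         # factor 3: exploitation can be scripted at scale
    total_impact: bool        # factor 4: adversary gains full control of the asset

def risk_tier(f: Finding) -> str:
    """Map the four BOD 26-04 factors to a tier. The boundaries are an
    illustrative assumption, not the directive's own Table 1."""
    if f.actively_exploited and f.internet_facing:
        return "act-now"
    if f.actively_exploited or (f.internet_facing and f.automatable and f.total_impact):
        return "urgent"
    if f.internet_facing or f.total_impact:
        return "scheduled"
    return "routine"

TIER_RANK = {"act-now": 0, "urgent": 1, "scheduled": 2, "routine": 3}

def remediation_plan(f: Finding) -> list[str]:
    """Exploited findings get a compromise assessment before the patch,
    since patching alone does not evict an attacker with persistence."""
    steps = []
    if f.actively_exploited:
        steps += ["hunt for indicators of compromise", "scope and contain if found"]
    steps.append("patch or mitigate")
    return steps

def prioritize(findings: list[Finding]) -> list[Finding]:
    """Risk tier decides the order; CVSS only breaks ties inside a tier."""
    return sorted(findings, key=lambda f: (TIER_RANK[risk_tier(f)], -f.cvss))

def by_cvss(findings: list[Finding]) -> list[Finding]:
    """The old model: highest base score first, regardless of exposure."""
    return sorted(findings, key=lambda f: -f.cvss)

# Constructed sample backlog: identifiers and scores are made up for illustration.
SAMPLE = [
    Finding("hr-db-01",  "CVE-XXXX-0001", 9.8, False, False, False, True),
    Finding("vpn-gw-01", "CVE-XXXX-0002", 7.2, True,  True,  True,  True),
    Finding("web-01",    "CVE-XXXX-0003", 8.1, True,  False, True,  True),
    Finding("dev-vm-07", "CVE-XXXX-0004", 9.1, False, False, True,  False),
]

if __name__ == "__main__":
    print("CVSS order:", [f.cve for f in by_cvss(SAMPLE)])
    print("Risk order:", [f.cve for f in prioritize(SAMPLE)])
    for f in prioritize(SAMPLE):
        print(f.asset, risk_tier(f), remediation_plan(f))
```

The 9.8 on an internal database drops to third place, while the 7.2 on the exposed, actively exploited VPN gateway moves to the top and picks up a compromise assessment before patching.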

For CISOs, there are some clear takeaways:

  • Stop measuring success solely by the number of Critical or High CVSS findings.
  • Prioritize internet-facing and actively exploited vulnerabilities.
  • Integrate threat intelligence and exploit intelligence into remediation decisions.
  • Build exposure management capabilities instead of relying on vulnerability counts.
  • Add compromise assessment and threat hunting to high-risk patching workflows.

This directive only applies to U.S. federal agencies, but the industry should pay close attention. Just as the KEV catalog became a de facto standard, risk-based remediation will likely become the new benchmark for mature security programs.

CVSS is not disappearing. It still provides a useful measure of technical severity.

But as the primary mechanism for deciding what gets patched first, its reign is effectively over.

The future of vulnerability management is not:

“Patch everything above 9.0.”

It’s:

“Patch what attackers can exploit and what can materially hurt the business.”

And that is a much better way to manage risk.

Appendix: Vulnerability Response Timeline

Federal agencies shall remediate vulnerabilities based on the timelines detailed in Table 1: Remediation Timelines.

Table 1: Remediation Timelines is informed by the SSVC system, which provides the cyber community with a vulnerability analysis methodology that accounts for a vulnerability’s exploitation status, impacts to safety, and prevalence of the affected product in a singular system.

Technical impact depicts how much post-exploitation control an adversary gains over the affected asset and is similar to the Common Vulnerability Scoring System (CVSS) base score’s concept of “severity.” When evaluating technical impact, the definition of scope is particularly important.

[Table 1: BOD 26-04 Remediation Timelines, and the accompanying remediation timeline graphic, were images not captured on this page.]

References:

  • https://www.cisa.gov/news-events/directives/bod-22-01-reducing-significant-risk-known-exploited-vulnerabilities-revoked