Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Tenable 博客



Why CVSS alone can't help you prioritize vulnerability remediation based on risk

Frameworks and standards for prioritizing vulnerability remediation continue to evolve, yet far too many organizations rely solely on CVSS as their de facto metric for exposure management. Here, we discuss other important frameworks and provide guidance on how Tenable can help.

A successful exposure management program requires having a strategy for prioritizing vulnerability remediation in the most efficient and effective manner possible. Given the number of CVEs published in the National Vulnerability Database (NVD) every year — over 20,000 in 2022 — and the fact that a number of those CVEs may require fixes in multiple products, it is not feasible for security and IT teams to fix everything.

Unfortunately, until recently the frameworks and standards used in the industry to help identify and prioritize which vulnerabilities to fix first have either failed entirely or fallen short. There are many factors that could be considered for determining what makes one vulnerability more important to remediate than another, and every organization will have their own unique requirements and expectations. Yet, in every case there are three foundational elements that should be considered in order to take a risk-informed approach to vulnerability management. These elements are:

  • Impact: What is the impact to the affected application or system, as well as the organization, if the vulnerability is successfully exploited? Understanding the impact any given vulnerability can have in your particular organization is critical to prioritizing which ones to fix first.
  • Likelihood of exploitation: Not all vulnerabilities are created equally and some are easier to exploit than others. Many attackers will aim for the lowest hanging fruit, so understanding which vulnerabilities are actually feasibly exploitable or are being actively exploited is critical.
  • Asset value: Attackers look for assets with the highest value. For example, compromising a dev system that doesn’t have anything of value on it may provide a foothold but it isn’t going to be as interesting a target as compromising the domain controller or a company’s enterprise resource planning (ERP) system. Within the complex systems and environments with which businesses operate today, asset value is not always as simple as figuring out whether the system itself is running critical software. The roles and permissions granted to the users of that system can be equally important when we consider asset value. Determining asset value requires having a comprehensive view of identity data as well.

Vulnerability management starts with CVSS

While not its intended use case, the Common Vulnerability Scoring System (CVSS) has, in many organizations, become the de facto means for prioritizing vulnerability remediation. This is largely due to the lack of any other usable scoring standard within the industry. CVSS was never intended to be a mechanism for prioritizing remediation based on actual risk, but rather is simply a measure of the impact a vulnerability would have post exploitation.

The CVSS standard has evolved since its inception, with CVSSv3 being the current standard. CVSSv3 was published in 2015 with an aim at addressing some of the significant shortcomings of CVSSv2, the biggest of which was identifying vulnerabilities that, post exploitation, could result in the compromise of resources outside of the scope of the original application. CVSSv3.1 was published a few years later, but it primarily addressed guidance on analysis rather than actual scoring deficiencies. While these improvements were welcome, CVSSv3 is still best used as a measure of severity rather than a measure of risk.

The CVSS base metrics are made up of two components — the exploitability metrics and the impact metric. The exploitability metrics describe aspects of a vulnerability that may make it easier or harder to exploit, such as whether authentication is required or whether exploitation requires tricking someone into taking an action. The impact metrics describe the post-exploitation impact broken down into confidentiality, integrity, and availability.

CVSS temporal metrics, an extension of the CVSS base vector, take a tiny step in the direction of capturing risk by incorporating an exploit maturity metric, but even this falls significantly short as it is only a measure of the most mature exploit ever made available for that vulnerability. As a result, likelihood of exploitation and asset value are missing in most organization’s risk-based prioritization processes.

CVSS also provides an environmental metric, which enables an organization to adjust CVSS scores based on characteristics specific to its environment. The environmental metric can make CVSS more useful for prioritization, but is difficult to implement at scale and is rarely used.

Another core issue with using CVSS as a prioritization mechanism is that the scoring system results in far too many High and Critical vulnerabilities for any organization to successfully remediate.

how to prioritize vulnerability remediation baed on risk - 1

原文:Tenable Research, January 2023

In 2022 there were over 20,000 CVEs published to NVD with 40% of them getting a high severity and over 17% getting a critical severity. In other words, more than half of all published CVEs in 2022 would have required near-immediate attention by any organization that bases its remediation service level agreements (SLAs) on CVSSv3 ratings. That isn’t sustainable. The core limitation of CVSS is that it does not take into account the risk of exploitation. Based on observable data, Tenable Research has evidence of either proof of concept availability or actual exploitation in only 15% of all CVEs published. When we focus even further on vulnerabilities for which we have evidence that the vulnerability has been exploited in the wild, the percentage drops to around 3% of all CVEs.

How the cybersecurity industry is evolving vulnerability prioritization

We’ve seen an evolution in vulnerability management frameworks over the last couple of years, with several efforts aimed at delivering risk-informed prioritization by incorporating exploitation likelihood context. Below, we explore two core frameworks: Exploit Prediction Scoring System (EPSS) and Stakeholder-Specific Vulnerability Categorization (SSVC) .


According to the Forum of Incident Response and Security Teams (FIRST), the Exploit Prediction Scoring System (EPSS) is “an open, data-driven effort for estimating the likelihood (probability) that a software vulnerability will be exploited in the wild.” The goal of EPSS is to enable defenders to better prioritize vulnerability remediation by leveraging current threat information from real-world exploit data. The model produces a probability score between 0 and 1 that represents the likelihood that a vulnerability will be exploited.

EPSS is primarily focused on overcoming the fact that CVSS does not provide any measurement on exploitation risk. Unfortunately, EPSS does not provide any guidance on the impact of exploitation or the importance of the asset that is vulnerable, so on its own it is not sufficient for making well informed decisions around risk-informed prioritization.


Stakeholder-Specific Vulnerability Categorization (SSVC) is a vulnerability analysis methodology developed by Carnegie Mellon Univeristy’s Software Engineering Institute in collaboration with the U.S. Cybersecurity and Infrastructure Security Agency (CISA). According to CISA, the core SSVC methodology looks at a vulnerability’s exploitation status, impacts to safety and prevalence of the affected product. Another important aspect of SSVC is that it is designed to be a customizable decision tree geared towards a company’s prioritization requirements.


CISA recently published a guide based on its implementation of SSVC. The CISA SSVC decision tree looks at five values:

  • Exploitation status: This determines the current state of exploitation of a vulnerability based on information available at the time of analysis.
  • Technical impact: Technical impact is similar to the CVSS base score’s concept of severity.
  • Automatable: Automatable represents the ease and speed with which an exploit can propagate.
  • Mission prevalence: Mision prevalence represents how critical an application or asset is to an organization’s function. An important distinction from the original SSVC framework is that mission prevalence is not simply a count of affected instances.
  • Public well-being impact: This looks at the impact of an affected system compromise on humans.

According to the CISA guide, prioritization uses these five values to reach one of four possible decisions:

  • Track: The vulnerability does not require action at this time. The organization would continue to track the vulnerability and reassess it if new information becomes available. CISA recommends remediating Track vulnerabilities within standard update timelines.
  • Track*: The vulnerability contains specific characteristics that may require closer monitoring for changes. CISA recommends remediating Track* vulnerabilities within standard update timelines.
  • Attend: The vulnerability requires attention from the organization's internal, supervisory-level individuals. Necessary actions include requesting assistance or information about the vulnerability, and may involve publishing a notification either internally and/or externally. CISA recommends remediating Attend vulnerabilities sooner than standard update timelines.
  • Act: The vulnerability requires attention from the organization's internal, supervisory-level and leadership-level individuals. Necessary actions include requesting assistance or information about the vulnerability, as well as publishing a notification either internally and/or externally. Typically, internal groups would meet to determine the overall response and then execute agreed upon actions. CISA recommends remediating Act vulnerabilities as soon as possible.

One glaring issue here is that the phrase “standard update timelines” is not well defined in the guide. If the intent is that “standard update timelines” are whatever existing SLAs an organization has, these are typically based on CVSS metrics and can be very tight for anything that is rated a Critical vulnerability. On the other end of the spectrum, if the phrase is treated as “whenever the business would usually get around to patching the software” this could create a lack of clarity on priority or a growing list of vulnerabilities that will never be patched.

SSVC is designed to deliver on all of the foundational elements — impact, likelihood of exploitation and mission criticality for the asset. Additionally, SSVC by design, is customizable so organizations can tweak the decision tree to fit their needs. While SSVC is a significant step forward as a useful framework for risk based prioritization, many organizations will face barriers, some of them significant, in operationalizing the framework. Gaining access to reliable and accurate threat intelligence, having a strong understanding of asset context for all assets, including identity and cloud, and developing a system for performing the analysis and prioritization at scale require a high degree of maturity and significant investment.

Risk-informed prioritization with Tenable

Since 2018, Tenable has provided a number of capabilities that deliver on the concept of risk-informed prioritization. We have vulnerability and asset scores that not only deliver on the foundational measurements of vulnerability impact, likelihood of exploitation, and asset criticality but do so in a scalable way without requiring customers to maintain complex data tracking systems. Additionally, we have several reports and dashboards that bring focus to the most effective actions that customers can take to reduce risk across their assets. These capabilities, which are incorporated into the Tenable One Exposure Management Platform, include:


Tenable’s vulnerability priority rating (VPR) can help users prioritize vulnerability remediation by assigning a rating based on two core components: technical impact and threat. VPR uses the CVSSv3 impact subscore to measure the technical impact on confidentiality, integrity and availability following exploitation of a vulnerability. Added to the technical impact is a threat component that reflects both recent and potential future threat activity against a vulnerability. This is critical, as it means that the risk associated with a vulnerability will evolve as the threat landscape evolves, ensuring that companies focus on the most important vulnerabilities of today rather than on an ever-growing list of vulnerabilities that have been exploited in the past.

Asset criticality rating

Tenable’s asset criticality rating (ACR) represents an asset’s relative risk as an integer from 1 to 10, with a higher ACR value indicating greater risk. ACR is reflective of an asset’s risk based on measurements such as location on your network and proximity to the internet, device type and device capabilities. ACR can help users ensure that those devices which are likely to have the highest impact on business function are prioritized for remediation.

Recommended actions

Tenable’s recommended actions capability identifies the set of remediations a user can apply in order to have the greatest impact on reducing cyber risk with the smallest number ofactions. This aggregates findings based on supersedence chains to show the top level patch, rather than a series of patches, to apply for a given product, and then calculates risk reduction against the aggregated vulnerability risk ratings and asset criticality. Taking these actions helps companies recognize risk-informed prioritization at larger scales without having to perform significant manual analysis of a wide range of vulnerabilities and assets.


Going beyond the core fundamentals of understanding vulnerability risk and asset criticality, a new capability in Tenable One, Attack Path Analysis, allows users to better understand the attack paths that are present within their infrastructure. Users can further focus their prioritization efforts on the vulnerabilities that exist within a critical chain that would be of particular interest for an attacker. These attack paths are likely avenues that an attacker would leverage to gain access to a company’s most critical resources in a real world attack and, thus, are critical to prioritize for remediation.

Bringing it all together

Customers can leverage this data in a number of different ways depending on the Tenable products they are using.

Tenable One

Tenable One customers are able to leverage our full suite of tools, including Tenable.io, Tenable.cs, Tenable.ad and Attack Path Analysis to get a complete picture of their environment, going beyond just traditional vulnerability management assets. The asset overview feature in Tenable One allows users to see all of their assets and their associated Asset Exposure Score — a score that combines both VPR and ACR to create a risk score for a given asset (see example below).

how to prioritize vulnerability remediation baed on risk - 2

原文:Tenable Research, January 2023

As discussed previously, the recommended actions view enables organizations to identify a set of actions that will maximize risk reduction (see example below).

how to prioritize vulnerability remediation baed on risk - 3

原文:Tenable Research, January 2023

Tenable.sc provides an ACR summary dashboard (https://www.tenable.com/sc-dashboards/acr-summary) which includes a component ACR Summary - Highlighted Patches (VPR and ACR 7-10). These are going to be the assets and vulnerabilities that have high risk of exploitation, high technical impact, and represent an asset that is a high risk.

how to prioritize vulnerability remediation baed on risk - 4

原文:Tenable Research, January 2023

Tenable.sc and Tenable Lumin

Tenable.sc and Tenable Lumin customers can also leverage the solutions and recommended actions views, respectively, to determine the fixes they can apply that will achieve the highest risk reduction in the most efficient manner possible. These views enable risk reduction that takes into account the number of hosts affected, the number of vulnerabilities that would be remediated and the highest VPR score for the vulnerabilities that would be remediated.


Developing an exposure management program requires taking a risk-informed approach to vulnerability remediation that goes well beyond CVSS metrics. No one solution is right for every organization. While we have seen positive steps in industry frameworks over the last couple of years, there are still a number of hurdles to overcome. Whether you’re ready to kick off an exposure management program or are simply looking to embrace a more risk-informed approach to vulnerability remediation, Tenable has several solutions that provide mature and scalable capabilities.




输入您的电子邮件以在收件箱中接收最新的 Cyber Exposure 警报。



Tenable.io Vulnerability Management 试用版还包括 Tenable Lumin、Tenable.io Web Application Scanning 和 Tenable.cs Cloud Security。

tenable.io 购买

可全面访问基于云的现代化漏洞管理平台,从而以无可比拟的精确度发现并追踪所有资产。 立即购买年度订阅。

65 项资产



免费试用 Nessus Professional

免费试用 7 天

Nessus® 是当今市场上功能最全面的漏洞扫描器。

新产品 - Nessus Expert 现已推出

Nessus Expert 添加了更多功能,包括外部攻击面扫描,以及添加域和扫描云基础设施的功能。单击此处试用 Nessus Expert。

填写下表可继续试用 Nessus Professional。

购买 Nessus Professional

Nessus® 是当今市场上功能最全面的漏洞扫描器。Nessus Professional 可帮助自动化漏洞扫描流程、节省合规周期的时间,并让您调动起 IT 团队的积极性。

购买多年期许可,即享优惠价格添加高级支持功能,获取一年 365 天、一天 24 小时的电话、社区和聊天支持。






Tenable.io Vulnerability Management 试用版还包括 Tenable Lumin、Tenable.io Web Application Scanning 和 Tenable.cs Cloud Security。

Tenable.io 购买

可全面访问基于云的现代化漏洞管理平台,从而以无可比拟的精确度发现并追踪所有资产。 立即购买年度订阅。

65 项资产



试用 Tenable.io Web Application Scanning

完整享有专为现代化应用程序而设、属于 Tenable.io 平台组成部分的最新 Web 应用程序扫描功能。可安全扫描全部在线资产组合的漏洞,具有高度准确性,而且无需繁重的手动操作或中断关键的 Web 应用程序。 立即注册。

Tenable Web Application Scanning 试用版还包括 Tenable.io Vulnerability Management、Tenable Lumin 和 Tenable.cs Cloud Security。

购买 Tenable.io Web Application Scanning

可全面访问基于云的现代化漏洞管理平台,从而以无可比拟的精确度发现并追踪所有资产。 立即购买年度订阅。

5 个 FQDN



试用 Tenable.io Container Security

完整获得已集成至漏洞管理平台之唯一容器安全产品的功能。监控容器映像中的漏洞、恶意软件和策略违规。与持续集成和持续部署 (CI/CD) 系统进行整合,以支持 DevOps 实践、增强安全性并支持企业政策合规。

购买 Tenable.io Container Security

Tenable.io Container Security 经由与构建流程的集成,可供全面了解容器映像的安全性,包括漏洞、恶意软件和策略违规,借以无缝且安全地启用 DevOps 流程。

试用 Tenable Lumin

通过 Tenable Lumin 直观呈现及探索 Cyber Exposure,长期追踪风险降低状况,并比照同行业者进行基准度量。

Tenable Lumin 试用版还包括 Tenable.io Vulnerability Management、Tenable.io Web Application Scanning 和 Tenable.cs Cloud Security。

购买 Tenable Lumin

联系销售代表,了解 Lumin 如何帮助获取整个企业的洞见并管理网络安全风险。

试用 Tenable.cs


Tenable.cs Cloud Security 试用版还包括 Tenable.io Vulnerability Management、Tenable Lumin 和 Tenable.io Web Application Scanning。

联系销售代表购买 Tenable.cs

联系销售代表,了解有关 Tenable.cs 云安全的更多信息,并了解如何轻松加入您的云帐户,并在几分钟内获得云错误配置和漏洞的可见性。

免费试用 Nessus Expert

免费试用 7 天

Nessus Expert 针对现代攻击面而量身打造,可以查看更多信息,保护企业免遭从 IT 到云中漏洞的攻击。

已经有 Nessus Professional?
免费升级到 Nessus Expert 7 天。

购买 Nessus Expert

Nessus Expert 针对现代攻击面而量身打造,可以查看更多信息,保护企业免遭从 IT 到云中漏洞的攻击。