When new Common Vulnerabilities and Exposures (CVE) are disclosed in popular software, it is usually a race by security teams to determine the impact to their attack surface before attackers weaponize an exploit and use against a vulnerable endpoint. As this impact analysis can be extremely time-consuming, our customers rely on our attack surface management (ASM) managed service to handle the heavy lifting when it comes to analysis of new CVEs via threat intelligence, asset identification, fingerprinting, exploit development, and exploitation.

If our team determines a CVE meets our reporting threshold and impacts customer attack surfaces, it is classified as an emerging threat (ET), and workflows are executed to notify customers of any affected assets. As we’ve evolved this program since 2019, we found that ET execution requires an accelerated pace compared to our normal investigative workflow, and a head start on situational awareness for high profile CVEs is essential for success.

Given the sheer number of newly disclosed CVEs (nearly 40,000 in 2024), we found that any strategy to distill these down to an actionable list could greatly improve our reaction time and the speed at which we notify our customers. Out of this need, the Threat Enablement and Analysis (TEA) team was formed and tasked with monitoring the constant flow of newly disclosed CVEs – assigning priority to each and determining impact to our customer attack surfaces.

Why CVSS Isn't Enough

The Common Vulnerability Scoring System (CVSS) is the de facto standard used to rate the severity of vulnerabilities, and while it can be a helpful part of prioritization for ETs, it doesn't tell the whole story. There tends to be other attributes that are vital to real world risk that aren't necessarily captured by CVSS.

For example, an unauthenticated RCE in a web application technology with zero instances exposed externally to the internet could have a CVSS of 9.9, but considering its use is not widespread, the chance that customers would be affected is nonexistent. Another typical ‘gotcha’ we see often is a CVE with a high CVSS in common software which requires a specific non-default configuration, eliminating the actual likelihood of a vulnerable instance which meets the necessary prerequisites for exploitation. To account for these situations, TEA developed a system of prioritization based on attributes that give a more holistic view of real-world impact.

TEA-er’d Prioritization

To distinguish the signal from noise, our team designed a tiered scoring system (1-3) that leverages different attributes to rank CVEs by importance. Using this system, we're able to immediately rule out certain CVEs based on disqualifying attributes, while elevating priority for CVEs with attributes that we've determined reflect real-world impact to our customers.

• Tier 1 (Critical Threat) - Imminent impact to customer attack surfaces.
• Tier 2 (Probable Threat) - Potential impact to customer attack surfaces.
• Tier 3 (Low Threat )- Unlikely impact to customer attack surfaces.

Filtering the Noise

As the ASM service aims to simulate real-world adversaries, we found that certain CVEs can be excluded from our ET prioritization process based on what we know of attacks commonly weaponized for mass exploitation. Generally, attackers gravitate towards easily exploitable CVEs that land them on systems or provide access to sensitive data. The following attributes are less appealing to attackers as they add unnecessary friction to ease of exploitation.

• Authentication required
• User Interaction required
• Denial-of-Service vulnerabilities
• Local vulnerabilities (prior access required)

Distilling the Signal

After making the necessary exclusions, we compare newly disclosed CVEs against the following key attributes which enable our team to identify ETs that are likely to impact our customers. Depending on which of these attributes is or is not relevant to the CVE determines the tier and subsequent urgency of each ET workflow.

• Common in enterprise
• Code Execution / Privileged Access / Significant Information Disclosure
• Exploited in the wild (KEV)
• Public Proof of Concept available
• Default configuration

Deprioritizing Overhyped, Low-impact CVEs

We often see newly disclosed CVEs gain high visibility and hype via social media, blog posts, and news sites, but aren't necessarily as serious as originally perceived. While situational awareness is important to track threats as new information develops, without a reliable methodology for prioritization, security teams waste valuable time and resources chasing down potential threats that have little to no impact.

Below are some notable examples of this.

• CVE-2025-24813 – A remote code execution (RCE) vulnerability affecting Apache Tomcat was widely reported but found to only affect applications where specific non-default settings were misconfigured, greatly reducing vulnerable instances.
• CVE-2024-47176 – An RCE affecting the CUPS print service gained media attention, but as details were revealed about exploitation, it became clear that the vulnerable service was not installed by default on Unix distributions and default configurations limited remote access to the vulnerable service's default port.
• CVE-2024-53677 – An RCE vulnerability affecting Apache Struts gained widespread attention, but given the custom nature of Struts applications, vulnerable file upload functionality was not easily identified and/or exploitable.

When the above CVEs were disclosed, the TEA team leveraged our tiered prioritization process by mapping them to our key ET attributes, and found all fell in the tier 3 – Low Threat category, as shown below. 

Prioritizing High-Profile, Critical-Impact CVEs

Alternatively, there are newly disclosed CVEs which gain media attention and hype that is absolutely warranted. These are the CVEs which map to all the ET key attributes, and require the quickest response, as they are ideal candidates for mass-scanning and exploitation. The following are examples of ETs in recent years that had wide reach, high impact, and minimal effort for exploitation.

• CVE-2024-24919 – An arbitrary file read vulnerability affecting Check Point security gateway devices gained significant attention when reports of in-the-wild exploitation had been observed leading to credential compromise and lateral movement within networks.
• CVE-2024-23897 – An arbitrary file read vulnerability affecting Jenkins CLI command parser that could allow attackers to read files and, in some cases, obtain remote command execution (RCE).
• CVE-2023-3519 – An RCE vulnerability affecting NetScaler (formerly Citrix) ADC and NetScaler Gateway which was used in mass exploitation campaigns shortly after disclosure.

The above CVEs were mapped to our key ET attributes and determined to fall within the tier 1 – Critical Threat category, as shown below.

From Signal to Actionable Intelligence

With thousands of CVEs disclosed each year, it is easy to feel overwhelmed when trying to identify which ones truly matter. If we leverage an effective prioritization process, suddenly the seemingly insurmountable task of combing through these CVEs becomes attainable.

Although it can be easy to get caught up in inflated CVSS scores and security theater, a focus on attributes proven to determine real-world impact can be vital to cutting through the noise. This strategy enables a shift from a reactive, frantic mindset to a deliberate, informed approach – one that reduces risk more effectively by aligning focus with actual threats.