Skip to main content
News Directory 3
  • Business
  • Entertainment
  • Health
  • News
  • Sports
  • Tech
  • World
Menu
  • Business
  • Entertainment
  • Health
  • News
  • Sports
  • Tech
  • World
Why CVSS Scores Miss Real-World Threats: Fixing Triage Failures in the AI Era - News Directory 3

Why CVSS Scores Miss Real-World Threats: Fixing Triage Failures in the AI Era

April 25, 2026 Lisa Park Tech
News Context
At a glance
  • The recent exploitation of two vulnerabilities in Palo Alto Networks systems, which together granted attackers unauthenticated remote admin access and eventual root control over more than 13,000 exposed...
  • During Operation Lunar Peek in November 2024, attackers leveraged CVE-2024-0012, scored 9.3 by Palo Alto Networks under CVSS v4.0 (9.8 in NVD’s CVSS v3.1), to bypass authentication, and...
  • Adam Meyers, SVP of Counter Adversary Operations at CrowdStrike, noted in an exclusive interview with VentureBeat on April 22, 2026, that adversaries circumvent severity ratings by chaining vulnerabilities...
Original source: venturebeat.com

The recent exploitation of two vulnerabilities in Palo Alto Networks systems, which together granted attackers unauthenticated remote admin access and eventual root control over more than 13,000 exposed management interfaces, has reignited debate over the adequacy of the Common Vulnerability Scoring System (CVSS) in modern threat landscapes. Despite individual CVSS scores suggesting manageable risk, the chained exploitation revealed a critical gap in how vulnerabilities are assessed and prioritized.

During Operation Lunar Peek in November 2024, attackers leveraged CVE-2024-0012, scored 9.3 by Palo Alto Networks under CVSS v4.0 (9.8 in NVD’s CVSS v3.1), to bypass authentication, and CVE-2024-9474, scored 6.9 by the vendor (7.2 in NVD v3.1), to escalate privileges. Although the latter score fell below typical enterprise patch thresholds due to the perceived requirement of admin access, the initial authentication bypass eliminated that barrier entirely. Neither score reflected the combined impact of the attack chain.

Adam Meyers, SVP of Counter Adversary Operations at CrowdStrike, noted in an exclusive interview with VentureBeat on April 22, 2026, that adversaries circumvent severity ratings by chaining vulnerabilities together, adding that the triage logic that missed the chain suffered from “amnesia from 30 seconds before.” Both CVEs are listed in the CISA Known Exploited Vulnerabilities catalog, yet existing scoring treated them as isolated events, a limitation mirrored in SLA dashboards and board reporting.

As Meyers emphasized, CVSS was designed to score one vulnerability at a time — a method that fails when attackers combine flaws. Peter Chronis, former CISO of Paramount, wrote that CVSS base scores are theoretical measures that ignore real-world context, noting that moving beyond CVSS-first prioritization at his organization reduced actionable critical and high-risk vulnerabilities by 90%. Chris Gibson, executive director of FIRST, the body that maintains CVSS, has stated that using base scores alone for prioritization is “the least apt and accurate” method.

FIRST’s Exploit Prediction Scoring System (EPSS) and CISA’s Stakeholder-Specific Vulnerability Categorization (SSVC) model attempt to address gaps by adding exploit probability and decision logic, but experts argue they still lack environmental context. In 2025, 48,185 CVEs were disclosed — a 20.6% year-over-year increase — with projections of 70,135 for 2026, according to Jerry Gamblin of Cisco Threat Detection and Response. The growing volume has strained infrastructure, prompting NIST to announce on April 15, 2026, that it will prioritize CVE enrichment only for KEV and federal critical software.

Five Triage Failure Classes CVSS Was Never Designed to Catch

First, chained CVEs that appear safe in isolation become dangerous when combined, as seen in the Palo Alto case. Teams assessed each flaw independently, deprioritized the lower-scoring flaw, and queued the higher one for maintenance, missing the exploitable sequence.

View this post on Instagram about Meyers, Palo
From Instagram — related to Meyers, Palo

Second, nation-state actors increasingly weaponize patches within days. The CrowdStrike 2026 Global Threat Report documented a 42% year-over-year increase in vulnerabilities exploited as zero-days before disclosure, with an average breakout time of 29 minutes and a fastest observed at 27 seconds. China-nexus adversaries have been observed weaponizing newly patched flaws within two to six days of disclosure, turning routine patch queue items into active threats by midweek.

Third, adversaries stockpile old vulnerabilities. Salt Typhoon accessed senior U.S. Officials’ communications by chaining CVE-2023-20198 and CVE-2023-20273 on Cisco devices — flaws patched in October 2023 but left unapplied for over a year. CVSS does not downgrade priority based on how long a CVE remains unpatched, and no standard metric tracks aging KEV exposure.

How Vulnerability Scores Actually Work (CVSS Explained)

Fourth, identity-related gaps — such as help desk social engineering or weak verification processes — fall outside CVSS entirely. A 2023 help desk impersonation call led to over $100 million in losses with no CVE assigned. Meyers remarked that “a pro needs a zero day if all you have to do is call the help desk and say I forgot my password.” Similarly, agentic AI systems now operate with independent credentials and permissions, often outside traditional vulnerability governance, creating blind spots in enterprise risk tracking.

Fifth, AI-driven vulnerability discovery is outpacing defensive capacity. Anthropic’s Claude Mythos Preview autonomously identified a 27-year-old integer overflow in OpenBSD’s TCP SACK implementation across roughly 1,000 test runs for under $20,000 in compute cost. Meyers warned that if frontier AI increases vulnerability discovery tenfold, annual volumes could reach 480,000 — far exceeding current pipeline limits built for tens of thousands. He noted that when adversaries find flaws faster than defenders can respond, those flaws become exploits.

In response, CrowdStrike launched Project QuiltWorks, a coalition with Accenture, EY, IBM Cybersecurity Services, Kroll, and OpenAI to address the surge in AI-generated vulnerabilities in production code. The initiative reflects growing concern that no single organization’s patch process can keep pace with machine-scale threat discovery.

Security Director Action Plan

To close these gaps, security leaders should conduct five actions:

Security Director Action Plan
Meyers Salt Typhoon Vulnerability
  • Run a chain-dependency audit on every KEV CVE in the environment this month, flagging any co-resident CVE scored 5.0 or above — the threshold where privilege escalation and lateral movement typically appear — and treating any authentication bypass paired with such a flaw as critical regardless of individual scores.
  • Compress KEV-to-patch SLAs to 72 hours for internet-facing systems, based on observed breakout times that render weekly windows indefensible.
  • Build a monthly KEV aging report for the board tracking every unpatched KEV CVE, days since disclosure, days since patch availability, and ownership, to expose risks like those exploited by Salt Typhoon.
  • Add identity-surface controls — including help desk authentication gaps and agentic AI credential inventories — to the vulnerability reporting pipeline, ensuring they fall under the same SLA framework as software CVEs to prevent siloed governance.
  • Stress-test pipeline capacity at 1.5x and 10x current CVE volume, using Gamblin’s 2026 projection of 70,135 and Meyers’ estimate of up to 480,000 annually to present the looming gap to the CFO before the next budget cycle.

As vulnerability discovery accelerates and attack methods evolve, relying solely on CVSS scores risks leaving critical chains undetected — a lesson underscored by the compromise of over 13,000 devices from two flaws that, in isolation, seemed manageable.

Share this:

  • Share on Facebook (Opens in new window) Facebook
  • Share on X (Opens in new window) X

Related

Search:

News Directory 3

News Directory 3 catalogs US newspapers, news services, newsstands and digital news outlets across all 50 states. Browse local publishers by city, state, or topic, and follow current headlines linked back to their original sources.

Quick Links

  • Disclaimer
  • Terms and Conditions
  • About Us
  • Advertising Policy
  • Contact Us
  • Cookie Policy
  • Editorial Guidelines
  • Privacy Policy

Browse by State

  • Alabama
  • Alaska
  • Arizona
  • Arkansas
  • California
  • Colorado

© 2026 News Directory 3. All rights reserved.
For contact, advertising, copyright, issues email: office@newsdirectory3.com