Vulnerability management needs triage
NetSPI's Q1 2026 vulnerability roundup argues organisations must prioritise fixes by exploitability and business impact instead of simply accumulating patches. The report frames remediation as strategic triage — ranking flaws by active exploitation, exposure and critical assets — rather than treating all critical CVEs equally. (netspi.com)
Vulnerability management is shifting from patching everything to fixing the few flaws most likely to be used against the systems that matter most. (netspi.com) NetSPI’s Q1 2026 roundup, published April 13, said its top five cases included Oracle WebLogic Server Proxy Plugin remote code execution, Ivanti Endpoint Manager Mobile authentication bypass and path traversal, and a BeyondTrust remote code execution flaw. The firm said those bugs stood out because attackers could reach them remotely and, in several cases, without user interaction or prior privileges. (netspi.com)

The basic problem is volume. The United States Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities catalog showed 1,566 entries on April 14, 2026, and the agency says organizations should use that list as an input to their vulnerability management prioritization framework. (cisa.gov)

A software flaw score is not the same thing as attack risk. The Forum of Incident Response and Security Teams, which maintains the Exploit Prediction Scoring System, says its model estimates the probability a vulnerability will be exploited, but that defenders still need to weigh asset value, accessibility, and business impact before deciding what to remediate first. (first.org)

That is the triage model NetSPI is pushing. Its WebLogic example ties a single internet-reachable flaw to possible system takeover, data integrity problems, compliance exposure, and outages in core business services, not just a high Common Vulnerability Scoring System number. (netspi.com)

Federal guidance has been moving in the same direction. The National Institute of Standards and Technology said in a May 19, 2025 white paper that prioritizing vulnerabilities most susceptible to active exploitation is a core element of managing cybersecurity risk. (nist.gov) The same guidance also undercuts a habit many security teams still have: treating every “critical” Common Vulnerability Scoring System rating as equally urgent. The Exploit Prediction Scoring System user guide says attackers are not only targeting the most severe vulnerabilities, and that severity scores need to be combined with threat data to decide what gets patched first. (first.org)

CISA’s catalog shows how that urgency is enforced in practice for federal agencies. Entries added on April 13, 2026 included due dates as soon as April 16 for Fortinet FortiClient Enterprise Management Server and April 27 for Adobe Acrobat flaws, reflecting deadlines tied to active exploitation rather than abstract severity alone. (cisa.gov)

NetSPI’s report lands in that gap between theory and operations: too many flaws, too few engineers, and too many systems to patch at once. Its answer is to rank vulnerabilities by exploitability, exposure, and the importance of the affected asset before the patch backlog turns into a breach report. (netspi.com)
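The triage model described above, as an added illustrative example rather than NetSPI's, CISA's or FIRST's own method: a scorer that ranks constructed sample findings by KEV listing, EPSS probability, exposure and asset criticality, so that a CVSS 9.8 flaw on an internal host can land below a CVSS 7.5 flaw that is listed in KEV on an internet-facing core system. The weights, the SLA ladder and the sample findings are assumptions chosen to show the ranking, not values from the report.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Finding:
    """One vulnerability instance on one asset (constructed sample data below)."""
    finding_id: str
    cvss: float              # CVSS base score, 0-10
    epss: float              # EPSS exploitation probability, 0-1
    in_kev: bool             # listed in CISA's Known Exploited Vulnerabilities catalog
    internet_facing: bool    # reachable from the internet
    asset_criticality: int   # 1 = low, 2 = important, 3 = core business service
    needs_auth: bool         # requires prior privileges or user interaction


def triage_score(f: Finding) -> float:
    """Combine threat, exposure and impact; CVSS alone never decides the rank."""
    threat = 1.0 if f.in_kev else f.epss          # observed exploitation beats a prediction
    exposure = 1.0 if f.internet_facing else 0.4  # internal-only paths need a foothold first
    if not f.needs_auth:
        exposure *= 1.25                          # no user interaction or privileges required
    impact = (f.asset_criticality / 3.0) * (f.cvss / 10.0)
    return threat * exposure * impact * 100


def remediation_deadline(f: Finding, found: date) -> date:
    """Assumed SLA ladder (hypothetical, not CISA's rules): KEV on the edge gets days, not weeks."""
    if f.in_kev and f.internet_facing:
        return found + timedelta(days=3)
    if f.in_kev or triage_score(f) >= 25:
        return found + timedelta(days=14)
    return found + timedelta(days=30)


def prioritize(findings: list[Finding]) -> list[Finding]:
    return sorted(findings, key=triage_score, reverse=True)


# Constructed sample findings (not from the report); ids are placeholders, not CVE numbers.
SAMPLE = [
    Finding("internal-app-cvss98", 9.8, 0.02, False, False, 2, False),
    Finding("edge-rce-kev", 7.5, 0.90, True, True, 3, False),
    Finding("admin-console-kev", 8.8, 0.60, True, False, 3, True),
    Finding("test-host-high-epss", 9.1, 0.70, False, True, 1, False),
]
FOUND = date(2026, 4, 13)  # assumed discovery date for the sample

if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        print(f"{f.finding_id:<24} cvss={f.cvss:<4} score={triage_score(f):6.1f} "
              f"due={remediation_deadline(f, FOUND)}")
```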