Patch exploited flaws before others

- CISA’s Known Exploited Vulnerabilities catalog, not raw severity scores alone, is driving April 2026 patching after new Microsoft and ConnectWise flaws were added Monday.
- CISA’s catalog listed 1,585 exploited CVEs on April 29, and its guidance says fewer than 4% of all CVEs are publicly exploited.
- Security teams are folding KEV and EPSS into remediation queues as exploit evidence outranks theoretical severity. (cisa.gov)

A software flaw is a bug; an exploited flaw is a bug attackers are already using. CISA is telling defenders to patch the second kind first. (cisa.gov) (first.org)

That approach runs through CISA’s Known Exploited Vulnerabilities catalog, a public list of CVEs with evidence of real-world abuse. On April 29, the catalog showed 1,585 entries. (cisa.gov) CISA added Microsoft Windows CVE-2026-32202 and ConnectWise ScreenConnect CVE-2024-1708 to that list on April 28. Federal Civilian Executive Branch agencies have until May 12, 2026, to remediate both. (cisa.gov)

The logic is simple: severity measures how bad a flaw could be, while exploitation tells you attackers are already through the door. CISA’s 2021 directive shifted federal patching toward that evidence-based list. (cisa.gov 1) (cisa.gov 2)

That shift narrows the pile fast. CISA-cited guidance says fewer than 4% of all CVEs have been publicly exploited in the wild, and EPSS guidance from FIRST says roughly 5% or fewer ever are. (first.org) (cisa.gov)

EPSS, short for Exploit Prediction Scoring System, is the forecast layer. It assigns a daily probability that a published CVE will be exploited in the next 30 days. (first.org) That means a security team can split work three ways: patch KEV items first, use EPSS to rank the rest, and keep Common Vulnerability Scoring System ratings as one input instead of the whole answer. (first.org) (runzero.com)

RunZero’s new “KEVology” report argues the catalog is not a compliance checklist so much as an operational signal. It also found commodity exploit tools often appear days, weeks, or years before a KEV addition. (runzero.com)

Google’s threat researchers are seeing the same pressure in the field. Google Threat Intelligence Group tracked 90 zero-days exploited in 2025, with 43 hitting enterprise technologies, the highest share on record. (cloud.google.com)

The practical result is procedural, not philosophical. If a CVE lands on KEV, patch windows, change approvals, and exception processes have to move faster than they do for a merely “critical” bug. (cisa.gov) (runzero.com) The patch line is no longer led by the scariest score on paper. It is led by the flaw attackers are already exploiting. (cisa.gov)
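The three-way split described above (KEV first, EPSS for the rest, CVSS only as a tiebreaker) as an added worked example; this is not code from the article or from CISA, FIRST or runZero. It assumes the field names of CISA's KEV JSON feed (`cveID`, `dateAdded`, `dueDate`) and the FIRST EPSS API (`cve`, `epss`, `percentile`); the two KEV entries use the CVE IDs and due date from the article, while the `CVE-EXAMPLE-*` IDs, EPSS scores and CVSS scores are constructed.

```python
import json
from datetime import date

# Constructed sample shaped like CISA's KEV feed; IDs and due date are from the article.
KEV_FEED = json.loads("""{"vulnerabilities": [
  {"cveID": "CVE-2026-32202", "dateAdded": "2026-04-28", "dueDate": "2026-05-12"},
  {"cveID": "CVE-2024-1708",  "dateAdded": "2026-04-28", "dueDate": "2026-05-12"}]}""")

# Constructed sample shaped like the FIRST EPSS API response; scores are made up.
EPSS_RESPONSE = json.loads("""{"data": [
  {"cve": "CVE-2024-1708",  "epss": "0.94", "percentile": "0.99"},
  {"cve": "CVE-2026-32202", "epss": "0.31", "percentile": "0.96"},
  {"cve": "CVE-EXAMPLE-A",  "epss": "0.52", "percentile": "0.97"},
  {"cve": "CVE-EXAMPLE-B",  "epss": "0.01", "percentile": "0.40"}]}""")

# Constructed scanner findings with hypothetical CVSS base scores.
# CVE-EXAMPLE-C deliberately has no EPSS record at all.
FINDINGS = [
    {"cve": "CVE-EXAMPLE-A", "cvss": 7.5},
    {"cve": "CVE-EXAMPLE-B", "cvss": 9.8},
    {"cve": "CVE-2026-32202", "cvss": 7.8},
    {"cve": "CVE-2024-1708", "cvss": 10.0},
    {"cve": "CVE-EXAMPLE-C", "cvss": 9.1},
]


def prioritize(findings, kev_feed, epss_response, today=date(2026, 4, 29)):
    """Order findings: KEV entries first (earliest due date, then highest EPSS),
    then everything else by EPSS probability, with CVSS only as the final tiebreaker."""
    kev = {v["cveID"]: v for v in kev_feed["vulnerabilities"]}
    epss = {r["cve"]: float(r["epss"]) for r in epss_response["data"]}
    ranked = []
    for f in findings:
        entry = kev.get(f["cve"])
        due = entry["dueDate"] if entry else None
        ranked.append({
            **f,
            "kev": entry is not None,
            "due": due,
            # Days until the KEV remediation deadline; None for non-KEV findings.
            "days_left": (date.fromisoformat(due) - today).days if due else None,
            # A CVE missing from the EPSS feed has no exploitation forecast: treat as 0.
            "epss": epss.get(f["cve"], 0.0),
        })
    # Tuple key: non-KEV sorts after KEV; earlier due date first; higher EPSS first;
    # higher CVSS first only when everything else ties.
    ranked.sort(key=lambda r: (not r["kev"], r["due"] or "9999-12-31", -r["epss"], -r["cvss"]))
    return ranked
```

Note that the CVSS 9.8 finding lands fourth: without exploitation evidence, the scariest score on paper does not lead the queue.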

Shared from Scout.