PatchDayAlert
Analysis · 7 min read · 1,448 words By Colten Anderson

The patch queue is being rebuilt around the asset, not the score

In the same month, CISA and Microsoft both demoted CVSS as the thing that decides what to patch first. The order of operations is inverting: asset context is becoming the queue.

The patch queue is being rebuilt around the asset, not the score

Two of the loudest institutions in vulnerability management moved off CVSS in the same month. On June 1, 2026, Microsoft’s Security Exposure Management update stopped relying primarily on CVSS severity and switched its exposure score to a composite of EPSS plus asset context. Nine days later, on June 10, CISA issued BOD 26-04, which consolidated and revoked the older CVSS-based mandates (BOD 19-02 and BOD 22-01). Federal civilian agencies are, in the words of the trade coverage, “no longer required to use CVSS to prioritize.”

The obvious read is that this is the severity-inflation argument finishing its victory lap. Everyone already knew CVSS was a noisy ranking. We’ve made that case ourselves: everything is critical, so nothing is critical. Demote the base score to one input, stack KEV and EPSS and exposure on top, done.

That’s the right conclusion to the wrong question. The more interesting detail is not that the score got better inputs. It’s that the score is no longer the spine of the queue at all.

The pattern is an inversion, not a re-ranking

For roughly a decade, the queue was built vulnerability-first. You pulled the CVE list, sorted high-to-low on the base score, and worked down until you ran out of maintenance window. The asset was a downstream lookup: which boxes have this CVE. Severity decided the order; the asset just told you where to apply it.

Both June 2026 moves flip that. Microsoft’s predefined asset classifications, per the Help Net Security report, include domain controllers, senior-executive workstations, identity providers, and high-traffic Key Vaults. The model starts from “what is this thing and how much does it matter,” then ranks CVEs against it. BOD 26-04 does the same in policy form: its four signals are asset exposure (is it publicly reachable), KEV listing, whether exploitation is automatable, and technical impact (how much control a successful attack yields). Severity rank isn’t one of the four. CISA’s own framing, per the directive coverage, is that “a severity label alone doesn’t dictate what to fix first.”

Read those two side by side and the structural story is plain. The authority over “what’s at the top of the list” is moving from the score to the asset graph. The CVE list still exists, but it’s now ranked inside an asset-scoped frame, with severity demoted to a tiebreaker. This is the institutional name for the shift: exposure management, or CTEM, the continuous-prioritization loop Gartner introduced in 2022 and formalized into Exposure Assessment Platforms by the first Magic Quadrant for the category in November 2025. The defining phrase across that market is prioritizing exposures “with business and threat context.” Context first. The CVE is the detail.

The evidence that the score had to go

The numbers behind the move are not subtle. CVE volume went from 28,818 in 2023 to 40,009 in 2024 to roughly 48,185 in 2025, per Jerry Gamblin’s annual review. Somewhere between 39 and 48 percent of recent cohorts carry a High or Critical rating, call it 19,000 a year. And only about 2 to 6 percent of CVEs are ever exploited; the estimates vary by method, from under 2 percent in the Kenna/Cyentia work to around 6 percent in the Cyentia/FIRST study, with VulnCheck counting 768 confirmed-exploited bugs in 2024. So “patch all High/Critical” routes the bulk of the team’s effort at vulnerabilities that, by the widest reading of the data, are 94 to 98 percent noise relative to actual exploitation.

The supply side made it worse. NVD’s enrichment backlog passed 27,000 by the end of 2025, and in April 2026 NIST narrowed its policy to enrich only KEV, federal, and executive-order-critical CVEs immediately, leaving the rest “not scheduled.” Roughly 60 percent of 2025 CVEs may never get full metadata. CVSS v4 adoption tells the same story from another angle: only 25.9 percent of 2025 CVEs got a v4 score, per VulnCheck. A scoring system that doesn’t get applied to most of the catalog can’t be the catalog’s organizing authority. The institutions didn’t abandon CVSS so much as notice it had already stopped showing up for work.

What replaces it is tunable in a way CVSS never was. The Cyentia/FIRST analysis of EPSS found that at a 0.1 threshold you get roughly 80 percent coverage at 50 percent efficiency; dial it to 0.6 and you get 80 percent efficiency at 60 percent coverage. That’s a knob you set against your own remediation capacity. A base score gives you a number and no lever.

And the asset half of the equation is where exploitation actually lives. The Cyentia/FIRST data also found that fewer than 5 percent of exploits affect more than one in ten organizations. Even a confirmed-exploited bug is rarely universal. Whether a given CVE matters to you is, structurally, an asset-context question, which is exactly the thing CVSS doesn’t know and can’t.

What this means for the queue you own

If you set patching priority for a team, the practical shift is that your queue’s first sort key is changing from severity to asset. You’re no longer asking “what are the worst CVEs this week and where do they land.” You’re asking “which of my assets are reachable and critical, and what’s open on them.” Severity becomes the thing you reach for to break ties inside an asset-scoped list, not the thing that builds the list. That’s the same instinct behind organizing the queue around business impact first; the June moves are that instinct hardening into federal policy and into the default behavior of a major platform.

Here’s the counterweight, and it’s the part that keeps this honest. Asset-first prioritization assumes you have an accurate, tagged, current inventory of what you own. Most shops don’t. Forrester’s work, cited by Flexera, found fewer than half of organizations trust their CMDB enough to automate against it. A vendor-commissioned Trend Micro survey of security leaders reported 74 percent had an incident involving an unknown or unmanaged asset, though that figure skews enterprise. And the throughput problem doesn’t go away: the 2026 DBIR, via Nucleus, put median time-to-full-resolution at 43 days, with only 26 percent of KEV instances fully patched across 2025, down from 38 the year before.

The failure mode is specific and worse than the disease. A severity sort fed bad data is at least honestly noisy; you know you’re guessing. A context model fed stale asset data deprioritizes with false confidence. A reachability check that wrongly marks a vulnerable, internet-facing box as “unreachable” doesn’t lower its risk, it deletes it from the queue. Picus put it plainly: scanners “know nothing about the environment those flaws live in,” but the contextual fix demands documenting controls that organizations already struggle to document. For federal civilian agencies under a mandate, and for the top of the market with clean cloud-native topology, the inversion is real today. For the median hybrid or on-prem shop, it’s aspirational, and the asset graph is the prerequisite nobody is funding.

What to watch

BOD 26-04 carries a 180-day implementation runway, landing around December 7, 2026. The question that runway answers is whether the asset-first queue survives contact with agencies that don’t have the inventory to feed it. If December arrives and the directive holds without a quiet carve-out for shops that can’t classify their own assets, that’s the signal the inversion is durable rather than aspirational. If it slips, the lesson is that the model outran the data layer it depends on.

One caveat worth carrying: the BOD 26-04 details here come from trade press, because the primary CISA PDF returned a 403 during research. The shape of the four signals is well attested; the exact remediation windows are secondhand until the original directive is readable.

Watch your own inventory, too. The honest test of whether you can run an asset-first queue isn’t the tooling, it’s whether you’d trust your CMDB to tell a model “skip this one.” Our daily digest triages on exploitation signal rather than raw CVSS for the same reason these institutions did: the score was never the thing that told you what to fix first.

Sources

Share

Related field notes

Get the free CVE triage cheat sheet

Subscribe and we'll email you the one-page triage flow for fresh CVEs. Plus the weekly digest.

Subscribe