A 30-minute Patch Tuesday triage you can actually run
How to get from 150 CVEs to the 4-8 that change your week, using only public signals and a clock.
Microsoft drops 150-plus CVEs on a Tuesday morning. By Wednesday afternoon, the security team wants a deployment plan, the change board wants a ring schedule, and someone in Slack is asking whether “that CLFS thing” is the one they should care about. You have half an hour before the next meeting.
This is the workflow for that half hour. It assumes you already know what CVSS is, you have MSRC bookmarked, and you can read JSON. It will not give you a finished deployment plan. It will give you a defensible short list and the start of an answer to “what changes this week.”
One caveat up front: there is no formally published “30-minute Patch Tuesday triage” procedure from CISA, NIST, SANS, or MS-ISAC. The phrase is practitioner shorthand for “don’t spend three days on this.” What follows borrows from SSVC, NIST SP 800-40 Rev 4, and BOD 22-01, compressed for a Tuesday afternoon.
What you need before the clock starts
Open these tabs in this order. If you have to hunt for them mid-triage, you’ve already lost five minutes.
- The Microsoft Security Update Guide filtered to today’s release date. The portal exports CSV; the CSV is faster than clicking through.
- The CISA KEV catalog as flat JSON. No auth required.
- The SANS ISC Patch Tuesday diary for the current month. Johannes Ullrich strips out Edge and Chromium noise, which saves time.
- EPSS scores from FIRST.org, either via their API or the daily CSV dump.
- A scratch document for the short list. Plain text is fine.
The phases
| Phase | Time | Output |
|---|---|---|
| 1. Hard signals | 0-5 min | List of “Exploited = Yes” and “Publicly Disclosed = Yes” CVEs |
| 2. Severity + Exploitability | 5-15 min | Critical-rated CVEs with Exploitability Index 0 or 1 |
| 3. The “Important” sweep | 15-25 min | Important-rated CVEs with EPSS ≥ 0.1 or KEV presence |
| 4. Ride-alongs and known issues | 25-30 min | Anything outside the Microsoft bulletin that lands the same week |
Phase 1: hard signals (0-5 min)
Open the MSRC CSV. Sort by Exploited descending, then by Publicly Disclosed descending. Per the MSRC Security Update Guide FAQ, “Exploited = Yes” means Microsoft has confirmed in-the-wild exploitation before the patch shipped. That is a true zero-day, and it is the hardest signal in the entire bulletin. “Publicly Disclosed = Yes” means details were out before the patch, which starts the clock on opportunistic exploitation.
Recent months have shipped between two and six “Exploited” zero-days; Bleeping Computer’s December 2025 coverage flagged three. Copy every “Exploited = Yes” CVE onto your short list. Copy every “Publicly Disclosed = Yes” CVE that is also rated Critical or higher.
Now cross-reference the KEV JSON. Any “Exploited = Yes” entry that is already in KEV is locked in: under BOD 22-01, federal civilian agencies remediate within 14 calendar days of catalog addition, and most non-federal orgs treat that as a benchmark. Note the KEV due date next to the CVE.
Phase 2: severity + exploitability (5-15 min)
Filter the CSV to Severity = Critical. Per Microsoft’s severity rating system, Critical means code execution with no user interaction required. The self-propagating tier.
For each Critical entry, check the Exploitability Index. Microsoft’s index documentation defines four values: 0 (Exploitation Detected), 1 (Exploitation More Likely), 2 (Exploitation Less Likely), 3 (Exploitation Unlikely). Microsoft frames the index as a 30-day forward estimate, not a guarantee.
Critical + Exploitability 0 or 1 goes on the short list, scheduled within days. Critical + Exploitability 2 or 3 goes into the second tier; track it but don’t break the change window for it.
Phase 3: the “Important” sweep (15-25 min)
This is the phase most triage workflows skip, and it is where the actual exploited bugs tend to hide.
Tenable’s 2024 Patch Tuesday year-in-review pegged 93.6% of 2024 Patch Tuesday CVEs as Important. Tenable’s 2025 review found 62.5% of the 24 zero-days exploited in the wild that year were elevation-of-privilege flaws, a class almost always rated Important rather than Critical. Three exploited EoP zero-days from the last 18 months illustrate the pattern. CVE-2024-49138 (December 2024, CLFS driver, CVSS 7.8, Important) was the only confirmed Patch Tuesday zero-day exploited in the wild across all of 2024. CVE-2025-29824 (April 2025, CLFS driver, CVSS 7.8, Important) was weaponized by Storm-2460 to deploy ransomware against IT, retail, and financial-sector targets before the patch shipped. CVE-2024-49039 (November 2024, Task Scheduler EoP, Important) was confirmed exploited the same fall.
None of those would have surfaced on a Critical-only filter. None would have made it on a CVSS-9-or-higher cut.
So filter the CSV to Severity = Important and sort by EPSS descending. Pull every Important entry with EPSS ≥ 0.1. The 0.1 threshold is not an official FIRST recommendation; it has emerged as a practitioner default because, per FIRST’s documentation, EPSS v4 achieves coverage of eventually-exploited CVEs comparable to patching all CVSS 7+ items while requiring action on only about 6% of the CVE population versus 50%.
A note on what this filter is correcting for. Tenable’s research found that more than 75% of CVSS 7+ vulnerabilities have no published exploit and are never attacked. Picus Security’s Q1 2025 telemetry put roughly 28% of actively exploited vulnerabilities at a medium CVSS base score. CVSS measures theoretical worst case in isolation. The Important + high-EPSS sweep is what catches the difference.
Cross-reference KEV one more time. Any Important entry already in KEV is short-list, regardless of EPSS.
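Phases 1 through 3 are filters over three public feeds, so the whole sweep fits in one short script. The following is an added example written for this note, not tooling from Microsoft, CISA, FIRST, or any vendor named above. It assumes the MSRC export carries columns named CVE, Severity, Exploited, Publicly Disclosed, and Exploitability Index (rename them to match your export); the KEV field names `cveID` and `dueDate` and the `cve,epss,percentile` layout of the FIRST CSV are the real ones. The sample CSV and JSON are constructed placeholders. The script deduplicates a CVE that qualifies under several rules into its highest tier, orders the result the way the closing summary does (KEV, then Exploited = Yes, then Critical + EI 0/1, then Important + EPSS ≥ 0.1), parks Critical + EI 2/3 in a second tier, and includes a helper for the 48/72-hour KEV re-check.

```python
"""Phases 1-3 of the triage as a script. MSRC column names are assumptions;
KEV and EPSS field names are the feeds' real ones; sample data is constructed."""
import csv
import io
import json

# Short-list tiers, highest priority first.
TIER_ORDER = ["kev", "exploited", "critical", "important-epss"]
EPSS_THRESHOLD = 0.1  # practitioner default from Phase 3, not a FIRST rule

# Microsoft's Exploitability Index labels mapped to the 0-3 values.
EI_LABELS = {"exploitation detected": 0, "exploitation more likely": 1,
             "exploitation less likely": 2, "exploitation unlikely": 3}


def load_kev(text):
    """cveID -> dueDate from the KEV JSON feed."""
    return {v["cveID"]: v["dueDate"] for v in json.loads(text)["vulnerabilities"]}


def load_epss(text):
    """cve -> EPSS probability from FIRST's CSV dump (skips its leading '#' comment line)."""
    rows = [ln for ln in text.splitlines() if ln and not ln.startswith("#")]
    return {r["cve"]: float(r["epss"]) for r in csv.DictReader(rows)}


def exploitability_code(value):
    """Accept a numeric index ('0'..'3') or Microsoft's text label; unknown -> 3."""
    v = value.strip().lower()
    if v in EI_LABELS:
        return EI_LABELS[v]
    return int(v[0]) if v[:1].isdigit() else 3


def triage(msrc_csv, kev, epss, threshold=EPSS_THRESHOLD):
    """Return (ordered short list, second tier) from an MSRC CSV export (assumed columns)."""
    shortlist, second_tier = {}, []

    def add(cve, tier, row, note):
        # A CVE can match several rules; keep only its highest tier.
        cur = shortlist.get(cve)
        if cur is None or TIER_ORDER.index(tier) < TIER_ORDER.index(cur["tier"]):
            shortlist[cve] = {"cve": cve, "tier": tier, "severity": row["Severity"],
                              "exploited": row["Exploited"], "due": kev.get(cve), "note": note}

    for row in csv.DictReader(io.StringIO(msrc_csv)):
        cve, severity = row["CVE"], row["Severity"].strip()
        exploited = row["Exploited"].strip().lower() == "yes"
        disclosed = row["Publicly Disclosed"].strip().lower() == "yes"
        ei = exploitability_code(row["Exploitability Index"])
        # Phase 1: KEV presence (with due date) first, then in-the-wild exploitation.
        if cve in kev:
            add(cve, "kev", row, f"in KEV, due {kev[cve]}")
        elif exploited:
            add(cve, "exploited", row, "Exploited = Yes, not yet in KEV")
        # Phase 1 (publicly disclosed + Critical) and Phase 2 (Critical + EI 0/1).
        if severity == "Critical":
            if ei <= 1 or disclosed:
                add(cve, "critical", row, f"Critical, EI={ei}" + (", publicly disclosed" if disclosed else ""))
            elif cve not in shortlist:
                second_tier.append(cve)  # track it; do not break the change window
        # Phase 3: the Important sweep on EPSS.
        if severity == "Important" and epss.get(cve, 0.0) >= threshold:
            add(cve, "important-epss", row, f"Important, EPSS={epss[cve]:.2f}")

    ordered = sorted(shortlist.values(),
                     key=lambda e: (TIER_ORDER.index(e["tier"]), -epss.get(e["cve"], 0.0)))
    return ordered, second_tier


def newly_listed(previous_kev, current_kev, cves):
    """48/72-hour re-check: which of our CVEs entered KEV since the earlier snapshot."""
    return sorted(c for c in cves if c in current_kev and c not in previous_kev)


# Constructed sample inputs (placeholder CVE IDs, not real bulletin data).
MSRC_CSV = """CVE,Severity,Exploited,Publicly Disclosed,Exploitability Index
CVE-2099-0001,Important,Yes,No,Exploitation Detected
CVE-2099-0002,Critical,No,No,Exploitation More Likely
CVE-2099-0003,Critical,No,No,Exploitation Less Likely
CVE-2099-0004,Important,No,No,Exploitation Less Likely
CVE-2099-0005,Important,No,No,Exploitation Unlikely
CVE-2099-0006,Important,Yes,No,Exploitation Detected
CVE-2099-0007,Critical,No,Yes,Exploitation Less Likely
"""
KEV_TUESDAY = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2099-0001", "dateAdded": "2099-01-14", "dueDate": "2099-01-28"}]})
KEV_THURSDAY = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2099-0001", "dateAdded": "2099-01-14", "dueDate": "2099-01-28"},
    {"cveID": "CVE-2099-0006", "dateAdded": "2099-01-16", "dueDate": "2099-01-30"}]})
EPSS_CSV = """#model_version:constructed,score_date:2099-01-14T00:00:00+0000
cve,epss,percentile
CVE-2099-0001,0.62000,0.97
CVE-2099-0002,0.05000,0.80
CVE-2099-0004,0.31000,0.95
CVE-2099-0005,0.02000,0.60
CVE-2099-0006,0.40000,0.96
"""


def run_sample():
    """Triage the constructed bulletin, then re-check against Thursday's KEV snapshot."""
    kev = load_kev(KEV_TUESDAY)
    shortlist, second = triage(MSRC_CSV, kev, load_epss(EPSS_CSV))
    added = newly_listed(kev, load_kev(KEV_THURSDAY), [e["cve"] for e in shortlist])
    return shortlist, second, added


if __name__ == "__main__":
    shortlist, second, added = run_sample()
    for e in shortlist:
        print(f"{e['cve']:15} {e['tier']:15} {e['note']}")
    print("second tier:", second)
    print("newly in KEV since Tuesday:", added)
```

On the sample, CVE-2099-0001 matches both the KEV rule and the Important + EPSS rule and lands once, in the KEV tier; CVE-2099-0003 (Critical, EI 2, not disclosed) goes to the second tier; and the Thursday re-check reports CVE-2099-0006, which shipped as Exploited = Yes without a KEV entry and was catalogued two days later, which is exactly the case the 48-hour re-check exists for.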
Phase 4: ride-alongs and known issues (25-30 min)
Two things to check before you close the tab.
First, the ride-alongs. Microsoft is not the only vendor shipping on Patch Tuesday week. The canonical example is September 2023, when Microsoft patched two exploited zero-days, Adobe patched an exploited Acrobat/Reader zero-day (CVE-2023-26369), Apple patched the two BLASTPASS WebKit zero-days (CVE-2023-41064, CVE-2023-41061), and Google patched the libwebp zero-day (CVE-2023-4863), all in the same week. If your environment includes Adobe Reader, macOS, or Chromium, scan the SANS ISC diary for the same date for vendor coverage beyond Microsoft.
Second, known issues. January 2022’s KB5009557 sent domain controllers into LSASS-triggered boot loops, broke Hyper-V on UEFI hosts, and corrupted ReFS volumes. Microsoft issued an OOB emergency fix six days later. Check the MSRC “Known Issues” notes for each KB on your short list, and watch Bleeping Computer for the first 48 hours of community-reported regressions. Out-of-band fixes between Patch Tuesdays are not rare; Microsoft shipped one for the 2025 RRAS RCE on a hotpatch channel.
At 30 minutes, what you have
A short list of 4-8 CVEs, ordered: KEV entries first, then “Exploited = Yes” non-KEV entries, then Critical + Exploitability 0/1, then Important + EPSS ≥ 0.1. Each entry has a CVE ID, a severity, an exploitation status, and (where relevant) a KEV due date. Each KB on the list has been checked for known issues.
What you do not have: a deployment plan, a ring schedule, or a business-impact assessment. Those come next, and they take longer than thirty minutes. The triage was just to find the work.
Two follow-ups before you close the laptop. Re-check KEV at the 48-hour and 72-hour marks; a CVE that shipped “Exploited = No” on Tuesday may be in the catalog by Thursday, and a plan locked on Tuesday afternoon should accommodate that. And re-read the MSRC Known Issues column on Thursday morning, after the first wave of deployments has flushed out regressions.
The point of the half-hour clock is not speed for its own sake. It is to keep the triage from absorbing the whole week, so the deployment work has somewhere to land. The CVEs that matter are not the ones with the biggest CVSS numbers. They are the ones with evidence of exploitation, and that evidence is public, free, and on the same Tuesday timeline as the patches.
Our daily digest does this same filter every weekday: KEV first, then exploited-in-wild, then high-EPSS, capped at the items that actually change the day’s work.
Sources
- CISA Known Exploited Vulnerabilities Catalog — ongoing
- CISA SSVC landing page — ongoing
- NIST SP 800-40 Rev 4 — 2022-04
- CISA BOD 22-01 — 2021-11-03
- MSRC Security Update Guide FAQs — ongoing
- Bleeping Computer: December 2025 Patch Tuesday — 2025-12
- Microsoft Security Update Severity Rating System — ongoing
- MSRC Exploitability Index — ongoing
- Tenable: 2024 Patch Tuesday Year in Review — 2025
- Tenable: 2025 Patch Tuesday Year in Review — 2026
- Tenable: December 2024 Patch Tuesday (CVE-2024-49138) — 2024-12
- Microsoft Security Blog: Exploitation of CLFS zero-day leads to ransomware — 2025-04-08
- Tenable: November 2024 Patch Tuesday (CVE-2024-43451, CVE-2024-49039) — 2024-11
- FIRST.org EPSS SIG — ongoing
- Tenable: Stop Using CVSS for Prioritization — ongoing
- Picus Security: Vulnerability Prioritization in 2026 — 2025
- Krebs on Security: Adobe, Apple, Google & Microsoft 0-days, September 2023 — 2023-09
- SANS ISC Patch Days archive — ongoing
- Bleeping Computer: DC boot loops, Hyper-V regression — 2022-01
- Bleeping Computer: OOB fix for Patch Tuesday regressions — 2022-01-18
- Bleeping Computer: RRAS OOB hotpatch — 2025