{"id":6647,"date":"2026-01-21T10:30:00","date_gmt":"2026-01-21T10:30:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=6647"},"modified":"2026-01-21T10:30:00","modified_gmt":"2026-01-21T10:30:00","slug":"vulnerability-prioritization-beyond-the-cvss-number","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=6647","title":{"rendered":"Vulnerability prioritization beyond the CVSS number"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>The common vulnerability scoring system (CVSS) has long served as <a href=\"https:\/\/nvlpubs.nist.gov\/nistpubs\/ir\/2022\/NIST.IR.8409.pdf\">the industry\u2019s default for assessing vulnerability severity<\/a>. It has become one of the few \u201csources of truth\u201d for cybersecurity professionals.<\/p>\n<p>And, you know the drill. A new CVE drops; it gets a CVSS score; teams rush to patch the items with the biggest numbers.<\/p>\n<p>It all feels logical, scientific \u2014 even objective. But in practice, it often fails us.<\/p>\n<p>In Equifax, SolarWinds and Log4Shell, a similar pattern emerged: the damage did not stem solely from the technical severity of the initial flaw, but from the way a foothold propagated through interconnected systems, whether a web framework with reach into back-end databases, a trusted software update channel or a logging library embedded in nearly everything. A high CVSS score did not by itself predict operational impact, and cascading failures can start at assets that score low in isolation. A \u201cmedium\u201d vulnerability can have the most significant impact because of where it sits and which systems it interacts with.<\/p>\n<p>CVSS scores have enormous value as a starting point, but they do not capture the relational dynamics. 
They do not demonstrate how one vulnerability\u2019s exploitation may <a href=\"https:\/\/www.first.org\/cvss\/specification-document\">amplify or propagate risk<\/a> through dependencies, shared credentials or inherited configurations.<\/p>\n<p>We have historically treated vulnerabilities as isolated points on a list, yet the actual risk lies in their connections.<\/p>\n<h2 class=\"wp-block-heading\">Why the CVSS score isn\u2019t the whole story<\/h2>\n<p>The CVSS base score describes a single flaw in isolation: how easy it is to exploit (attack vector, attack complexity, privileges required, user interaction) and its potential confidentiality, integrity and availability impact. Whether an exploit is circulating or a patch exists only enters through the optional temporal (v3.x) or threat (v4.0) metrics, and the number most teams actually consume is the base score without them. That\u2019s important, and it\u2019s a solid starting point. But it doesn\u2019t account for something crucial: context.<\/p>\n<p>A vulnerability in a tightly isolated sandbox may score a 9.8 but never affect anything else. Meanwhile, a 5.2 in a single sign-on service, the system that every other system trusts, can become a blast radius multiplier. The score alone tells us nothing about how that flaw might ripple across the enterprise.<\/p>\n<p>In the real world, vulnerabilities don\u2019t stay put. They move. They inherit privileges. They hitch rides through pipelines. They land in places no one expected.<\/p>\n<p>Risk isn\u2019t only about severity. It\u2019s about propagation.<\/p>\n<h2 class=\"wp-block-heading\">A different way to look at vulnerabilities<\/h2>\n<p><a href=\"https:\/\/www.uscybersecurity.net\/csmag\/unified-linkage-models-recontextualizing-cybersecurity\/\">This is where the unified linkage model (ULM) comes in<\/a>. 
Instead of asking, \u201cHow bad is this vulnerability on its own?\u201d ULM asks, \u201cWhat can this vulnerability affect once it starts moving?\u201d<\/p>\n<p>It focuses on three kinds of relationships:<\/p>\n<p><strong>Adjacency:<\/strong> Systems that sit side by side (the same network segment, host or namespace, say) and can influence each other, even without direct data exchange.<\/p>\n<p><strong>Inheritance:<\/strong> Flaws that travel downstream \u2014 like a vulnerability hidden inside an open-source library embedded in dozens of applications.<\/p>\n<p><strong>Trust:<\/strong> Systems that depend on each other\u2019s integrity \u2014 like identity providers, update services or CI\/CD tools.<\/p>\n<p>When you map these relationships, you stop seeing a list of vulnerabilities and start seeing a network of pathways. Suddenly, a seemingly minor flaw can reveal a much larger story.<\/p>\n<h2 class=\"wp-block-heading\">How vulnerabilities really move<\/h2>\n<p>Modern development pipelines make it incredibly easy for vulnerabilities to spread unnoticed. A flawed library pulled into a build is included in a Docker image. That image gets promoted to production. The container runs under a service account that was granted more than it needs. And eventually, an external endpoint exposes it to the internet. By the time someone sees the CVE notification, the vulnerability may already be alive inside mission-critical systems.<\/p>\n<p>The question isn\u2019t just \u201cWhat\u2019s the score?\u201d \u2014 it\u2019s \u201cWhere can this go?\u201d<\/p>\n<h2 class=\"wp-block-heading\">Revisiting Log4Shell through a linkage lens<\/h2>\n<p>Log4Shell didn\u2019t become historic because it was technically severe. Thousands of vulnerabilities are rated critical every year. It became historic because it was everywhere. 
Log4j was inherited through nested dependencies, embedded in countless libraries and trusted by systems that consumed untrusted data.<\/p>\n<p>It was a perfect storm of inheritance, adjacency and trust.<\/p>\n<p>Log4Shell taught us that a vulnerability\u2019s true danger lies not only in what it is, but in where it lives.<\/p>\n<h2 class=\"wp-block-heading\">What happens when we score based on linkage?<\/h2>\n<p>ULM doesn\u2019t replace CVSS scores. It enhances them. It forces us to think about depth, reach and influence. CVSS\u2019s environmental metrics already let you adjust a score for one asset\u2019s deployment context, but they still describe that asset alone, not what it can reach.<\/p>\n<p>A vulnerability in a retired development VM might score 9.8. However, if nothing depends on it, it is not reachable from untrusted networks and it holds no credentials or keys that work anywhere else, its real-world priority may be low. Those last two checks matter: an idle VM with a cloud role attached or a cached domain credential is still a foothold.<\/p>\n<p>Meanwhile, a flaw in a GitHub Actions runner that feeds production builds could score much higher when evaluated through linkage. It sits in a trusted pipeline, inherits credentials and can influence downstream systems. In a ULM view, its urgency skyrockets.<\/p>\n<p>A number alone can mislead. A narrative reveals risk.<\/p>\n<h2 class=\"wp-block-heading\">How organizations can start using ULM today<\/h2>\n<p>This doesn\u2019t require a massive overhaul. It starts with a mindset shift:<\/p>\n<p>Map how systems connect, not just what systems exist. Much of the data already exists: SBOMs and lockfiles for inheritance, CI\/CD and IAM configuration for trust, network and service-mesh policy for adjacency.<\/p>\n<p>Look for shared components, shared identities, shared pipelines.<\/p>\n<p>Ask which systems others trust, depend on or inherit from.<\/p>\n<p>Then prioritize vulnerabilities based on where they sit in that network \u2014 especially those near identity systems, CI\/CD pipelines or widely used shared services. These are the silent amplifiers.<\/p>\n<p>Start small. Focus on the systems with the most downstream influence. The picture will come into focus quickly.<\/p>\n<h2 class=\"wp-block-heading\">The bottom line<\/h2>\n<p>Vulnerability management isn\u2019t a numbers game. It\u2019s a relationship game.<\/p>\n<p>CVSS tells us, in theory, how severe a vulnerability is. ULM helps us understand how dangerous it could be in practice. 
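A minimal worked version of the linkage scoring described in the two sections above (the three relationship kinds, and the retired VM versus the CI runner), added here as an illustration; it is not code from the original article or from any published ULM tooling. Every system name, edge, hop weight and CVSS value in it is constructed for the example, and the blending formula is an assumption, not a standard:

```python
"""Linkage-aware prioritization of vulnerability findings.

Added illustration: a small graph of systems joined by the three ULM
relationship kinds (adjacency, inheritance, trust), a reachability pass that
estimates how strongly a compromise at one node can propagate, and a priority
that blends the CVSS base score with that reach. All systems, edges, weights
and findings below are constructed for the example; the weighting formula is
an assumption, not a published standard.
"""
from __future__ import annotations

from collections import deque

# Constructed linkage graph: system -> [(downstream system, relationship kind)].
# An edge A -> B means "a compromise of A can plausibly reach B through <kind>".
LINKS: dict[str, list[tuple[str, str]]] = {
    "retired-dev-vm": [],                                    # nothing depends on it
    "log4j-core": [("billing-api", "inheritance"),           # embedded library
                   ("search-svc", "inheritance"),
                   ("sso", "inheritance")],
    "sso": [("billing-api", "trust"),                        # every service trusts its tokens
            ("search-svc", "trust"),
            ("ci-runner", "trust"),
            ("admin-console", "trust")],
    "ci-runner": [("artifact-registry", "trust"),            # pushes builds
                  ("cloud-deploy-role", "trust")],           # holds a deploy credential
    "artifact-registry": [("prod-cluster", "inheritance")],  # prod pulls what it publishes
    "cloud-deploy-role": [("prod-cluster", "trust"), ("customer-db", "trust")],
    "admin-console": [("customer-db", "trust")],
    "billing-api": [("customer-db", "adjacency")],           # same network segment
    "prod-cluster": [("customer-db", "adjacency")],
    "search-svc": [],
    "customer-db": [],
}

# Constructed: systems whose compromise is a business-level incident.
CROWN_JEWELS = {"customer-db", "prod-cluster"}

# Assumed per-hop weights: how much of the attacker's position survives a hop.
# Trust and inheritance carry a compromise almost intact; adjacency only offers
# an opportunity, so it is discounted.
HOP_WEIGHT = {"trust": 1.0, "inheritance": 0.9, "adjacency": 0.5}


def reach(start: str) -> dict[str, tuple[float, list[str]]]:
    """Return every system reachable from `start` with the strongest path to it.

    Strength is the product of hop weights along the path. A node is re-queued
    only when a strictly stronger path is found, so the search terminates even
    if the graph contains cycles.
    """
    best: dict[str, tuple[float, list[str]]] = {}
    queue = deque([(start, 1.0, [])])
    while queue:
        node, strength, path = queue.popleft()
        for nxt, kind in LINKS.get(node, []):
            s = strength * HOP_WEIGHT[kind]
            if s > best.get(nxt, (0.0, []))[0]:
                hop_path = path + [f"-{kind}-> {nxt}"]
                best[nxt] = (s, hop_path)
                queue.append((nxt, s, hop_path))
    return best


def linkage_priority(system: str, cvss: float) -> dict:
    """Blend the CVSS base score with how far, and into what, a compromise can spread."""
    reached = reach(system)
    jewels = {n: v for n, v in reached.items() if n in CROWN_JEWELS}
    if jewels:
        target, (jewel_strength, path) = max(jewels.items(), key=lambda kv: kv[1][0])
    else:
        target, jewel_strength, path = None, 0.0, []
    # Assumed formula: a flaw that reaches no crown jewel keeps a quarter of its
    # CVSS, one that reaches a jewel intact keeps all of it, and every reachable
    # system adds 5%. The result is capped at 10 to stay on the CVSS scale.
    raw = cvss * (0.25 + 0.75 * jewel_strength) * (1 + 0.05 * len(reached))
    return {
        "system": system,
        "cvss": cvss,
        "reach": len(reached),
        "crown_jewel": target,
        "path": " ".join([system, *path]),
        "priority": round(min(raw, 10.0), 2),
    }


def prioritize(findings: dict[str, float]) -> list[dict]:
    """Rank findings by linkage priority, highest first."""
    return sorted((linkage_priority(s, c) for s, c in findings.items()),
                  key=lambda r: r["priority"], reverse=True)


# Constructed findings: the article's retired VM and CI runner, plus two others.
FINDINGS = {"retired-dev-vm": 9.8, "log4j-core": 10.0, "ci-runner": 6.5, "sso": 5.2}

if __name__ == "__main__":
    for row in prioritize(FINDINGS):
        print(f"{row['priority']:5.2f}  cvss={row['cvss']:4.1f}  "
              f"reach={row['reach']:2d}  {row['path']}")
```

On this constructed graph the 9.8 on the retired VM falls to the bottom of the list because nothing is reachable from it, while the 6.5 on the CI runner and the 5.2 on the SSO service rise above it, each with a printed path to the crown jewel it can reach; the ordering is the point, and the specific weights are the knobs a team would tune against its own inventory.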
And in a world of accelerating complexity, automation and interconnected systems, that context is no longer optional.<\/p>\n<p>To defend our environments, we have to stop seeing vulnerabilities as dots. We have to start seeing the lines between them.<\/p>\n<p>That\u2019s where the real risk lives.<\/p>\n<p><strong>This article is published as part of the Foundry Expert Contributor Network.<br \/><a href=\"https:\/\/www.csoonline.com\/expert-contributor-network\/\">Want to join?<\/a><\/strong><\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>The common vulnerability scoring system (CVSS) has long served as the industry\u2019s default for assessing vulnerability severity. It has become one of the few \u201csources of truth\u201d for cybersecurity professionals. And, you know the drill. A new CVE drops; it gets a CVSS score; teams rush to patch the items with the biggest numbers. It [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":6648,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-6647","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/6647"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=6647"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/6647\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/6648"}],"wp:attachment":[{"href
":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=6647"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=6647"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=6647"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}