
In November 2024, during Operation Lunar Peek, attackers gained unauthenticated remote admin access and eventual root across more than 13,000 exposed Palo Alto Networks management interfaces. Palo Alto Networks scored CVE-2024-0012 at 9.3 and CVE-2024-9474 at 6.9 under CVSS v4.0. NVD scored the same pair 9.8 and 7.2 under CVSS v3.1. Two different scoring systems provided different answers for the same vulnerabilities. The 6.9 score fell below patch thresholds, while the 9.3 score waited for maintenance.
Adam Meyers, SVP of Counter Adversary Operations at CrowdStrike, mentioned in an exclusive interview on April 22, 2026, that adversaries circumvent severity ratings by chaining vulnerabilities together. The triage logic that missed the chain was described as having amnesia from 30 seconds before.
Both CVEs are on the CISA Known Exploited Vulnerabilities catalog, but the scoring systems did not flag the kill chain. The triage logic treated each CVE as an isolated event, which was reflected in the SLA dashboards and board reports.
The CVSS base scores are theoretical measures of severity that ignore real-world context, as noted by Peter Chronis, former CISO of Paramount. Moving beyond CVSS-first prioritization can reduce actionable critical and high-risk vulnerabilities significantly. The EPSS model by FIRST and CISA’s SSVC decision model address some of the gaps in using CVSS base scores alone for prioritization.
Five triage failure classes CVSS was never designed to catch
In 2025, 48,185 CVEs were disclosed, showing a 20.6% year-over-year increase. Jerry Gamblin, principal engineer at Cisco Threat Detection and Response, projects 70,135 for 2026. The infrastructure behind the scores is struggling under this weight.
Chained CVEs, nation-state adversaries weaponizing patches, stockpiled CVEs, identity gaps, and AI-accelerated discovery are some of the challenges that CVSS was not designed to catch. Adversaries are finding vulnerabilities faster than defenders, leading to a significant problem. Projects like QuiltWorks aim to address the increasing vulnerability volume generated by frontier AI models in production code.
Hey Security Director, Let’s Take Action!
So, when these five big firms come together to tackle a pipeline problem, it’s pretty clear that relying on just one organization’s patch workflow won’t cut it.
Here’s the plan:
1. Conduct a thorough chain-dependency audit on all KEV CVEs in the system this month. Keep an eye out for any CVEs with a score of 5.0 or higher – that’s where things like privilege escalation and lateral movement usually come into play. And if there’s a pair chaining authentication bypass to privilege escalation, consider it critical, no matter what the individual scores say.
2. Speed things up by making sure KEVs are patched within 72 hours for systems facing the internet. According to the CrowdStrike 2026 Global Threat Report, the average time to patch is 29 minutes, with the fastest being 27 seconds. Waiting a week to patch just won’t fly in a board meeting.
3. Keep the board in the loop with a monthly report on aging KEVs. Make sure they know how long each CVE has been unpatched, how long the patch has been available, and who’s responsible. Remember the Cisco CVE that was exploited 14 months after a patch was released? Yeah, we don’t want that happening again.
4. Don’t forget about identity-surface controls in the vulnerability reporting process. Authentication gaps and AI credential issues need to be addressed just like software vulnerabilities. If they’re in a separate silo, they’re basically in no-man’s land.
5. Test the pipeline’s capacity at 1.5x and 10x the current CVE volume. With projections like Gamblin’s 70,135 CVEs for 2026 and Meyers’s even higher estimates, we need to be prepared. Let’s show the CFO the capacity gap now, before a breach happens that proves we weren’t ready.
Let’s get ahead of this, team. Our systems, our data, and our reputation are on the line. Time to take action!
