HomeResearch › Exploitation Concentration
Original Analysis

Exploitation Is Concentrated: Why Patch Prioritization Should Follow KEV, Not CVSS

B
Bivash — Founder & Principal Analyst, CYBERDUDEBIVASH SENTINEL APEX
Published 2026-07-05 · Analysis · Editorial standards

Executive summary

Across the entire CISA Known Exploited Vulnerabilities catalog (1631 CVEs confirmed exploited in the wild), real-world exploitation is dramatically concentrated. The top five vendors account for 43.8% of every entry; the top ten for 54.3%. A vulnerability-management program that ranks work by CVSS treats a rarely-touched flaw and a mass-exploited one as equals. Ranking by KEV presence, ransomware association, and CISA's assigned remediation window does not.

Every security team faces the same arithmetic: far more CVEs are published than any team can patch immediately, so something has to decide the order. For most organizations that "something" is still CVSS base score. It is the wrong instrument for the job — not because the score is inaccurate, but because it measures the wrong thing. CVSS estimates how bad exploitation would be. It says nothing about whether exploitation is actually happening. The CISA KEV catalog answers exactly that question, and when you analyze it in aggregate, the signal is unusually clean.

Finding 1 — A handful of vendors carry most of the risk

Microsoft alone accounts for 23.2% of the entire catalog — 378 distinct CVEs confirmed exploited in the wild. Cisco, the next-largest, sits at 5.7%. This is not a knock on any vendor; large install bases attract attackers. It is a planning fact: your exposure to confirmed exploitation is dominated by a small set of technologies, and your patch cadence for those should be structurally faster than for everything else.

If you can only guarantee a rapid-patch SLA for a handful of product families, the KEV catalog tells you precisely which handful.

Finding 2 — One in five exploited CVEs is ransomware-linked

20.1% of catalog entries (328 CVEs) are flagged by CISA as used in known ransomware campaigns. For Microsoft, that share is 27.5%. Ransomware association is the single most actionable enrichment in the catalog, because it maps a vulnerability directly to the outcome executives care about most. A KEV entry with a ransomware flag is not a patch ticket — it is a business-continuity control, and should be routed and escalated as one.

Finding 3 — CISA's remediation windows are a free urgency signal

Each KEV entry carries a federal remediation deadline. The median window across the catalog is 21 days, but it is not uniform: CISA assigns tighter deadlines to the threats it assesses as most urgent. Juniper entries carry a median window of just 4 days. Most teams never look at this field. It is, in effect, a government-funded triage label sitting unused in a public feed.

What to do with this

  1. Add a KEV gate to your VM workflow. Any CVE present in the KEV catalog jumps the queue regardless of CVSS. This is now US federal baseline (BOD 22-01); adopt it whether or not you are required to.
  2. Structurally accelerate your top KEV vendors. Build a faster patch lane for the product families that dominate the catalog for your stack — for most organizations that starts with Microsoft.
  3. Escalate the ransomware flag. Route ransomware-linked KEV entries to business-continuity owners, not just the patch queue.
  4. Inherit CISA's deadlines. Use the remediation window as your internal SLA. It is a defensible, externally-sourced urgency label.
  5. Detect while you patch. Patching takes time; deploy detections for KEV entries in parallel. Our detection pack ships traceable Sigma rules for the highest-priority entries in this dataset.

None of this requires a threat-intelligence subscription or a proprietary risk score. It requires treating a free, authoritative, public dataset as the prioritization backbone it already is. The full figures behind this analysis — vendor rankings, ransomware shares, remediation windows, and monthly velocity — are published as the Exploitation Velocity Index, updated from the catalog and downloadable as JSON so you can reproduce every number here.

✓ Sources & reproducibility

Operationalize it

Traceable Sigma detections for the highest-priority KEV entries — every rule linked to its CVE, KEV date, and vendor advisory.