CVSS is 8.6 but Cytidel's Risk Rating is Low. Here's Why.
CVSS tells you potential impact. Threat intelligence tells you reality. Here's how a hybrid approach to vulnerability prioritisation actually works — and why a high CVSS score doesn't always mean high risk.
A customer asked me recently why a CVSS 8.6 vulnerability was rated "Low" in our platform.
It's a fair question — and one I get asked a lot when people are new to threat-led prioritisation. An 8.6 feels like it should be urgent. The instinct to treat high CVSS scores as high priority is deeply ingrained in how most teams have been taught to think about vulnerabilities.
But here's the reality: CVSS alone makes prioritisation impossible at scale.
Of the ~42,000 CVEs published so far this year, about 42% have High or Critical CVSS scores. That's over 15,000 vulnerabilities. No team is patching their way through that list. When everything is urgent, nothing is.
This is why we built our Risk Rating around real-world threat signals — not just theoretical severity.
Recently, we published a blog analysing the CVE landscape for 2025, comparing CVSS-led prioritisation with threat-led prioritisation (the Cytidel Risk Rating). The image below summarises the scale of the CVSS-led prioritisation challenge and the gaps it leaves.

When CVSS Gets It Right
Let's be clear: CVSS isn't useless. Far from it.
The other day, a CVSS 10 dropped in React Router (CVE-2025-55182). Remote code execution, affecting React Server Components across React 19, Next.js 15 and 16 with App Router enabled. Likely internet-facing software. The kind of vulnerability that has all the hallmarks of something really impactful.
Our CTI team flagged it to customers immediately, without waiting for the risk rating to catch up, without waiting for further exploitation evidence. Some vulnerabilities demand action based on their characteristics alone: a perfect CVSS score, RCE capability, and widespread deployment in internet-facing applications.

This one moved fast. Within hours of disclosure, POCs were circulating, exploitation was observed in the wild, and threat actors, including groups identified as Earth Lamia and Jackpot Panda, were already scanning for vulnerable instances. Our Risk Rating tracked that momentum in real time. It hit High quickly and has since moved to Significant as more evidence emerged.
That's CVSS doing exactly what it's designed to do: flag potential impact.
When CVSS Misleads
But that 8.6 the customer asked about? A completely different story.
No POCs circulating. No exploitation in the wild. No threat actor interest. Minimal chatter across news and social media. Theoretically severe, practically quiet.

If you prioritised purely on CVSS, this vulnerability would be competing for attention alongside thousands of others. Your team would be stretched thin, chasing theoretical risk while potentially missing the vulnerabilities that are actually being weaponised.
And the data backs this up. Recapping the 2025 CVE data (shown in the first image in this post):
- 14% of CVEs with evidence of actual exploitation had Low or Medium CVSS scores. These are vulnerabilities that attackers are actively using — and CVSS alone would have told you to deprioritise them.
- 33% of CVEs linked to known threat actors also had Low or Medium CVSS scores. The adversaries targeting your industry aren't always going after the headline-grabbing critical vulnerabilities. They're exploiting what works.
- Over 42% of CVEs with evidence of potential public exploitation never made it onto the CISA KEV list. Even the gold-standard prioritisation lists miss a significant portion of real-world threats.
CVSS measures potential impact in a vacuum. It doesn't account for whether anyone is actually exploiting the vulnerability, whether exploit code exists, or whether threat actors have shown interest.
The Hybrid Approach
So how do you reconcile these two realities: the CVSS 10 that demands immediate action and the CVSS 8.6 that can wait?
You need both human insight and automated, continuous analysis.
Human insight catches the obvious "drop everything" moments. When a CVSS 10 RCE drops in widely-deployed, internet-facing software, experienced analysts recognise the pattern. They don't wait for threat intelligence to confirm what they already know: this is going to be exploited, and fast.
But human insight doesn't scale to 42,000+ CVEs per year. No team can manually monitor the threat landscape across thousands of news sources, social media feeds, exploit repositories, vendor advisories, and dark web forums. The volume is simply too high, and the signals change too quickly.
This is where automated, threat-led analysis comes in. Our Risk Rating continuously evaluates every CVE against real-world signals:
- Exploitation evidence: Is there proof this vulnerability is being exploited in the wild?
- Proof-of-concept availability: Has exploit code been published?
- Threat actor associations: Are known adversaries using this vulnerability in campaigns?
- Trending activity: Is this vulnerability gaining traction across news and social media?
- CVSS and vulnerability characteristics: What's the theoretical impact and attack vector?
The rating is dynamic. It updates as the threat landscape changes. A vulnerability that's quiet today might spike tomorrow when a POC drops or a threat actor picks it up. The system tracks that momentum so you don't have to.
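To make the mechanics of a threat-led rating concrete, here is a small worked example added for this post. It is not Cytidel's code and the weights, thresholds, field names and CVE records in it are invented; only the rating labels (Low, Medium, High, Significant) and the five signal categories follow the text. It scores a CVE from its real-world signals with CVSS as a modifier, re-rates as evidence arrives (the timeline mirrors the CVSS 10 RCE story above), and compares the queue a CVSS 7.0+ cutoff would produce against the threat-led queue for a constructed catalogue.

```python
"""Toy threat-led prioritisation: CVSS as context, threat signals as the driver.

Added illustration, not Cytidel's Risk Rating. Weights, thresholds, the
ThreatSignals schema and the sample records are invented for the example.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class ThreatSignals:
    """One CVE's current evidence (hypothetical schema)."""
    cve: str
    cvss: float                       # CVSS base score, 0.0-10.0
    exploited_in_wild: bool = False   # exploitation evidence observed
    poc_public: bool = False          # proof-of-concept exploit published
    threat_actors: tuple = ()         # adversaries linked to campaigns
    trending: bool = False            # gaining traction in news / social media
    network_rce: bool = False         # characteristic: remotely exploitable RCE


def cvss_band(cvss: float) -> str:
    """Standard CVSS v3 qualitative severity bands."""
    if cvss >= 9.0:
        return "Critical"
    if cvss >= 7.0:
        return "High"
    if cvss >= 4.0:
        return "Medium"
    if cvss > 0.0:
        return "Low"
    return "None"


def threat_score(s: ThreatSignals) -> int:
    """Evidence-weighted score (hypothetical weights): real-world signals
    carry most of the weight, CVSS and characteristics only nudge it."""
    score = 0
    if s.exploited_in_wild:
        score += 3
    if s.poc_public:
        score += 2
    if s.threat_actors:
        score += 2
    if s.trending:
        score += 1
    if s.cvss >= 9.0:
        score += 1
    if s.network_rce:
        score += 1
    return score


def threat_led_rating(s: ThreatSignals) -> str:
    """Map the score to the post's rating labels (hypothetical thresholds)."""
    score = threat_score(s)
    if score >= 8:
        return "Significant"
    if score >= 5:
        return "High"
    if score >= 2:
        return "Medium"
    return "Low"


def rating_timeline(initial: ThreatSignals, events):
    """Re-rate after each evidence change; events are (label, {field: value})."""
    current = initial
    history = [("disclosure", threat_led_rating(current))]
    for label, change in events:
        current = replace(current, **change)
        history.append((label, threat_led_rating(current)))
    return history


def compare_queues(catalog, cvss_cutoff=7.0):
    """Which CVEs land in a CVSS-only queue versus the threat-led queue."""
    cvss_queue = {s.cve for s in catalog if s.cvss >= cvss_cutoff}
    threat_queue = {s.cve for s in catalog
                    if threat_led_rating(s) in ("High", "Significant")}
    return {
        "cvss_only": sorted(cvss_queue - threat_queue),    # theoretical noise
        "threat_only": sorted(threat_queue - cvss_queue),  # CVSS would miss these
        "both": sorted(cvss_queue & threat_queue),
    }


# Constructed sample records (placeholder IDs, not real CVE data)
QUIET_86 = ThreatSignals("CVE-EXAMPLE-0001", 8.6)
RCE_10 = ThreatSignals("CVE-EXAMPLE-0002", 10.0, network_rce=True)
LOW_BUT_USED = ThreatSignals("CVE-EXAMPLE-0003", 5.3, exploited_in_wild=True,
                             threat_actors=("ExampleActor",))
# Evidence arriving for the CVSS 10 in the order the post describes
RCE_10_EVENTS = [
    ("poc circulating + trending", {"poc_public": True, "trending": True}),
    ("exploitation observed", {"exploited_in_wild": True}),
    ("actors attributed", {"threat_actors": ("ActorA", "ActorB")}),
]
RCE_10_NOW = replace(RCE_10, poc_public=True, trending=True,
                     exploited_in_wild=True, threat_actors=("ActorA", "ActorB"))
CATALOG = [QUIET_86, RCE_10_NOW, LOW_BUT_USED]

if __name__ == "__main__":
    print(QUIET_86.cve, cvss_band(QUIET_86.cvss), "->", threat_led_rating(QUIET_86))
    for label, rating in rating_timeline(RCE_10, RCE_10_EVENTS):
        print(f"{RCE_10.cve}: {label:28s} {rating}")
    print(compare_queues(CATALOG))
```

Two things the output shows that the prose only states: the CVSS 8.6 with no signals rates Low while a CVSS 5.3 with exploitation evidence and an attributed actor rates High, so the two queues disagree in both directions; and the CVSS 10 starts at only Medium on disclosure, which is exactly the window where the post says analyst judgment escalates without waiting for the rating to catch up.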
What This Means in Practice
Over the last 12 months, our Significant and High ratings accounted for approximately 350 CVEs (under 1% of the total published).
That's a 97% reduction in ticket volume compared to standard CVSS-based prioritisation that looks at High and Critical (7.0 and above).
But it's not about reducing workload for its own sake. It's about focusing attention on what's actually being targeted while clearing the noise that distracts from real risk.
The goal isn't to replace CVSS. It's to put CVSS in context. A CVSS 10 with active exploitation and threat actor interest is categorically different from a CVSS 10 that exists only in a research paper. Both might score the same on paper. Only one is an immediate threat to your organisation.
The Bottom Line
CVSS tells you how bad something could be. Threat intelligence tells you what's actually happening.
A CVSS 8.6 rated Low isn't a fault in the system. It's the system recognising that theoretical severity and real-world risk are not the same thing.
When that changes, such as when POCs emerge, when exploitation is observed, or when threat actors start being associated, the rating updates. That's the point.
For the vast majority of vulnerabilities, the risk rating is the way to go. For the rare cases where human judgment says "act now regardless," experienced analysts still have that discretion.
That's the hybrid approach. And it's the only way to stay ahead of a threat landscape that's growing faster than any team can handle manually.
Want to see how Cytidel's Risk Rating works in practice? Schedule a demo to see how we help security teams focus on the 1% of vulnerabilities that actually matter.