CVSS Scores Fail: Chained Exploits Ignite Cyber Chaos
25 Apr
Summary
- Attackers chained two PAN-OS vulnerabilities whose combined impact is not reflected in their individual CVSS scores.
- Prioritization needs exploitation probability and decision-tree logic, not a CVSS score alone.
- AI-accelerated vulnerability discovery threatens to overwhelm current patch pipelines.

In Operation Lunar Peek (November 2024), attackers went after more than 13,000 internet-exposed Palo Alto Networks PAN-OS management interfaces, first gaining unauthenticated administrative access and then escalating to root on the firewall. The incident showed how adversaries sidestep CVSS-based triage by chaining vulnerabilities, a pattern that scoring each CVE on its own does not capture. Adam Meyers of CrowdStrike noted that adversaries exploit the system by combining exploits, making isolated vulnerability scoring insufficient.
CVSS scores each vulnerability in isolation, so it cannot express the compound effect when several flaws are chained. CVE-2024-0012, an authentication bypass in the PAN-OS management web interface, and CVE-2024-9474, a privilege escalation to root, illustrate the problem: on its own the privilege escalation rates only medium (CVSS 4.0 score 6.9) and can fall below a critical-only patch threshold, yet chained behind the authentication bypass (9.3) it hands an unauthenticated attacker root. Security leaders therefore advocate moving beyond CVSS-first prioritization and folding in factors such as exploitation probability and decision-tree logic to manage risk.
The volume of disclosed CVEs is growing quickly, with projections of a sharp surge in 2026. Combined with nation-state actors that turn newly released patches into working exploits within days and stockpile older vulnerabilities for years, this strains existing patch pipelines. Identity gaps and AI-accelerated vulnerability discovery add challenges that current systems are not built to handle.
To address these threats, a five-point action plan is proposed:
- Conduct chain-dependency audits, so that a flaw is rated by the attack path it completes rather than by its stand-alone score.
- Compress patch SLAs for internet-facing systems to 72 hours.
- Produce aging reports for vulnerabilities on the CISA Known Exploited Vulnerabilities (KEV) list.
- Integrate identity-surface controls into vulnerability reporting.
- Stress-test pipeline capacity against the projected, AI-driven increase in CVE volume.
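The chain-dependency audit and the decision-tree triage described above, as an added example that is not code from the article or from any vendor. It models each vulnerability by the attacker state it needs and the state it grants, forward-chains from an unauthenticated network position, and asks about in-the-wild exploitation and chain reachability before it consults the raw score. The inventory is constructed sample data: the two PAN-OS CVEs and their stand-alone CVSS 4.0 scores are real, while EXAMPLE-1, the dates and the SLA values are assumptions made for the demonstration.

```python
"""Chain-aware vulnerability triage (added example, constructed data).

The two PAN-OS CVEs and their stand-alone CVSS 4.0 scores are real; EXAMPLE-1,
the dates and the SLA values are sample values chosen for the demonstration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Vuln:
    cve: str
    cvss: float                       # score of the flaw taken in isolation
    needs: FrozenSet[str]             # attacker state required to exploit it
    gives: str                        # attacker state gained on success
    internet_facing: bool
    kev_added: Optional[date] = None  # CISA KEV listing date, None if unlisted


INVENTORY: List[Vuln] = [
    # auth bypass on the management web interface: network -> admin
    Vuln("CVE-2024-0012", 9.3, frozenset({"network"}), "admin", True, date(2024, 11, 18)),
    # privilege escalation: admin -> root; only medium on its own
    Vuln("CVE-2024-9474", 6.9, frozenset({"admin"}), "root", True, date(2024, 11, 18)),
    # constructed local bug with no unauthenticated path leading to it
    Vuln("EXAMPLE-1", 7.8, frozenset({"local_shell"}), "root", False),
]


def chain_audit(vulns: List[Vuln],
                start: FrozenSet[str] = frozenset({"network"})) -> Dict[str, float]:
    """Forward-chain from `start` and return {cve: chain_score} for every
    vulnerability an attacker can reach.

    A link inherits the highest stand-alone score of any upstream link whose
    post-condition it consumes, so the 6.9 privilege escalation is weighted
    as the 9.3 chain it completes. Vulnerabilities with no path from `start`
    are absent from the result.
    """
    state = set(start)
    reached: Dict[str, float] = {}
    progress = True
    while progress:
        progress = False
        for v in vulns:
            if v.cve in reached or not v.needs <= state:
                continue
            upstream = [reached[u.cve] for u in vulns
                        if u.cve in reached and u.gives in v.needs]
            reached[v.cve] = max([v.cvss] + upstream)
            state.add(v.gives)
            progress = True
    return reached


def patch_sla_hours(v: Vuln, chain_scores: Dict[str, float],
                    threshold: float = 9.0) -> int:
    """Decision-tree triage; the SLA hours are assumptions for the example.

    1. exploited in the wild (KEV)                                   -> 72 h
    2. reachable by an unauthenticated chain on an internet-facing host -> 72 h
    3. critical on its own                                           -> 7 days
    4. everything else                                               -> 30 days
    """
    if v.kev_added is not None:
        return 72
    if v.internet_facing and chain_scores.get(v.cve, 0.0) >= threshold:
        return 72
    if v.cvss >= threshold:
        return 7 * 24
    return 30 * 24


def kev_aging(vulns: List[Vuln], today: date, sla_hours: int = 72) -> List[dict]:
    """Aging report: days since KEV listing and whether the compressed SLA is blown."""
    rows = []
    for v in vulns:
        if v.kev_added is None:
            continue
        age_days = (today - v.kev_added).days
        rows.append({"cve": v.cve, "age_days": age_days,
                     "overdue": age_days * 24 > sla_hours})
    return rows


def triage_table(vulns: List[Vuln], threshold: float = 9.0) -> List[dict]:
    """Side by side: a CVSS-first gate versus the chain-aware decision tree."""
    scores = chain_audit(vulns)
    return [{"cve": v.cve, "cvss": v.cvss,
             "chain_score": scores.get(v.cve),
             "cvss_first_patch": v.cvss >= threshold,
             "sla_hours": patch_sla_hours(v, scores, threshold)}
            for v in vulns]


if __name__ == "__main__":
    for row in triage_table(INVENTORY):
        print(row)
    for row in kev_aging(INVENTORY, date(2024, 11, 25)):
        print(row)
```

Run as a script, the table shows the privilege escalation scoring 6.9 alone but 9.3 once the audit sees it sits behind the unauthenticated bypass; a CVSS-first gate at 9.0 would leave it for the standard cycle, whereas the decision tree puts it on the 72-hour SLA. The audit only propagates weight downstream; if you also want the bypass to inherit the worst state its chain reaches, add a backward pass over `gives`.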