Enhancing Cybersecurity through Strategic Vulnerability Prioritization

June 7, 2025

Executive Summary

Financial institutions face an overwhelming volume of vulnerabilities each year, many of which remain unpatched due to poor prioritization. This article highlights the growing need for financial entities to adopt a risk-based framework that enables them to focus remediation efforts on the most dangerous, actively exploited vulnerabilities.

Key takeaways:

  • Common Vulnerabilities and Exposures (CVE) have increased nearly 4x since 2015, surpassing 25,000 annually, making manual triage difficult.
  • Relying only on Common Vulnerability Scoring System (CVSS) scores leads to alert fatigue and ineffective remediation.
  • A U.S.-based bank applied our framework and achieved an 83% reduction in its backlog of Critical and High vulnerabilities, and resolved an active Matter Requiring Attention (MRA) from its regulator.
  • Effective vulnerability management is a process: scan → identify → prioritize → remediate → report.
  • Partnering with experts accelerates results and strengthens regulatory confidence.
  • Recent government action in April 2025 extended funding to preserve the CVE program and ensure uninterrupted operations—highlighting its critical role in global cybersecurity.
  • In May 2025, NIST proposed the Likely Exploited Vulnerabilities (LEV) metric to estimate which CVEs will likely be exploited. While promising, it is still under evaluation and not yet operational. NIST is seeking industry collaboration to validate its effectiveness.

Bottom line:

To stay ahead of today’s threat landscape, financial institutions must evolve from traditional vulnerability scanning to strategic, exploit-based prioritization.

Introduction

In today’s hyper-connected world, financial institutions face relentless cybersecurity threats. From ransomware campaigns to zero-day exploits, attackers are quicker than ever in leveraging unpatched vulnerabilities. Yet, one of the most under-addressed risks within many banks and financial entities is not the absence of a vulnerability management program but the lack of effective prioritization. With thousands of vulnerabilities reported each year, how can institutions distinguish between those that demand immediate action and those that can wait? The answer lies in adopting a risk-based vulnerability prioritization framework.

Historic Lessons in Vulnerability Exploitation

The urgency of proactive vulnerability management became globally evident with the WannaCry ransomware outbreak in May 2017, a campaign that crippled organizations worldwide, including banks, hospitals, and public services. The ransomware spread through an SMBv1 vulnerability in Microsoft Windows (fixed in MS17-010) using the EternalBlue exploit, which a group calling itself the Shadow Brokers had obtained from the U.S. National Security Agency (NSA) and published about a month earlier. The U.S. Department of Justice later attributed the campaign to North Korean state-sponsored actors, and the episode highlighted the devastating consequences of failing to patch known vulnerabilities. Microsoft had released the fix two months before the attack, yet the vulnerability remained unpatched on many systems, leading to damages estimated in the billions.

These events catalyzed a shift in vulnerability management strategies, pushing governments and organizations toward a more structured approach. One of the foundational milestones was the growth of the National Vulnerability Database (NVD), managed by the National Institute of Standards and Technology (NIST). Building on the identifiers assigned by the CVE program, the NVD adds severity metrics (CVSS), affected-product data, and searchable metadata for each vulnerability.

As seen in public data from CVE Details, published vulnerabilities have surged dramatically over the last decade. In 2015, around 6,500 CVEs were published. By 2020, that number exceeded 17,000; in 2023, it surpassed 25,000. As of early 2025, the current pace suggests a similar or even higher trend.

Possible factors contributing to these increases include:

  • Greater adoption of vulnerability disclosure programs.
  • Proliferation of connected devices and software.
  • Expansion of attack surfaces in cloud, IoT, and APIs.
  • Advances in automated vulnerability discovery tools.

This rapid growth has exposed a paradox: more information does not necessarily mean better security, especially if institutions lack the means to interpret and act on it effectively.

Recent Developments

A major development occurred in April 2025, when it was revealed that MITRE—a U.S.-based not-for-profit organization that operates federally funded cybersecurity programs—had its contract to manage the Common Vulnerabilities and Exposures (CVE) program set to expire on April 16. This sparked widespread concern over the continuity of this vital cybersecurity resource. The potential defunding of the CVE system threatened to disrupt vulnerability coordination across industries, software vendors, incident response teams, and critical infrastructure.

In response, on April 16, 2025, the Cybersecurity and Infrastructure Security Agency (CISA) stepped in to extend MITRE’s contract, ensuring the CVE program would continue uninterrupted. This last-minute intervention underscored the strategic importance of CVE tracking for public and private cybersecurity operations.

Simultaneously, the announcement of the CVE Foundation marked another pivotal shift. Formed by a group of CVE Board members, the non-profit Foundation is intended to ensure long-term sustainability, neutrality, and global trust in the CVE program by transitioning it into a more community-driven governance model. While the Foundation’s complete roadmap is still unfolding, its creation reflects growing recognition that vulnerability coordination must be decentralized to eliminate single points of failure.

International collaboration is also evolving. In May 2025, the European Union Agency for Cybersecurity (ENISA) launched the European Vulnerability Database (EUVD), a platform that aggregates multiple sources of vulnerability intelligence. This momentum highlights a global trend toward federated and transparent vulnerability-tracking ecosystems.

These developments reaffirm the role of CVE as a foundational tool for threat intelligence and vulnerability prioritization. They also reinforce the urgency for financial institutions to align with reliable, community-supported sources in their remediation strategies.

The Challenge: Volume Without Prioritization

Financial institutions, particularly large banks, often conduct vulnerability scans across hundreds of systems and applications. These scans can yield thousands of findings, many labeled as “critical” or “high.” However, not all vulnerabilities pose the same level of risk. For instance, a critical vulnerability on a disconnected test server is far less urgent than a medium-severity vulnerability that is actively exploited in the wild.

Without a clear prioritization framework, teams experience alert fatigue, overlook key threats, and take longer to resolve genuinely dangerous issues. Relying solely on CVSS scores is no longer sufficient. This realization prompted the Cybersecurity and Infrastructure Security Agency (CISA) to publish the Known Exploited Vulnerabilities (KEV) Catalog in November 2021, a list of vulnerabilities confirmed to be used in real-world attacks. Under Binding Operational Directive 22-01, federal civilian agencies must remediate each KEV entry by the due date listed for it, and the catalog has become a key reference point for cybersecurity programs across industries.

Evolving Metrics: NIST’s Proposed LEV Model

In May 2025, NIST released a white paper titled “Likely Exploited Vulnerabilities: A Proposed Metric for Vulnerability Exploitation Probability,” introducing the Likely Exploited Vulnerabilities (LEV) model. Unlike existing tools that either predict near-term exploitation (EPSS) or list confirmed exploited vulnerabilities (KEV), the LEV model estimates the probability that a vulnerability has already been exploited at some point in the past, derived from the history of its EPSS scores.

This model adds value to four key areas:

  • It provides a statistical estimate of the proportion of CVEs likely to have been exploited.
  • It enables the evaluation of KEV list completeness, identifying potential gaps.
  • It supplements remediation strategies where KEV lists are incomplete or unavailable.
  • It offers a data-driven way to adjust EPSS scores, which are known to underestimate the exploitation probability of CVEs that have already been exploited.

According to the NIST white paper, although tens of thousands of vulnerabilities are disclosed yearly, only about 5% are exploited in real-world attacks. Despite this, many organizations struggle to focus their remediation efforts on that critical subset, often spreading resources too thin across low-risk issues. At the same time, NIST points out that the CISA KEV list, the key reference for confirmed exploited vulnerabilities, covers just 0.5% of all CVEs. This gap suggests that numerous serious threats may go unrecognized, and it highlights the opportunity for LEV to help fill those blind spots by identifying vulnerabilities that are highly likely to have been exploited but are not yet included in KEV lists.

Importantly, NIST has not announced a formal implementation date for the LEV metric. It remains a proposed model that requires further validation. NIST actively seeks industry collaboration to test its effectiveness and determine its operational readiness. For now, LEV is a powerful conceptual tool to augment KEV and EPSS-based prioritization.
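To make the model concrete, the following Python is an added worked example written for this article; it is not code from the NIST paper or from our Firm. It applies the composition rule the white paper describes (each 30-day EPSS window is treated as an independent chance of exploitation, so the probability of never having been exploited is the product of the per-window complements, and a window cut short by the evaluation date is weighted by the fraction it covers) to a constructed EPSS history for a placeholder CVE, then flags CVEs whose LEV is high but which are absent from a KEV set. The EPSS values, CVE identifiers, KEV set and the 0.5 threshold are assumptions chosen for illustration.

```python
from datetime import date

WINDOW_DAYS = 30  # an EPSS score is a probability of exploitation in the next 30 days

# Constructed EPSS history for a hypothetical CVE: one observation per 30-day window.
# Real histories come from FIRST's EPSS API (one score per CVE per day); these are made up.
SAMPLE_EPSS_HISTORY = [
    ("2024-01-01", 0.01),
    ("2024-01-31", 0.02),
    ("2024-03-01", 0.15),
    ("2024-03-31", 0.40),
    ("2024-04-30", 0.35),
]


def lev(history, as_of):
    """Probability that the CVE was exploited at least once between the first
    observation and as_of (an ISO date string).

    P(never exploited) = product over windows of (1 - epss_i * weight_i), where
    weight_i is 1 for a full 30-day window and covered_days/30 for the window
    truncated by as_of. LEV is the complement of that product.
    """
    end = date.fromisoformat(as_of)
    p_not_exploited = 1.0
    for day_str, epss in sorted(history):  # ISO strings sort chronologically
        start = date.fromisoformat(day_str)
        if start >= end:
            break  # observation lies outside the evaluation period
        covered = min(WINDOW_DAYS, (end - start).days)
        p_not_exploited *= 1.0 - epss * (covered / WINDOW_DAYS)
    return 1.0 - p_not_exploited


def kev_gap_candidates(lev_scores, kev, threshold=0.5):
    """CVEs with LEV at or above threshold that are not in the KEV set, highest LEV first.
    The threshold is an assumption; the result is a triage queue, not proof of exploitation."""
    return sorted(
        (cve for cve, score in lev_scores.items() if score >= threshold and cve not in kev),
        key=lambda cve: -lev_scores[cve],
    )


if __name__ == "__main__":
    full = lev(SAMPLE_EPSS_HISTORY, "2024-05-30")     # five full windows
    partial = lev(SAMPLE_EPSS_HISTORY, "2024-05-15")  # last window only half covered
    peak = max(score for _, score in SAMPLE_EPSS_HISTORY)
    print(f"LEV through 2024-05-30: {full:.3f} (peak single EPSS was {peak:.2f})")
    print(f"LEV through 2024-05-15: {partial:.3f}")
    # Constructed LEV scores and KEV membership for three placeholder CVEs
    scores = {"CVE-2000-0001": 0.90, "CVE-2000-0002": 0.70, "CVE-2000-0003": 0.20}
    print("Not in KEV but likely exploited:", kev_gap_candidates(scores, {"CVE-2000-0001"}))
```

The sample shows why the white paper says a point-in-time EPSS score understates past exploitation: no single observation exceeds 0.40, yet the composed probability over five months is roughly 0.68. Treat a high LEV on a CVE that is missing from KEV as a reason to investigate and to raise its remediation priority, not as confirmation of an incident.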

A Framework Inspired by Real-World Impact

Drawing from direct experience working with financial institutions across the U.S. and Latin America, our Firm implemented a customized, risk-based vulnerability prioritization framework anchored in the KEV Catalog. At its core, the approach gives the highest priority to actively exploited vulnerabilities confirmed by authoritative threat intelligence sources such as CISA. Additional risk indicators include whether the vulnerability is exploitable with common attack tools and how long it has remained unresolved.

This strategic prioritization model enables organizations to focus on vulnerabilities that present the most significant immediate risk while avoiding the trap of overextending resources on lower-impact issues.

Case Study: Tangible Results from a U.S. Bank

One of the most compelling outcomes of this approach occurred at a prominent bank based in Miami, Florida. At the start of the engagement, the institution had a large backlog of Critical and High vulnerabilities, the vast majority of which were over a year old, indicating long-standing delays in remediation and a gap in communicating risk to executive leadership. After applying our framework:

  • Within three months, total Critical and High vulnerabilities were reduced by over 70%, with aged vulnerabilities dropping similarly.
  • Within five months, the total volume dropped by more than 80%, and aged vulnerabilities were reduced by nearly 87%.

These improvements highlighted a notable shift in patch discipline, operational accountability, and board-level visibility.

Notably, the bank’s regulator issued a Matter Requiring Attention (MRA) specifically related to its vulnerability management program deficiencies. Following the implementation of our framework and the measurable improvement in its risk posture, the regulator officially closed the MRA, recognizing the bank’s strengthened controls and remediation efforts. This transformation improved audit outcomes and executive visibility and enabled the security team to channel resources toward the most immediate threats instead of spreading themselves thin across hundreds of low-impact issues.

Recommendations for Financial Institutions

1. Incorporate Threat Intelligence: Integrate feeds like CISA KEV and EPSS (Exploit Prediction Scoring System) to enrich your vulnerability data.

2. Implement a Risk-Based Framework: Move beyond CVSS-based models and adopt multi-tier risk prioritization that accounts for exploitability and threat context.

3. Define and Operate an End-to-End Process: A complete vulnerability management lifecycle should include scanning, identification, prioritization using a risk-based framework, remediation based on priority, and consistent reporting to technical teams and executive leadership.

4. Automate and Track Remediation: Use dashboards and automation tools to ensure monthly tracking of remediation progress.

5. Engage Business Stakeholders: Involve application owners and risk managers in the vulnerability management lifecycle to ensure decisions align with business impact.

6. Rely on Expert Partners: Leverage specialized firms with experience designing and implementing custom frameworks to accelerate results and meet regulatory expectations.
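Recommendations 1 through 4, together with the framework outlined above (KEV membership first, then public exploit tooling and EPSS, then the time a finding has remained open), reduce to a small scoring routine. The following Python is an added example written for this article, not our Firm's implementation or any vendor's product: it assigns each scanner finding a tier, derives a due date from a per-tier SLA, escalates aged findings, and produces the per-tier and overdue counts a monthly dashboard would carry. The CVE identifiers, asset names, EPSS values, the 0.10 EPSS threshold, the SLA days and the 180-day escalation rule are constructed assumptions; in production the KEV set would be read from CISA's KEV JSON feed and EPSS scores from FIRST's EPSS API.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed stand-ins for the live feeds. The CVE IDs are placeholders, not real
# advisories; in production load KEV from CISA's JSON feed ("vulnerabilities"[]."cveID")
# and EPSS from the FIRST EPSS API.
KEV = {"CVE-2000-0001"}
EPSS = {"CVE-2000-0001": 0.92, "CVE-2000-0002": 0.31,
        "CVE-2000-0003": 0.004, "CVE-2000-0004": 0.02}
EXPLOIT_TOOLING = {"CVE-2000-0002"}  # assumed: a public exploit module exists for this CVE

# Policy knobs (assumptions; tune to the institution's risk appetite)
SLA_DAYS = {1: 14, 2: 30, 3: 90, 4: 180}  # tier -> days allowed to remediate
EPSS_HIGH = 0.10                            # EPSS at or above this counts as an exploitation signal
ESCALATE_AFTER_DAYS = 180                   # unresolved this long -> move up one tier


@dataclass(frozen=True)
class Finding:
    cve: str
    asset: str
    cvss: float
    internet_facing: bool
    first_seen: date


def tier_for(f, as_of, kev=KEV, epss=EPSS, tooling=EXPLOIT_TOOLING):
    """Tier 1: confirmed exploited (KEV). Tier 2: exploit tooling or high EPSS on an
    exposed asset. Tier 3: the same on an internal asset, or CVSS >= 7 with no
    exploitation signal. Tier 4: everything else. Age moves a finding up one tier."""
    if f.cve in kev:
        tier = 1
    elif f.cve in tooling or epss.get(f.cve, 0.0) >= EPSS_HIGH:
        tier = 2 if f.internet_facing else 3
    elif f.cvss >= 7.0:
        tier = 3
    else:
        tier = 4
    if (as_of - f.first_seen).days > ESCALATE_AFTER_DAYS and tier > 1:
        tier -= 1
    return tier


def prioritize(findings, as_of, kev=KEV, epss=EPSS, tooling=EXPLOIT_TOOLING):
    """One row per finding, ordered by tier and then by due date."""
    rows = []
    for f in findings:
        tier = tier_for(f, as_of, kev, epss, tooling)
        due = f.first_seen + timedelta(days=SLA_DAYS[tier])
        rows.append({
            "cve": f.cve, "asset": f.asset, "tier": tier, "cvss": f.cvss,
            "epss": epss.get(f.cve, 0.0),
            "age_days": (as_of - f.first_seen).days,
            "due": due.isoformat(), "overdue": as_of > due,
        })
    rows.sort(key=lambda r: (r["tier"], r["due"]))  # ISO dates sort chronologically
    return rows


def summarize(rows):
    """Figures a monthly report would carry: findings per tier and how many are past due."""
    by_tier = {t: 0 for t in SLA_DAYS}
    for r in rows:
        by_tier[r["tier"]] += 1
    return {"by_tier": by_tier, "overdue": sum(1 for r in rows if r["overdue"])}


# Constructed scan output. Note that the CVSS 9.8 on an internal test database ranks
# below the CVSS 6.1 KEV entry on the internet-facing VPN gateway.
AS_OF = date(2025, 6, 1)
SAMPLE_FINDINGS = [
    Finding("CVE-2000-0003", "test-db-07", 9.8, False, date(2025, 4, 1)),
    Finding("CVE-2000-0001", "vpn-01", 6.1, True, date(2025, 5, 20)),
    Finding("CVE-2000-0002", "web-gw-01", 7.5, True, date(2025, 1, 10)),
    Finding("CVE-2000-0004", "hr-app-02", 5.3, False, date(2024, 3, 1)),
]

if __name__ == "__main__":
    rows = prioritize(SAMPLE_FINDINGS, AS_OF)
    for r in rows:
        flag = "OVERDUE" if r["overdue"] else ""
        print(f"T{r['tier']} {r['cve']} {r['asset']:<11} cvss={r['cvss']} "
              f"epss={r['epss']:.3f} age={r['age_days']}d due={r['due']} {flag}")
    print(summarize(rows))
```

Two behaviours in the sample are worth noting. The medium-severity KEV entry on the VPN gateway lands in Tier 1 ahead of the CVSS 9.8 finding on the isolated test database, which is the inversion CVSS-only triage gets wrong. And the low-severity HR application finding, untouched for more than 180 days, is escalated to Tier 3 and shows as overdue, so aged items surface in the report instead of quietly persisting.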

Conclusion

Financial institutions must evolve from traditional vulnerability management to strategic prioritization in an era where time-to-exploit is measured in days or hours. With increasing regulatory pressure and rising threat complexity, adopting a framework grounded in real-world exploitability is no longer optional but essential.

Organizations must scan and detect vulnerabilities and be equipped to interpret, prioritize, and act on those findings effectively. This requires a comprehensive, risk-based lifecycle approach—from identification to remediation and executive reporting.

Building such a mature program internally can be resource-intensive and complex for many institutions. In these cases, working with external experts who bring proven methodologies and practical implementation experience can offer valuable support. They can help teams accelerate progress while maintaining a strong focus on risk reduction and regulatory alignment.

Institutions can reduce risk, optimize resources, and build resilience against the next wave of cyber threats by focusing efforts on what truly matters and leveraging strategic partnerships where needed.

Mijares Consulting