The modern software supply chain is operating under unprecedented pressure as new vulnerabilities emerge at a record pace. In 2024 alone, more than 33,000 new Common Vulnerabilities and Exposures (CVEs) have been reported – a record figure pushing security teams and developers to triage vulnerabilities at scale while trying to stay focused on their core vulnerabilities.
Yet, despite the high number of CVEs labelled “critical”, a closer look reveals that many of these threats aren’t nearly as severe in practice. In fact, recent research found that just 12% of these CVEs were flagged as “critical” by official sources truly warranted that designation.
This disconnect highlights a growing challenge for the cybersecurity industry. Although established CVE scoring systems like MITRE offer a useful baseline, they often fail to account for the unique context of each organization’s environment. As a result, teams risk focusing on theoretical risks while genuine threats may be overlooked.
Director of Threat Research at JFrog.
Take, for example, CVE-2024-45490 – a vulnerability in a widely used software tool that received a 9.8 CVSS Score. Although it received a “Critical” rating, further analysis and context revealed it is only applicable in 10% of cases. Exploiting this flaw would require a very specific and unlikely set of conditions for developers, making real-world exploitation extremely improbable.
To bring greater clarity to teams evaluating CVEs, security leaders should establish a checks and balances system of evaluating these threats with the necessary contextual analysis. This approach can help teams cut through the noise of low-risk vulnerabilities and ensure resources are directed toward their most pressing security problems.
Why context matters more than classification
A recent analysis of 140 high-profile CVEs revealed that 88% of Critical and 57% of High CVE scores were not as severe as the CVSS scoring would have you believe. Only 27 CVEs (15%) were found to be truly highly exploitable.
This highlights the importance of assessing the real-world context of CVEs. Without this information, misclassification can lead to alert fatigue, drain productivity and morale, and increase the risk of human error, which can cause more harm than the vulnerabilities themselves.
By factoring in aspects of the CVE like exploitability in their specific environment, exposure levels, and business impact, teams can make more informed decisions about which vulnerabilities demand immediate attention.
The toll on developers and security teams
The constant flood of security warnings and CVE disclosures makes it increasingly difficult to distinguish real threats from less urgent issues. Over time, this overwhelming volume of alerts can erode focus, leading to burnout, slower response times, and a greater likelihood of dangerous mistakes. As threat actors grow more sophisticated, the risk of critical issues slipping through the cracks only intensifies.
A major contributor to this fatigue is the prevalence of false positives. When security tools flag benign activity as malicious, analysts are still required to investigate these alerts to rule out real threats. Instead of focusing on building new features or improving existing products, developers are also often pulled away to respond to a barrage of other security notifications, many of which turn out to be inconsequential.
Ultimately, vulnerability fatigue not only hampers the effectiveness of security teams and developers alike but also puts organizations at greater risk of serious security incidents. To break this cycle, organizations need smarter, context-driven prioritization that empowers teams to focus on what truly matters.
A smarter way forward
The ever-growing list of CVEs demands a smarter, more strategic approach, one that goes beyond surface-level assessments. Context is king. By taking the time to understand how vulnerability applies to their unique environment, organizations can avoid unnecessary panic and instead zero in on risk.
Adopting a context-first mindset also facilitates better alignment between security leaders and business decision-makers. It supports a more measured, collaborative approach to risk that balances security with agility, resilience, and innovation.
In a world where every alert can feel like a fire drill, the ability to distinguish real threats from false alarms is more than a convenience. It’s a necessity.
We’ve listed the best firewalls for small business.
This article was produced as part of TechRadarPro’s Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here:
