A zero-day is dangerous not because it is sophisticated, but because the exposure window — the time between a flaw being usable and your environment being protected — is wide open. Closing that window is a prioritization problem, not a patching marathon.
The window is shrinking
The time from disclosure to exploitation has compressed dramatically. A large share of newly exploited vulnerabilities are weaponized within days, and many appear on watchlists at or before public disclosure. Internet-facing edge devices — VPNs, firewalls and file-transfer appliances — are disproportionately targeted because one flaw yields direct, unauthenticated access.
This is T1190 (Exploit Public-Facing Application) in its purest form.
Why CVSS alone fails
A CVSS 9.8 that nobody is exploiting is less urgent than a 7.5 with a public exploit hitting your sector today. Severity describes potential impact; it says nothing about likelihood. Effective prioritization combines three signals:
- Severity — CVSS base score.
- Exploitation — is it in the CISA KEV catalog, and what does EPSS predict?
- Exposure — how many of your assets are actually affected and reachable?
Defending during the window
Patching is the fix, but it is rarely instant. Compensating controls buy time:
- Virtual patching / WAF rules to block known exploit patterns.
- Network segmentation to limit blast radius.
- Attack-surface reduction — take the vulnerable service off the internet if you can.
- Targeted detection and threat-hunting for exploitation attempts.
Track CVE details against the National Vulnerability Database and your own asset inventory so "are we affected?" takes minutes, not days.
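A small ranking pass that applies the three signals (severity, exploitation, exposure) together with the inventory match described above, as an added example written for this page and not the author's tooling. The CVE ids, product tags and the 0.10 EPSS band cutoff are constructed placeholders.

```python
from dataclasses import dataclass

@dataclass
class Vuln:
    cve: str             # placeholder identifier, not a real CVE
    cvss: float          # CVSS base score (severity)
    in_kev: bool         # listed in CISA KEV (confirmed exploitation)
    epss: float          # EPSS probability of exploitation, 0.0..1.0
    products: frozenset  # product tags this flaw affects

@dataclass
class Asset:
    name: str
    product: str         # product tag from the asset inventory
    internet_facing: bool

def exposure(vuln, assets):
    """Match a flaw against the inventory: (affected assets, of which internet-facing)."""
    hit = [a for a in assets if a.product in vuln.products]
    return len(hit), sum(1 for a in hit if a.internet_facing)

def priority(vuln, assets):
    """Sort key. Flaws you do not run sink to the bottom regardless of score;
    otherwise KEV > EPSS band (assumed 0.10 cutoff) > reachable exposure > raw EPSS > CVSS."""
    total, facing = exposure(vuln, assets)
    if total == 0:
        return (0, 0, 0, 0.0, 0.0)
    tier = 3 if vuln.in_kev else (2 if vuln.epss >= 0.10 else 1)
    return (tier, facing, total, vuln.epss, vuln.cvss)

def rank(vulns, assets):
    """Highest priority first."""
    return sorted(vulns, key=lambda v: priority(v, assets), reverse=True)

# Constructed sample data: placeholder CVE ids and made-up product tags.
SAMPLE_VULNS = [
    Vuln("CVE-EXAMPLE-A", 9.8, False, 0.02, frozenset({"example-cms"})),   # high CVSS, nobody exploiting
    Vuln("CVE-EXAMPLE-B", 7.5, True, 0.60, frozenset({"example-vpn"})),    # in KEV, edge device
    Vuln("CVE-EXAMPLE-C", 10.0, True, 0.90, frozenset({"example-mft"})),   # in KEV, but not in our estate
]
SAMPLE_ASSETS = [
    Asset("cms-01", "example-cms", False),
    Asset("vpn-01", "example-vpn", True),
    Asset("vpn-02", "example-vpn", True),
    Asset("vpn-lab", "example-vpn", False),
]

if __name__ == "__main__":
    for v in rank(SAMPLE_VULNS, SAMPLE_ASSETS):
        total, facing = exposure(v, SAMPLE_ASSETS)
        print(f"{v.cve}: cvss={v.cvss} kev={v.in_kev} epss={v.epss} "
              f"affected={total} internet_facing={facing}")
```

In a real deployment the product tags would come from CPE matching against NVD data and your CMDB rather than hand-written strings. The ordering it produces is the page's argument in code: an exploited 7.5 on internet-facing VPNs outranks an unexploited 9.8, and a CVSS 10 you do not run ranks last.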
Key takeaways
- The exposure window is closing fast — assume days, not weeks, to weaponization.
- Prioritize on severity + exploitation (KEV/EPSS) + your real asset exposure.
- Compensating controls (WAF, segmentation, surface reduction) buy time before patching.
- A current asset inventory turns "are we affected?" into a minutes-long question.