Organizations that have managed vulnerability backlogs using CVSS-based prioritization may carry significant unrecognized exposure — not from new attacks, but from automated exploitation of risks they formally accepted. A successful breach through a deferred vulnerability could trigger regulatory scrutiny, given that regulators increasingly expect organizations to demonstrate that risk acceptance decisions remain current and defensible. The reputational consequence of a breach attributed to a known, unpatched vulnerability is severe: 'we knew and didn't fix it' is a difficult posture to defend to customers, partners, or a board.
You Are Affected If
Your organization maintains a vulnerability backlog with deferred or accepted-risk items rated medium or low on CVSS
Your environment includes unmaintained or end-of-life third-party components (CWE-1104), particularly in public-facing applications
Your vulnerability prioritization process relies primarily on CVSS base scores without integrating exploitation probability signals such as EPSS
Your compensating controls for deferred vulnerabilities were assessed against manual attacker capabilities rather than automated AI-assisted exploitation
Your environment includes software deployment tools or privileged access infrastructure exposed to exploitation via T1072 or T1068 attack paths
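As an added example (not code from the briefing), the following Python re-triage pass applies the signals listed above to a constructed deferred backlog: it re-opens accepted-risk items whose EPSS probability, internet exposure, privileged-infrastructure role, or end-of-life component status undermines the original CVSS-based deferral, and orders them for re-review. The thresholds, field names and sample findings are assumptions.

```python
from dataclasses import dataclass


@dataclass
class DeferredFinding:
    """One accepted-risk backlog item with the signals worth re-checking."""
    finding_id: str
    cvss_base: float          # CVSS base score used when the risk was accepted
    epss: float               # EPSS probability of exploitation within 30 days (0.0 to 1.0)
    internet_exposed: bool
    privileged_system: bool   # deployment tooling or privileged access infrastructure
    eol_component: bool       # unmaintained/end-of-life third-party component (CWE-1104)


# Thresholds are assumptions for this example, not values from the briefing.
EPSS_REVIEW_THRESHOLD = 0.10   # re-open the acceptance once exploitation probability reaches this
CVSS_DEFERRAL_CEILING = 6.9    # highest base score the old process allowed to be deferred


def invalidating_signals(f: DeferredFinding) -> list[str]:
    """Return the reasons the original acceptance no longer holds (empty if it still does)."""
    reasons = []
    if f.cvss_base > CVSS_DEFERRAL_CEILING:
        reasons.append("cvss_above_deferral_ceiling")   # should never have been deferred
    if f.epss >= EPSS_REVIEW_THRESHOLD:
        reasons.append("epss_above_threshold")
    if f.internet_exposed:
        reasons.append("internet_exposed")
    if f.privileged_system:
        reasons.append("privileged_system")
    if f.eol_component:
        reasons.append("eol_component")
    return reasons


def retriage(backlog: list[DeferredFinding]) -> list[tuple[str, list[str]]]:
    """Order items needing re-review: most signals first, then highest EPSS.
    Items with no invalidating signal are left deferred and omitted."""
    flagged = [(f, invalidating_signals(f)) for f in backlog]
    flagged = [(f, r) for f, r in flagged if r]
    flagged.sort(key=lambda fr: (-len(fr[1]), -fr[0].epss))
    return [(f.finding_id, r) for f, r in flagged]


# Constructed sample backlog (hypothetical findings, not real vulnerabilities).
SAMPLE_BACKLOG = [
    DeferredFinding("VULN-A", 5.3, 0.42, True, False, True),
    DeferredFinding("VULN-B", 4.0, 0.01, False, True, False),
    DeferredFinding("VULN-C", 6.5, 0.02, False, False, False),
    DeferredFinding("VULN-D", 7.5, 0.15, True, True, False),
]

if __name__ == "__main__":
    for fid, reasons in retriage(SAMPLE_BACKLOG):
        print(fid, ", ".join(reasons))
```

Real EPSS values change daily, so a pass like this belongs on a schedule rather than being run once at acceptance time.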
Board Talking Points
AI tooling is making old, previously low-risk vulnerabilities exploitable at scale — risks we formally accepted may no longer carry the assumptions under which we accepted them.
We should conduct an immediate review of vulnerability deferrals, prioritizing internet-exposed and privileged systems, with findings reported to the board within 60 days.
If we do not re-evaluate accepted risks against the current threat environment, we face the possibility of a breach through a known vulnerability — a position that is difficult to defend to regulators, customers, and the board.