
CISA Introduces New Patching Model for Federal Agencies: Prioritization Over Completeness


Bottom line: CISA defines a new vulnerability prioritization model requiring vulnerabilities with three or more risk characteristics—internet exposure, active exploitation, automatable exploits, or high post-exploitation impact—to be patched within three days, marking a shift away from pure CVSS-based prioritization.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has introduced a new framework for patch prioritization through Binding Operational Directive 26-04. It replaces sole reliance on severity scores with a system that accounts for four concrete risk factors.

The new directive responds to an escalating threat landscape: according to Verizon’s 2026 Data Breach Investigations Report, organizations patched only 26% of actively exploited vulnerabilities in full during 2024—a decline from 38% in the previous year. The median remediation time for these known risks is 43 days, while attackers have narrowed their exploitation window to days or hours.

BOD 26-04 relies on four concrete criteria for risk assessment: public internet reachability of the affected system, listing in CISA’s Known Exploited Vulnerabilities (KEV) catalog, whether exploitation can be automated, and the level of control an attacker gains after successful exploitation. Vulnerabilities exhibiting at least three of these attributes must be patched within three days. Vulnerabilities with a lower risk profile can be addressed over a longer term or deferred until the next major release.

Chris Butera, Acting Executive Assistant Director for Cybersecurity at CISA, justified the shift by noting that artificial intelligence now enables attackers to identify and exploit vulnerabilities at scale and partly autonomously. Defenders cannot afford to spend weeks patching systems that may already be compromised. CVSS severity scores have proven to be poor predictors of actual exploitation—a conclusion also reached by security research from the RAND Corporation and representatives of the FIRST community.
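To make the prioritization rule concrete, here is a small triage script that applies the four criteria and the three-day threshold to a constructed inventory and shows how the resulting order diverges from a plain CVSS sort. This is an added example, not CISA's tooling or the text of the directive; the identifiers are placeholders, and the 90-day figure for lower-risk items is an assumed placeholder, since the article gives no fixed deadline for that tier.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass(frozen=True)
class Vuln:
    cve: str                  # placeholder identifier, not a real CVE
    cvss: float               # kept only to contrast with the criteria-based ranking
    internet_reachable: bool  # affected system reachable from the public internet
    in_kev: bool              # listed in CISA's KEV catalog (actively exploited)
    automatable: bool         # exploitation can be automated
    high_impact: bool         # high level of control after successful exploitation

URGENT_THRESHOLD = 3   # three or more criteria -> three-day deadline (BOD 26-04)
URGENT_DAYS = 3
DEFERRED_DAYS = 90     # assumed placeholder; the directive only says "longer-term"

def risk_criteria_met(v: Vuln) -> int:
    """Count how many of the four BOD 26-04 risk characteristics apply."""
    return sum((v.internet_reachable, v.in_kev, v.automatable, v.high_impact))

def remediation_days(v: Vuln) -> int:
    """Days allowed for remediation under the threshold rule."""
    return URGENT_DAYS if risk_criteria_met(v) >= URGENT_THRESHOLD else DEFERRED_DAYS

def remediation_deadline(v: Vuln, discovered: date) -> date:
    return discovered + timedelta(days=remediation_days(v))

def triage(vulns, discovered: date):
    """Order by deadline, then by criteria count, with CVSS only as a tie-breaker."""
    return sorted(
        vulns,
        key=lambda v: (remediation_deadline(v, discovered), -risk_criteria_met(v), -v.cvss),
    )

# Constructed sample inventory (not real findings).
SAMPLE = [
    Vuln("CVE-EXAMPLE-0001", 9.8, False, False, False, True),  # critical CVSS, internal only
    Vuln("CVE-EXAMPLE-0002", 6.5, True, True, True, False),    # medium CVSS, three criteria
    Vuln("CVE-EXAMPLE-0003", 7.2, True, True, True, True),     # all four criteria
]
SAMPLE_DATE = date(2026, 6, 10)

if __name__ == "__main__":
    for v in triage(SAMPLE, SAMPLE_DATE):
        print(v.cve, f"criteria={risk_criteria_met(v)}", remediation_deadline(v, SAMPLE_DATE))
```

A pure CVSS sort would put CVE-EXAMPLE-0001 first; the criteria-based order puts it last, which is the shift the directive describes.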


Source: www.csoonline.com · Published June 10, 2026
Lumi AI News — AI-assisted curation pursuant to Article 50 of the EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.6.5.
