The short answer. Prioritize patches by exposure (internet-facing and identity systems first), then by exploitability signals (observed exploitation, exploit maturity), then by asset criticality and blast radius. CVSS helps describe severity, but it’s not a schedule.

Published · HI Tech Hui · ~6 min read

Why this matters for Hawaii businesses

Most organizations don't fail at patching because they don't care. They fail because the backlog is larger than the change windows, the maintenance windows are shared with production uptime needs, and critical systems are owned by multiple vendors. In managed IT, the difference between a stable environment and an incident is often one decision: what gets patched first.

Microsoft put it plainly in its May 2026 Patch Tuesday guidance: “Triage by exposure and impact, not raw count.” and “Beyond CVSS, the Security Update Guide also publishes the Exploitability Index, public exploit code status, and observed exploitation — use the full set of signals when prioritizing.” (Microsoft MSRC)

CVSS is a severity score, not a work plan

CVSS is useful, but it is intentionally generic. It cannot tell you whether:

  • The vulnerable component is reachable from the internet in your environment.
  • An exploit exists and is being used today.
  • The vulnerable host is a tier-0 identity system where compromise becomes enterprise compromise.
  • You can patch safely without breaking business-critical workflows.

That's why high-performing vulnerability management programs treat CVSS as one input — and then apply context.

The three signals that should drive patch triage

1) Exposure: can an attacker reach it?

Start with reachability. Vulnerabilities on internet-facing systems should move to the front of the line — especially when the attack requires no authentication. The most common places we see exposure in SMB and mid-market environments:

  • Remote access: VPN gateways, RDS/RD Gateway, VDI portals, and admin consoles.
  • Email and collaboration: Microsoft 365 identity connectors, legacy mail services, and third-party email security gateways.
  • Public web apps and APIs: CMS plugins, customer portals, and line-of-business applications.

Rule of thumb: if the system has a public DNS record and listens on the internet, it belongs in your urgent patch lane by default.

2) Exploitability signals: is it likely to be used?

Exploitability signals are the missing bridge between "bad in theory" and "bad in practice." Microsoft's Security Update Guide includes additional indicators beyond CVSS, including exploitability and whether exploitation has been observed (Microsoft MSRC).

For most environments, you can make patch decisions using three yes/no questions:

  • Observed exploitation: is it being exploited in the wild?
  • Exploit code: is there public exploit code or a clear exploitation path?
  • Preconditions: does exploitation require authentication, user clicks, or unusual conditions?

3) Asset criticality and blast radius: what happens if it falls?

Not all systems are equal. Some systems are tier-0: identity, authentication, device management, backup, and security tooling. A compromise there is rarely a single-host event — it becomes a business event.

In practical terms, prioritize patching on:

  1. Identity infrastructure: domain controllers, federation, and Entra Connect/Sync.
  2. Security controls: EDR management servers, SIEM collectors, and admin portals.
  3. Backups: backup servers, repositories, immutable storage controllers.
  4. Core business systems: ERP/POS, scheduling, and patient/customer data platforms.

A simple patch-triage model you can operationalize

If you need a lightweight system for a weekly cadence, use three lanes. This works well for small IT teams and outsourced IT Services engagements.

Lane A: Patch inside 72 hours

Lane B: Patch inside 7 days

  • High severity vulnerabilities on internal servers
  • Endpoint vulnerabilities with reliable detection/mitigation in place
  • Issues with clear compensating controls (segmentation, strict firewalling, feature disablement)

Lane C: Patch in the normal cycle (but track)

  • Low exposure systems
  • Vulnerabilities requiring rare conditions or strong prerequisites
  • Updates with high operational risk that need staged testing

What to do when you can’t patch immediately

Sometimes patching is blocked by vendor support, application dependencies, or a narrow change window. Don't let "can't patch" become "can't reduce risk." Use compensating controls that are defensible and measurable:

  • Reduce exposure: remove internet reachability; enforce VPN; restrict by IP; close ports.
  • Tighten identity: MFA, separate admin accounts, least privilege. Microsoft explicitly calls out MFA and separated admin accounts as high-leverage controls (Microsoft MSRC).
  • Segment: isolate admin and server networks; block lateral movement paths.
  • Increase detection: ensure logs are centralized; alert on admin logons, new services, and suspicious authentication activity.
  • Write it down: assign an owner, a target date, and the compensating control. If it’s not documented, it’s not managed.

FAQ: patch prioritization for executives

How do I know we're making progress?

Ask for two numbers every week: (1) the count of Lane A items older than 72 hours, and (2) the percentage of tier-0 assets fully patched and rebooted. If either number is moving in the wrong direction, you need help.
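The three-lane model above and the two weekly numbers from this FAQ, as an added worked example (not HI Tech Hui's tooling). The article does not list Lane A's criteria, so the rule used for Lane A here is an assumption drawn from the three signals: internet-facing by default, or tier-0 with a live exploitation signal, with a documented compensating control demoting the item to Lane B; the host names and findings are constructed.

```python
from dataclasses import dataclass

@dataclass
class Vuln:
    asset: str
    internet_facing: bool           # signal 1: exposure
    exploited_in_wild: bool         # signal 2: observed exploitation
    public_exploit: bool            # signal 2: public exploit code
    needs_auth_or_click: bool       # signal 2: preconditions
    tier0: bool                     # signal 3: identity, security tooling, backup
    compensating_control: bool      # segmentation, strict firewalling, feature off
    high_change_risk: bool = False  # update needs staged testing
    age_hours: int = 0              # hours since the item entered its lane
    patched_and_rebooted: bool = False

def assign_lane(v: Vuln) -> str:
    """Return 'A' (72 h), 'B' (7 days) or 'C' (normal cycle)."""
    likely_used = v.exploited_in_wild or (v.public_exploit and not v.needs_auth_or_click)
    # ASSUMED Lane A rule (the article lists only Lanes B and C): internet-facing
    # by default, or tier-0 with a live exploitation signal. A documented
    # compensating control drops the item to Lane B, per the Lane B list.
    if (v.internet_facing or (v.tier0 and likely_used)) and not v.compensating_control:
        return "A"
    # Lane C: strong preconditions with no exploitation signal, or high operational risk.
    if (v.needs_auth_or_click and not likely_used) or v.high_change_risk:
        return "C"
    return "B"  # internal high-severity items and mitigated exposures

def weekly_metrics(vulns: list) -> dict:
    """The two FAQ numbers: overdue Lane A items and tier-0 patch coverage."""
    overdue = sum(1 for v in vulns if assign_lane(v) == "A" and v.age_hours > 72)
    tier0_assets = {v.asset for v in vulns if v.tier0}
    fully_patched = sum(
        1 for a in tier0_assets
        if all(v.patched_and_rebooted for v in vulns if v.asset == a)
    )
    pct = round(100 * fully_patched / len(tier0_assets)) if tier0_assets else 100
    return {"lane_a_overdue": overdue, "tier0_patched_pct": pct}

# Constructed sample inventory (hypothetical hosts, not real findings).
SAMPLE = [
    Vuln("vpn-gw01", True, True, True, False, False, False, age_hours=96),
    Vuln("dc01", False, True, True, False, True, False, age_hours=24),
    Vuln("dc02", False, False, False, True, True, False, patched_and_rebooted=True),
    Vuln("erp-app01", False, False, False, False, False, False, high_change_risk=True),
    Vuln("file01", False, False, False, False, False, False),
    Vuln("cust-portal", True, False, True, False, False, True),  # IP-restricted at the firewall
]

if __name__ == "__main__":
    for v in SAMPLE:
        print(f"{v.asset:12} lane {assign_lane(v)}")
    print(weekly_metrics(SAMPLE))
```

Running it shows the overdue VPN gateway as the one Lane A item past 72 hours and tier-0 coverage at 50%, the two numbers to ask for each week.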

What should we outsource vs. keep in-house?

Many organizations keep business scheduling and change approval internal, and outsource the operational work: endpoint patching, vulnerability scanning, patch verification, and 24/7 monitoring. That split tends to work well for Hawaii SMBs that need predictable uptime.

If you want this triage model operationalized — with patch verification, asset inventory, and monitoring — HI Tech Hui can help through our managed IT and cybersecurity services, including our SOC. Contact us for a readiness review.


HI Tech Hui team