A Singapore-based financial services company ran quarterly vulnerability scans across its 2,400-host environment and received 14,300 findings. The security team prioritised remediation based on CVSS scores — fixing all Critical and High severity vulnerabilities first. They were confident in their approach until a Red Team engagement revealed that the most damaging simulated breach path began not through a CVSS 9.8 remote code execution vulnerability on an internet-facing server — which the team had already patched — but through a CVSS 4.3 cross-site scripting vulnerability in an internal HR portal that had been deprioritised for six months because it carried a Medium severity rating. The attacker used the XSS to steal an HR administrator's session cookie, escalated to domain admin through a service account with excessive privileges, and moved laterally across the production environment. The CVSS score had correctly assessed the vulnerability's technical severity. It had said nothing about its actual exploitability in context, its position in the attack chain, or the damage that could result from it.
This is the fundamental problem with vulnerability management programmes that rely exclusively on CVSS scores: severity and risk are not the same thing. A CVSS 9.8 vulnerability on an isolated internal system that requires local network access and specific preconditions poses far less actual risk than a CVSS 4.3 vulnerability on an internet-facing application that can be exploited by any anonymous user. And yet organisations that manage their vulnerability programmes purely by CVSS severity will consistently deprioritise the latter in favour of the former — until the red team or an actual incident demonstrates the flaw in that logic.
Why CVSS Scores Alone Are Insufficient for Singapore Enterprises
The Common Vulnerability Scoring System was designed as a standardised framework for describing the technical characteristics of a vulnerability — exploitability, impact, scope, and collateral damage potential. It was not designed as a prioritisation tool for resource-constrained security teams. The CVSS Base Score reflects intrinsic properties of the vulnerability, not the contextual factors that determine whether that vulnerability represents an actual risk to a specific organisation at a specific point in time.
For Singapore enterprises, this distinction matters particularly because of how the threat landscape differs from global assumptions embedded in CVSS scoring. The Exploit Prediction Scoring System (EPSS), which estimates the probability that a vulnerability will be exploited in the wild within the next 30 days, shows that fewer than 15% of CVSS High and Critical vulnerabilities are ever actively exploited in Singapore's specific threat environment. The remaining 85% consume remediation resources that could be directed toward vulnerabilities that threat intelligence indicates are actually being targeted.
Singapore's regulatory environment adds another dimension to vulnerability prioritisation. MAS TRM guidelines require financial institutions to maintain effective vulnerability management programmes — but the guidelines do not prescribe that all Critical CVSS vulnerabilities must be remediated within a specific timeframe regardless of context. The CII Governance Standards under the Cybersecurity Act similarly require risk-based approaches that account for the criticality of the affected system. A vulnerability management programme that cannot demonstrate risk-based prioritisation — not just CVSS-based triage — will face regulatory scrutiny when assessed against these standards.
Building a Risk-Based Vulnerability Prioritisation Framework
A mature vulnerability management programme combines multiple data sources to produce a risk-prioritised view of the vulnerability landscape. The following framework reflects the approach we use with Singapore enterprise clients.
Step 1: Threat Intelligence Integration — Know What Is Being Exploited
The first layer of prioritisation should be threat intelligence. CISA's Known Exploited Vulnerabilities (KEV) catalogue identifies vulnerabilities that have been confirmed as actively exploited in real-world attacks. The EPSS provides probability-of-exploitation estimates updated daily based on current exploitation patterns. Singapore enterprises should weight remediation of KEV-listed vulnerabilities highest — regardless of their CVSS score — because the evidence of active exploitation means the vulnerability is not theoretical. A CVSS 6.5 vulnerability that appears on the KEV catalogue represents a higher actual risk than a CVSS 9.1 vulnerability that has never been exploited.
Step 2: Asset Criticality — Understand What You Are Protecting
Not all assets are equal. A vulnerability on a public-facing web server that processes personal data carries a different risk profile than the same vulnerability on an isolated laboratory workstation. Singapore enterprises should maintain an asset inventory with data classification labels — critical, high, medium, low — and factor the criticality of the vulnerable asset directly into remediation priority. A system that processes personal data under the PDPA, or a system designated as critical infrastructure under the Cybersecurity Act, should elevate the priority of any vulnerability found on it, regardless of its CVSS score.
Step 3: Exposure Context — Is the Vulnerability Actually Reachable?
A vulnerability that cannot be reached by an attacker — because it is behind a firewall, requires local access, or is only exploitable under specific conditions that do not exist in your environment — may warrant lower priority than the CVSS score suggests. Exposure context assessment requires understanding your network architecture, your authentication requirements, your network segmentation, and your existing compensating controls. A vulnerability on an internet-facing system is categorically different from the same vulnerability on an air-gapped internal system. Both should be fixed — but the former should be fixed first.
Step 4: Attack Path Analysis — Where Does This Vulnerability Sit in the Attack Chain?
The most sophisticated vulnerability management programmes use attack path analysis to understand how a vulnerability connects to the overall kill chain. A vulnerability that is reachable only from within the trusted network segment, after an attacker has already obtained domain administrator credentials, poses less incremental risk than a vulnerability that provides the initial entry point into the environment. Tools that model attack paths, including mapping each vulnerability to the MITRE ATT&CK techniques it enables, can help security teams understand which vulnerabilities create the most dangerous potential attack chains in their specific environment.
PDPA and MAS Compliance Note: For Singapore financial institutions and organisations processing significant volumes of personal data, the PDPA requires reasonable security arrangements to protect personal data against unauthorised access, collection, use, or disclosure. A vulnerability management programme that can demonstrate systematic, risk-based remediation — not just High/Critical CVSS scoring — provides stronger evidence of compliance than one that patches selectively based on severity scores alone. Regulators assessing your security programme will look for evidence of ongoing operational security, not just audit-time remediation.
A Practical Remediation Prioritisation Framework for Singapore Enterprises
Based on the above analysis, we recommend a four-factor risk score for each vulnerability:
- Threat Factor (40%): Is this vulnerability on CISA KEV? What is the EPSS score? Is there evidence of active exploitation targeting Singapore or Southeast Asian organisations? Active exploitation or KEV listing = immediate priority regardless of other factors.
- Asset Factor (30%): What is the classification of the affected asset? Is it internet-facing? Does it process personal data or financial information? Does it support critical business operations? Higher asset criticality elevates priority.
- Exposure Factor (20%): Is the vulnerable service accessible from the internet? From the internal corporate network? From the OT environment? Is there a compensating control that reduces exploitability? Higher exposure elevates priority.
- Technical Factor (10%): What is the CVSS score? What is the CVSS vector — particularly the Attack Vector and Privileges Required components? Higher CVSS with a network-accessible, low-privilege-exploitation profile warrants higher priority than CVSS alone would suggest.
Applying this four-factor framework to the 14,300 findings in the financial services scenario above would have immediately elevated the CVSS 4.3 XSS vulnerability on the internal HR portal, because the HR portal processed personal data and was accessible to all employees, including the HR administrator whose stolen session cookie was the entry point for the breach path. It would also have deprioritised a CVSS 9.1 remote code execution vulnerability on an isolated, hardware-secured management interface that required physical access to exploit.
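The four-factor score expressed as runnable Python, added here as an illustration rather than the firm's own tooling: the 40/30/20/10 weights and the KEV override come from the list above, while the asset, exposure and attack-vector sub-scales, the placeholder CVE ids and the two constructed findings (mirroring the HR portal XSS and the management-interface RCE) are assumptions made for the example.

```python
from dataclasses import dataclass

KEV_CATALOGUE = {"CVE-0000-0001"}  # constructed sample; load CISA's KEV JSON in practice
ASSET_CLASS = {"critical": 1.0, "high": 0.75, "medium": 0.5, "low": 0.25}
EXPOSURE = {"internet": 1.0, "internal": 0.6, "ot": 0.5, "physical": 0.1}
ATTACK_VECTOR = {"N": 1.0, "A": 0.7, "L": 0.4, "P": 0.2}  # CVSS AV metric
PRIV_REQUIRED = {"N": 1.0, "L": 0.7, "H": 0.4}            # CVSS PR metric

@dataclass
class Finding:
    cve: str
    cvss: float
    vector: str                       # CVSS v3.1 vector string
    asset_class: str                  # data classification label of the host
    exposure: str                     # where the vulnerable service is reachable from
    epss: float                       # 30-day exploitation probability, 0..1
    processes_pii: bool = False       # PDPA-scoped personal data on the asset
    compensating_control: bool = False
    actively_exploited: bool = False  # regional threat-intel evidence

def cvss_component(vector: str, metric: str) -> str:
    """Return one metric value (e.g. 'AV' -> 'N') from a CVSS vector string."""
    return dict(p.split(":") for p in vector.split("/")[1:])[metric]

def asset_factor(f: Finding) -> float:
    base = ASSET_CLASS[f.asset_class]
    return max(base, 0.9) if f.processes_pii else base  # personal data elevates

def exposure_factor(f: Finding) -> float:
    return EXPOSURE[f.exposure] * (0.5 if f.compensating_control else 1.0)

def technical_factor(f: Finding) -> float:
    # CVSS weighted by how reachable and how privileged the exploit path is.
    av = ATTACK_VECTOR[cvss_component(f.vector, "AV")]
    pr = PRIV_REQUIRED[cvss_component(f.vector, "PR")]
    return f.cvss / 10.0 * av * pr

def risk_score(f: Finding) -> float:
    """0..100; KEV listing or active exploitation short-circuits to the top."""
    if f.cve in KEV_CATALOGUE or f.actively_exploited:
        return 100.0
    total = (0.40 * f.epss + 0.30 * asset_factor(f)
             + 0.20 * exposure_factor(f) + 0.10 * technical_factor(f))
    return round(total * 100, 1)

# Constructed findings mirroring the two cases in the text (placeholder CVE ids).
HR_PORTAL_XSS = Finding("CVE-0000-0002", 4.3, "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
                        "high", "internal", epss=0.02, processes_pii=True)
MGMT_IFACE_RCE = Finding("CVE-0000-0003", 9.1, "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
                         "medium", "physical", epss=0.01)
```

With these scales the internal HR portal XSS scores about 44 and the physically isolated RCE about 27, reversing the order a CVSS-only sort would produce; any KEV-listed finding scores 100 regardless of its CVSS.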
Know Which Vulnerabilities to Fix First
Building a risk-based vulnerability management programme requires the right data sources, the right tooling, and the right framework. Infinite Cybersecurity helps Singapore enterprises implement vulnerability management programmes that go beyond CVSS scoring — integrating threat intelligence, asset criticality, and exposure context to produce prioritised remediation plans that reflect actual risk. We also offer dedicated VAPT services with Singapore-context threat intelligence to help you understand which vulnerabilities matter most in your specific environment.
The Continuous Process
Vulnerability management is not a quarterly scan-and-patch cycle. It is a continuous process of discovery, prioritisation, remediation, and verification that must keep pace with the threat landscape. New vulnerabilities are disclosed daily. New assets are deployed weekly. New attack techniques are published monthly. A vulnerability management programme that produces a prioritised list once a quarter and then waits for the next cycle will always be behind the threat actors targeting Singapore enterprises.
The organisations that manage this best treat vulnerability management as an operational discipline — with defined SLAs for each priority tier, automated scanning and alerting, integration with threat intelligence feeds, and regular review of the prioritisation framework itself to ensure it reflects current threat intelligence. The goal is not to fix every vulnerability. It is to fix the right vulnerabilities first — and to demonstrate, credibly, that you have a defensible, risk-based rationale for every remediation decision you make.