CVSS Scores Failed: Chained CVEs Gave Root Access to 13K ...
During Operation Lunar Peek, attackers exploited two seemingly manageable CVEs to gain root access across 13,000 Palo Alto devices. The culprit? A vulnerability scoring system never designed for how adversaries actually attack.
When Do Vulnerability Scores Miss the Kill Chain?
Learn more about nasa's moonfall drones to scout lunar south pole in 2025
During Operation Lunar Peek in November 2024, attackers gained unauthenticated remote admin access across more than 13,000 exposed Palo Alto Networks management interfaces. They achieved eventual root access by exploiting two CVEs that CVSS scored as manageable threats when evaluated separately.
Palo Alto Networks scored CVE-2024-0012 at 9.3 and CVE-2024-9474 at 6.9 under CVSS v4.0. The National Vulnerability Database scored the same pair 9.8 and 7.2 under CVSS v3.1. Two scoring systems delivered two different answers for identical vulnerabilities.
The 6.9 score fell below most enterprise patch thresholds. Admin access appeared required for exploitation. The 9.3 sat queued for routine maintenance. Network segmentation would supposedly hold the line.
It didn't.
What Chain Did CVSS Never See?
CVE-2024-0012 bypassed authentication completely. CVE-2024-9474 escalated privileges to root level. Scored separately under both CVSS versions, the escalation flaw filtered below patch thresholds because admin access appeared required as a prerequisite.
The authentication bypass upstream eliminated that prerequisite entirely. Neither score communicated the compound effect when adversaries chained them together.
"Adversaries circumvent [severity ratings] by chaining vulnerabilities together," Adam Meyers, SVP of Counter Adversary Operations at CrowdStrike, told VentureBeat in an exclusive interview on April 22, 2026. On the triage logic that missed the chain: "They just had amnesia from 30 seconds before."
Both CVEs now sit on the CISA Known Exploited Vulnerabilities catalog. Neither score flagged the kill chain potential. The triage logic that consumed those scores treated each CVE as an isolated event, and so did the SLA dashboards and board reports those dashboards feed.
Why Does CVSS Work Exactly as Designed (And Why Is That the Problem)?
CVSS did exactly what it was designed to do: score one vulnerability at a time. The problem is that adversaries do not attack one vulnerability at a time.
"CVSS base scores are theoretical measures of severity that ignore real-world context," wrote Peter Chronis, former CISO of Paramount and a security leader with Fortune 100 experience. By moving beyond CVSS-first prioritization at Paramount, Chronis reported reducing actionable critical and high-risk vulnerabilities by 90%.
Chris Gibson, executive director of FIRST, the organization that maintains CVSS, has been equally direct: using CVSS base scores alone for prioritization is "the least apt and accurate" method, Gibson told The Register.
FIRST's own EPSS and CISA's SSVC decision model address part of this gap by adding exploitation probability and decision-tree logic. But those tools still operate within a framework built for individual vulnerability assessment.
For a deep dive on samsung foldable phone ban: patent lawsuit explained, see our full guide
What Volume Crisis Drives the Scoring Crisis?
In 2025, 48,185 CVEs were disclosed, a 20.6% year-over-year increase. Jerry Gamblin, principal engineer at Cisco Threat Detection and Response, projects 70,135 for 2026.
For a deep dive on ai should elevate your thinking, not replace it, see our full guide
The infrastructure behind the scores is buckling under that weight. NIST announced on April 15 that CVE submissions have grown 263% since 2020. The NVD will now prioritize enrichment for KEV and federal critical software only.
Non-KEV submissions get no enrichment. No CVSS analysis. No exploitability assessment. Just a CVE number and a description.
What Five Triage Failure Classes Was CVSS Never Designed to Catch?
1. When Do Chained CVEs Look Safe Until They're Not?
The Palo Alto pair from Operation Lunar Peek is the textbook example. Meyers described the operational psychology: teams assessed each CVE independently, deprioritized the lower score, and queued the higher one for maintenance.
Meanwhile, adversaries combined them into a complete attack path from unauthenticated access to root control. The compound risk never appeared in any dashboard, SLA tracker, or board report.
2. How Fast Do Nation-State Adversaries Weaponize Patches?
The CrowdStrike 2026 Global Threat Report documented a 42% year-over-year increase in vulnerabilities exploited as zero-days before public disclosure. Average breakout time across observed intrusions: 29 minutes. Fastest observed breakout: 27 seconds.
China-nexus adversaries weaponized newly patched vulnerabilities within two to six days of disclosure.
"Before it was Patch Tuesday once a month. Now it's patch every day, all the time. That's what this new world looks like," said Daniel Bernard, Chief Business Officer at CrowdStrike.
A KEV addition treated as a routine queue item on Tuesday becomes an active exploitation window by Thursday. CVSS scores contain no temporal component that reflects this weaponization velocity.
3. How Long Do Nation-State Actors Stockpile CVEs?
Salt Typhoon accessed senior U.S. political figures' communications during the presidential transition by chaining CVE-2023-20198 with CVE-2023-20273 on internet-facing Cisco devices. Both were patched in October 2023 and remained unapplied more than a year later.
Sixty-seven percent of vulnerabilities exploited by China-nexus adversaries in 2025 were remote code execution flaws providing immediate system access, according to the CrowdStrike 2026 Global Threat Report.
CVSS does not degrade priority based on how long a CVE has gone unpatched. No board metric tracks aging KEV exposure. That silence is the vulnerability.
4. What Identity Gaps Never Enter the Scoring System?
A 2023 help desk social engineering call against a major enterprise produced more than $100 million in losses. No CVE was assigned. No CVSS score existed. No patch pipeline entry was created.
The vulnerability was a human process gap in identity verification, sitting entirely outside the scoring system's aperture.
"A pro needs a zero day if all you have to do is call the help desk and say I forgot my password," Meyers said.
Agentic AI systems now carry their own identity credentials, API tokens, and permission scopes, operating outside traditional vulnerability management governance. Merritt Baer, CSO at Enkrypt AI, has argued on record that identity-surface controls are vulnerability equivalents belonging in the same reporting pipeline as software CVEs.
In most organizations, help desk authentication gaps and agentic AI credential inventories live in a separate governance silo. In practice, nobody's governance.
5. How Does AI-Accelerated Discovery Break Pipeline Capacity?
Anthropic's Claude Mythos Preview demonstrated autonomous vulnerability discovery, finding a 27-year-old signed integer overflow in OpenBSD's TCP SACK implementation across roughly 1,000 scaffold runs at a total compute cost under $20,000.
Meyers offered a thought-experiment projection in the exclusive interview with VentureBeat: if frontier AI drives a 10x volume increase, the result is approximately 480,000 CVEs annually.
Pipelines built for 48,000 break at 70,000 and collapse at 480,000. NVD enrichment is already gone for non-KEV submissions.
"If the adversary is now able to find vulnerabilities faster than the defenders or the business, that's a huge problem, because those vulnerabilities become exploits," said Bernard.
CrowdStrike on Thursday launched Project QuiltWorks, a remediation coalition with Accenture, EY, IBM Cybersecurity Services, Kroll, and OpenAI formed to address the vulnerability volume that frontier AI models are now generating in production code. When five major firms build a coalition around a pipeline problem, no single organization's patch workflow can keep pace.
What Must Security Directors Do Now?
The five failure classes above map to five specific actions that belong in next quarter's security roadmap.
Run a Chain-Dependency Audit on Every KEV CVE
Flag any co-resident CVE scored 5.0 or above, the threshold where privilege escalation and lateral movement capabilities typically appear in CVSS vectors. Any pair chaining authentication bypass to privilege escalation gets triaged as critical regardless of individual scores.
This audit should happen this month, not next quarter. The Palo Alto breach proves that scoring systems will not flag these chains automatically.
Compress KEV-to-Patch SLAs to 72 Hours for Internet-Facing Systems
The CrowdStrike 2026 Global Threat Report breakout data makes weekly patch windows indefensible in a board presentation. A 29-minute average breakout time and 27-second fastest breakout time means adversaries move faster than your change management process.
Internet-facing systems with KEV exposure need 72-hour patch SLAs, not 30-day maintenance windows.
Build a Monthly KEV Aging Report for the Board
Every unpatched KEV CVE, days since disclosure, days since patch availability, and owner. Salt Typhoon exploited a Cisco CVE patched 14 months earlier because no escalation path existed for aging exposure.
The board needs to see how long known exploited vulnerabilities sit unpatched in production. That metric belongs in the same report as revenue and headcount.
Add Identity-Surface Controls to the Vulnerability Reporting Pipeline
Help desk authentication gaps and agentic AI credential inventories belong in the same SLA framework as software CVEs. If they sit in a separate governance silo, they sit in nobody's governance.
The $100 million help desk social engineering loss had no CVE, no CVSS score, and no patch pipeline entry. It still produced a nine-figure loss.
Stress-Test Pipeline Capacity at 1.5x and 10x Current CVE Volume
Gamblin projects 70,135 CVEs for 2026. Meyers's thought-experiment projection: frontier AI could push annual volume past 480,000.
Present the capacity gap to the CFO before the next budget cycle, not after the breach that proves the gap existed. Pipeline capacity is now a budget conversation, not just an operational one.
What's the Bottom Line for Business Leaders?
Operation Lunar Peek delivered a $10 million lesson in how vulnerability scoring systems fail when adversaries chain attacks together. CVSS scored CVE-2024-0012 and CVE-2024-9474 as manageable threats. Chained together, they gave attackers root access to 13,000 devices.
The scoring system worked exactly as designed. The problem is that adversaries do not attack the way scoring systems assume they will. They chain vulnerabilities, weaponize patches within days, and exploit identity gaps that never receive CVE numbers.
Continue learning: Next, explore fast16: high-precision sabotage 5 years before stuxnet
Security directors
Related Articles
Acer's New Chromebook: A Game-Changer for Businesses?
Acer's Chromebook Plus Spin 514 combines AI and potent computing, offering businesses a glimpse into the future of work.
Sep 5, 2025
Transforming Gaza: From Conflict Zone to Tech Hub
A leaked plan from the Trump administration reveals a bold strategy to turn Gaza into a thriving high-tech hub. Discover the potential.
Sep 3, 2025
Sony's Paywall Strategy: Xperia Feature Sparks Debate
Sony's recent strategy to lock a key Xperia feature behind a subscription has sparked a debate on innovation versus monetization.
Sep 4, 2025
Comments
Loading comments...