Cybersecurity Vulnerability Prioritisation via Risk Assessment

Author: Taylor, Stephen; Melas, Panos; Surridge, Mike; De Lutiis, Paolo; Leone, Manuel; Jaatun, Martin Gilje; Borgaonkar, Ravishankar
Publisher: Zenodo
DOI: 10.1007/978-3-032-00639-4_4
Source: https://zenodo.org/records/17733527/files/CVE_pri_ARES_WS.pdf
Cybersecurity Vulnerability Prioritisation via Risk Assessment

Steve Taylor (1), Panos Melas (1), Mike Surridge (1), Paolo De Lutiis (2), Manuel Leone (2), Martin Gilje Jaatun (3), and Ravishankar Borgaonkar (3)

(1) University of Southampton, Southampton, UK
{S.J.Taylor, pmelas, ms8}@soton.ac.uk
(2) Security Engineering and Threat Management, TIM S.p.A, Torino, Italy
{paolo.delutiis, manuel.leone}@telecomitalia.it
(3) Software Engineering, Safety and Security, SINTEF Digital, Trondheim, Norway
{Martin.G.Jaatun, Ravi.Borgaonkar}@sintef.no

Abstract. The Common Vulnerabilities and Exposures (CVE) database lists a large number of vulnerabilities that are present in specific versions of software libraries and applications, but although there is a severity ranking, it does not immediately follow that an identified vulnerability with high severity will be particularly important to a specific application. This paper presents the motivation for CVE Prioritization for a given case and describes an outline process for evaluating the priority of CVEs via risk assessment simulations.

Keywords: Vulnerabilities, CVE, SBOM, Risk, Software
1 Introduction

A Common Vulnerabilities and Exposures (CVE) instance describes a specific security issue in software or hardware, assigning it a globally unique identifier (e.g., CVE-2025-12345). It helps security professionals track and address security risks effectively in a standardized manner. The CVE initiative was launched at the beginning of 2000 by the US MITRE organization [1] and is today commonly used by the cybersecurity expert community and industry: many tools, such as scanners and (cyber) threat intelligence platforms, use CVE to identify and track vulnerabilities.

The total count of CVEs increases significantly every year. In 2025, more than 45.000 published vulnerabilities are expected [2]. This high number clearly highlights the complexity of vulnerability management, requiring security experts and companies to invest significant effort and resources to effectively safeguard their networks and mitigate potential risks. In fact, addressing this large number of vulnerabilities is often impractical due to market-driven time pressures, limited budgets, or the constrained remediation capabilities of device manufacturers. For instance, the Fraunhofer Institute reported between 348 and 579 high-severity CVEs per device [3]. Therefore, it is important to have tools and methodologies that help prioritize vulnerability remediation to achieve effective risk reduction at reasonable effort cost.
Author version. To be presented at 2025 ARES Workshops, Ghent, Belgium. This version of the contribution has been accepted for publication, after peer review, but is not the Version of Record. The Version of Record will be available online at: https://link.springer.com/ Copyright (c) 2025 Springer Nature
S. Taylor et al.
2 Related Work

2.1 Current Approaches

The Common Vulnerability Scoring System (CVSS) [4] uses a scoring approach, where the score ranges from 0 to 10, higher numbers indicating more critical security risks. The value represents the severity of a cybersecurity vulnerability based on the related impact and exploitability. The score does not represent the likelihood of an attack, although some parameters can be used indirectly to evaluate such aspects (e.g., if a CVE can be exploited via network, its exploitability likelihood is greater than a CVE that requires physical access to the device to be exploited). CVSS values (in particular CVSS 3, but partially also CVSS 4) are global and static values bound to the CVE intrinsic characteristics, without considering real-world factors like attacker motivation, availability of Proof of Concept (PoC) or public exploits, the target device's configuration and its positioning within the network architecture, the presence of additional security mechanisms, such as firewalls, Intrusion Prevention System (IPS), etc. To overcome these limitations, Security teams typically consider additional sources of information. A key source is Cyber Threat Intelligence feeds that take into consideration the actual threats/risks the device containing the CVE is exposed to.
The Exploit Prediction Scoring System (EPSS) proposed by the FIRST organization in 2019 [5] is a framework based on Machine Learning algorithms, that estimates the probability of a CVE being exploited in the wild, thus helping organizations prioritize patching by focusing on vulnerabilities that are more likely to be actively attacked.
The Vulnerability Priority Rating (VPR), proposed and maintained by Tenable [6], is designed as an enhancement over the traditional CVSS scores and incorporates threat intelligence, vulnerability age, exploit availability, and asset context to prioritize vulnerabilities and to help organizations to focus on vulnerabilities that are most likely to be exploited in real-world attacks. The Known Exploited Vulnerabilities (KEV) catalog [7], maintained by the Cybersecurity and Infrastructure Security Agency (CISA), aims to identify vulnerabilities that are actively being exploited by cybercriminals. These vulnerabilities have been confirmed to be used in real-world attacks, making them high-priority targets for patching. While KEV primarily strengthens the security posture of U.S. government agencies, it also serves as a valuable resource for organizations worldwide.

Several initiatives on this topic have also been registered in the commercial domain. Among these, we mention Cisco Vulnerability Management (formerly Kenna.VM [8]), whose primary goal is providing a prioritized list of vulnerabilities analyzing data ingested from several sources (such as vulnerability scanners) and combining them with real-world exploit activity.
2.2 Main Limitations

The proposed methods for CVE prioritization have their own advantages and limitations. As correctly stated by Spring et al. [9], CVSS is primarily designed to assess the technical severity of a vulnerability; but it is often misused for vulnerability prioritization and risk assessment. While CVSS measures severity, even with the inclusion of Temporal and Environmental scores, it does not assess risks. Consequently, its effectiveness for vulnerability prioritization remains limited. Moreover, it is not suitable for handling deployment in complex scenarios, nor can it be used to aggregate scores across multiple vulnerabilities [10]. EPSS, VPR and partially KEV enhance severity measurement through the contribution of Threat Intelligence. However, their support for multiple vulnerabilities remains limited, and like CVSS, they do not account for specific characteristics of the device under test and the system into which it is deployed.
3 Case Study: Residential Gateway

The case study for this work concerns a Residential Gateway (RGW). The RGW is a commodity device that provides connections for domestic subscribers of broadband services to the Wide Area Network (WAN) provided by the Internet Service Provider, which in this case study is a telecommunication company (TC). TC provides various communication services, including mobile telephony and residential data services. TC has defined rigorous security testing processes and a risk-based methodology to manage and maintain the cybersecurity of its infrastructures. Every device, prior to deployment in the field, must be tested within specialized labs to verify its actual security posture.
The RGW is a special kind of device from the cybersecurity point of view. Although it is based on a low-cost architecture, it is a key element of the interconnection (and security) between the internal LAN of the residential customers (where it is common to have IPTV, PC, and other user devices) and the Internet, which provides at the same time digital services but also cyber threats and risks. The patch management of such devices is also complex, especially considering that the number of devices deployed can be several million. Therefore, the efficient patching of the devices is a key requirement, and for this the assessment of exploitability and severity of CVEs affecting the RGW is needed to determine priorities for patching.
The conditions required to exploit vulnerabilities in a Residential Gateway can be highly specific to that device, potentially limiting the impact of the Threat Intelligence in accurately assessing the actual risk. The environment into which the RGW is deployed is also a key factor: the fact that a specific vulnerability is actively exploited in the wild may be irrelevant to a Residential Gateway due to its particular access model, which could prevent actual exploitation. Conversely, detecting that a specific device has been successfully targeted may occur too late. This challenge is especially evident for RGW devices, where the software or the device configuration is often customized by the Telco operator, further complicating traditional threat intelligence assessments. Moreover, in such a situation, these solutions provide limited assistance to executive management in understanding the real risk posture and how to mitigate a potential future security disaster.
In short, none of the methods considered are truly tailored to the target devices. While this is reasonable for general-purpose approaches, more specialized strategies could be applied in specific use cases or when the target device is well known, as in the RGW use case. These strategies should rely on more detailed models capable of accurately assessing the real exploitability of vulnerabilities and combining them with the effectiveness and power of the risk analysis approach.

Fig. 1. CVE Prioritization Approach
4 Approach

Our approach to addressing these limitations is to use risk simulation to assess the compromises, along with their impacts and likelihood (key components of risk assessment), potentially caused by each CVE in the Device Under Test (abbreviated DUT). The overall approach is shown in the process diagram of Fig. 1 and detailed steps of this process are discussed in the next subsections.
Risk assessment typically maps threats to consequences, where a consequence has a severity (the degree of the damage were the consequence to occur) and a likelihood (how probable the consequence is). Vulnerabilities are weaknesses that threats exploit, and thus risk assessment enables mapping of vulnerabilities in CVEs to consequences of importance to the stakeholders undertaking the analysis.
In this work, we have used the Spyderisk tool (https://spyderisk.org; Phillips et al. [11]), a tool for risk simulation via a knowledge-based modelling approach. Here the user builds a model of their System Under Test (SUT) using predefined ICT elements such as computers, software processes, data, networks, routers plus the socio-technical environments and actors they operate in such as people and physical spaces. In the Case Study, a model (shown in Fig. 2) is built of the RGW under test (the DUT), crucially in its deployment environment (the SUT), which enables relating risks in the deployment environment to vulnerabilities associated with CVEs. The deployment environment is a domestic situation containing typical elements on the private home network (e.g. computers, TVs, smart devices), users (e.g., the subscriber and their family), data (e.g., documents, music, photos, all of which are likely to be important to the subscriber and thus need protecting) plus the connection to the WAN provided by the ISP and the bridge to the Internet. In parallel, a Software Bill of Materials (SBOM) is generated from the DUT's binary firmware, which provides software packages and versions, and using this information, CVEs can be determined via lookup. The risk model is used to evaluate the CVEs associated with the RGW in simulation of the effects caused by the CVE under realistic expected usage conditions.
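The SBOM-to-CVE lookup step described above, as an added example that is not part of the paper and not Spyderisk code: a constructed CycloneDX-style SBOM fragment is matched against a constructed vulnerability table by affected version range. The package names, versions, ranges and scores are illustrative and the CVE identifiers are placeholders. The version comparison is the part worth getting right: a plain string comparison ranks "2.9" above "2.10" and would misreport whether a package falls inside an affected range, so the example splits versions into numeric fields before comparing.

```python
"""Match SBOM components against a vulnerability table by version range.

Added example, not the paper's code: the SBOM and the vulnerability records
are constructed inline; CVE-XXXX-NNNNN identifiers are placeholders.
"""
import json
import re

# Constructed SBOM fragment in CycloneDX JSON layout (names and versions are
# illustrative, not taken from the paper's RGW firmware).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "components": [
    {"name": "hostapd", "version": "2.9"},
    {"name": "uhttpd",  "version": "2023.06.25"},
    {"name": "dnsmasq", "version": "2.86"},
    {"name": "fw3",     "version": "2022.01.10"}
  ]
}
"""

# Constructed vulnerability table: (placeholder CVE id, package,
# introduced version inclusive, fixed version exclusive, CVSS base score).
VULN_TABLE = [
    ("CVE-XXXX-00001", "hostapd", "2.0",  "2.10", 8.1),
    ("CVE-XXXX-00002", "dnsmasq", "2.80", "2.87", 7.5),
    ("CVE-XXXX-00003", "dnsmasq", "2.70", "2.83", 9.8),          # fixed before 2.86
    ("CVE-XXXX-00004", "uhttpd",  "2020.01.01", "2023.01.01", 6.5),  # fixed before 2023.06.25
]


def version_key(version: str) -> tuple:
    """Split a dotted version into a comparable tuple.

    Numeric fields compare as integers and other fields as strings, so that
    '2.10' sorts after '2.9' (a plain string comparison gets this wrong).
    """
    parts = []
    for field in re.split(r"[.\-]", version):
        parts.append((0, int(field)) if field.isdigit() else (1, field))
    return tuple(parts)


def is_affected(version: str, introduced: str, fixed: str) -> bool:
    """True when introduced <= version < fixed under version_key ordering."""
    v = version_key(version)
    return version_key(introduced) <= v < version_key(fixed)


def lookup_cves(sbom_json: str, vuln_table=VULN_TABLE) -> dict:
    """Return {component name: [(cve id, cvss score), ...]} for components
    whose SBOM version falls inside an affected range."""
    sbom = json.loads(sbom_json)
    findings = {}
    for comp in sbom["components"]:
        hits = [(cve, score) for cve, pkg, intro, fixed, score in vuln_table
                if pkg == comp["name"] and is_affected(comp["version"], intro, fixed)]
        if hits:
            findings[comp["name"]] = hits
    return findings


if __name__ == "__main__":
    for name, hits in lookup_cves(SBOM_JSON).items():
        print(name, hits)
```

With the constructed data, hostapd 2.9 and dnsmasq 2.86 are reported as affected, while uhttpd 2023.06.25 is not because it is past the fixed version, and the older dnsmasq record is excluded because 2.86 is beyond its fixed version. The resulting per-component CVE list is the input the risk model consumes in the next step.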
4.1 Attack Paths

A key concept from Phillips et al. [11] that underpins the approach described here is that of attack paths. These are chains of vulnerability-threat-consequence patterns, where a vulnerability (e.g. represented by a CVE) in a system component exposes it to a threat, which leads to a consequence (e.g., degradation of a key property of a component), which may also lead to a new vulnerability, which may lead to another threat, and so on. The consequences can be measured as risks, which comprise the severity of the consequence occurring, which is a subjective judgement and dependent on the stakeholder(s) involved or affected, and the likelihood, which is determined by the potential for exploitation of the vulnerability, the difficulty of executing the threat, any controls in place to manage threats, etc. Thus, from this repeating pattern of vulnerability-threat-consequence, attack paths can be formed that link vulnerabilities in one system component to consequences in it, or other connected entities. Via this mechanism, our approach is to evaluate CVEs by determining their simulated resulting risk levels, to identify which vulnerabilities lead to the highest-level risks and thus which CVEs should be prioritized.
Fig. 2. Residential Gateway (router) in Context

An illustrative example of an attack path is provided in Fig. 2 and Table 1 showing a Residential Gateway (RGW) in a domestic context. The RGW provides: access to the Internet, a wired and wireless network, to which a laptop and a home server are connected. The home server stores sensitive personal data relating to the Home owner.

Here, a key consequence is: Loss of Confidentiality (or low Confidentiality) at SensitiveData, which is defined as: "Disclosure of data to unauthorised parties, or a state where prevention or detection of such a disclosure cannot be ensured". Here, because the data is sensitive, the impact (or severity) of the unauthorized disclosure is high, and its likelihood is calculated to be very high. An Attack Path to this consequence is shown in Table 1.
Table 1. Attack Path to Loss of Confidentiality of Sensitive Data

Vulnerability | Threat | Consequence | Distance | Likelihood
Occupant TW at World | Physical intrusion into private space Home from World | Loss of Occupant TW at Home | 5 | Very High
Loss of Occupant TW at Home | Theft of device Home Server from Home | Loss of Possession at Home Server | 3 | Very High
Loss of Possession at Home Server | Physical access to data SensitiveData on stolen host Home Server | Loss of Confidentiality of SensitiveData | 1 | Very High

The table illustrates that the consequence in one row leads to the vulnerability in the row beneath it. Here the root vulnerability is the assumed (low) trustworthiness (TW in the table) of everyone in the world leading to an intrusion into the Home. This leads to the consequence of the theft of the Home Server and hence to the exposure of the Sensitive Data stored within it. This is a trivial example because the simple control of locking the door of the Home addresses it (by restricting access to trusted individuals), but it serves to describe the link between vulnerabilities, threats and consequences in an attack path. Because the risk model is constructed of the RGW in the domestic situation in which it is deployed, it represents the relationship between vulnerabilities in the DUT and the consequences they cause in the environment in which the DUT is deployed. This method of attack path analysis therefore considers the effects of chains of vulnerabilities and also considers the relationship between the DUT and its deployment environment, overcoming limitations of current approaches.
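An added example, not the paper's code and not Spyderisk, that reproduces the vulnerability-threat-consequence chain of Section 4.1 and Table 1 in Python and extends it with a second, network-borne chain from a placeholder CVE on the RGW to the same consequence. The five-level scale, the rule that an active control lowers a threat's likelihood by two levels, and the multiplicative risk matrix are constructed assumptions; the threat and control names, the placeholder CVE identifier and the "Lock door of Home" control (the one the paper mentions) are illustrative model entries. Running it shows how applying a control on one chain changes which root vulnerability ranks highest, which is the prioritisation question the paper poses.

```python
"""Attack-path enumeration, likelihood propagation and root-vulnerability
ranking over a small vulnerability-threat-consequence model.

Added example, not the paper's code and not Spyderisk: model content, the
ordinal scale, the control effect and the risk matrix are constructed.
"""

LEVELS = ["Very Low", "Low", "Medium", "High", "Very High"]


def level(name: str) -> int:
    """Ordinal index of a likelihood or severity level name."""
    return LEVELS.index(name)


# Root vulnerabilities with their assumed likelihood. The first is the root
# of the paper's Table 1; the CVE entry is a placeholder id, not a real one.
ROOTS = {
    "Occupant TW at World": "Very High",
    "CVE-XXXX-00001 in uhttpd on RGW": "High",
}

# Threats: (name, prerequisite vulnerability, consequence caused,
# exploitability, control that blocks it or None). A consequence may be the
# prerequisite vulnerability of a later threat, exactly as in Table 1.
THREATS = [
    ("Physical intrusion into private space Home from World",
     "Occupant TW at World", "Loss of Occupant TW at Home",
     "Very High", "Lock door of Home"),
    ("Theft of device Home Server from Home",
     "Loss of Occupant TW at Home", "Loss of Possession at Home Server",
     "Very High", None),
    ("Physical access to data SensitiveData on stolen host Home Server",
     "Loss of Possession at Home Server", "Loss of Confidentiality of SensitiveData",
     "Very High", None),
    ("Remote compromise of RGW via management interface",
     "CVE-XXXX-00001 in uhttpd on RGW", "Loss of Control at RGW",
     "High", None),
    ("Traffic interception on home LAN from compromised RGW",
     "Loss of Control at RGW", "Loss of Confidentiality of SensitiveData",
     "Medium", "Encrypt LAN traffic to Home Server"),
]

# Severity of the consequence the stakeholder cares about (the paper rates
# unauthorised disclosure of the sensitive data as high).
SEVERITY = {"Loss of Confidentiality of SensitiveData": "High"}

# Constructed assumption: an active control lowers the threat's likelihood by
# two levels, floored at Very Low.
CONTROL_REDUCTION = 2


def chains_to(consequence: str, visited=()) -> list:
    """Enumerate threat chains ending in `consequence`, each returned as a
    list of THREATS entries in root-to-target order (depth-first, cycle-safe)."""
    chains = []
    for threat in THREATS:
        _, prereq, caused, *_ = threat
        if caused != consequence or prereq in visited:
            continue
        if prereq in ROOTS:
            chains.append([threat])
        else:
            for prefix in chains_to(prereq, visited + (consequence,)):
                chains.append(prefix + [threat])
    return chains


def evaluate_chain(chain: list, controls=()) -> list:
    """Walk a chain forward from its root and return Table 1 style rows
    (vulnerability, threat, consequence, likelihood). Likelihood never rises
    along a chain: each threat is capped by its prerequisite and its own
    exploitability, and an active control lowers it further."""
    lik = level(ROOTS[chain[0][1]])
    rows = []
    for name, prereq, caused, exploitability, control in chain:
        lik = min(lik, level(exploitability))
        if control in controls:
            lik = max(0, lik - CONTROL_REDUCTION)
        rows.append((prereq, name, caused, LEVELS[lik]))
    return rows


def risk(severity_name: str, likelihood_name: str) -> int:
    """Constructed risk matrix: 1-based severity times 1-based likelihood (1..25)."""
    return (level(severity_name) + 1) * (level(likelihood_name) + 1)


def prioritise(target: str, controls=()) -> list:
    """Rank root vulnerabilities by the highest risk they induce at `target`,
    as (root, risk) pairs in descending order."""
    best = {}
    for chain in chains_to(target):
        rows = evaluate_chain(chain, controls)
        root, final_likelihood = rows[0][0], rows[-1][3]
        best[root] = max(best.get(root, 0), risk(SEVERITY[target], final_likelihood))
    return sorted(best.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    target = "Loss of Confidentiality of SensitiveData"
    for chain in chains_to(target):
        for row in evaluate_chain(chain):
            print(" | ".join(row))
        print()
    print("no controls:", prioritise(target))
    print("door locked:", prioritise(target, controls=("Lock door of Home",)))
```

With no controls the physical chain carries Very High likelihood through every row, matching Table 1, and the World root outranks the CVE root; once "Lock door of Home" is applied the physical chain drops to Medium and the two roots tie, so the CVE on the RGW is now as important as the physical intrusion. Adding the LAN encryption control then pushes the CVE chain down to Very Low, which is the kind of control-aware re-ranking a static CVSS score cannot provide.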
4.2 Functional Decomposition & Modelling

Fig. 2 illustrates a model of the RGW in context, and to map CVEs to the router, a functional decomposition of the core functionality of the RGW is undertaken. This entails examining the core functions of the router and building a risk model of these core functions, how they are configured and mapping this to software packages from the SBOM. The complete Spyderisk model of the RGW is shown in Fig. 3 and its core functionality is decomposed as shown in Fig. 4.
A basic residential gateway has a connection to the Internet, wired ethernet ports and a wireless access point. The RGW under test is based on OpenWrt (https://openwrt.org), whose networking relies on the Linux kernel networking subsystem which provides packet processing and routing functionalities. Kernel modules interact with device drivers that handle WAN, LAN, and WiFi interfaces, or hardware accelerators. Packet filtering and network address translation (NAT) are managed by the kernel's Netfilter framework. User-space services and tools such as ppp, dhcp, fw3, and hostapd manage various router networking functionalities including the WiFi access point. Their behaviour is configured through /etc/config files which can be modified via the unified configuration interface (LuCI / uhttpd) via a web browser.
The orange connections in Fig. 4 depict flows of control or management, from managing to managed component, and each path of configuration or management represents a potential attack path, since any exploitable vulnerability at a point on this path can affect the components downstream. For example, if there is a vulnerability in uhttpd, this can have potentially far-reaching effects, since

Fig. 3. RGW Spyderisk model

Fig. 4. RGW Functional Decomposition