Microsoft’s security team wants Windows defenders to stop relying solely on CVSS scores when triaging Patch Tuesday updates. In a May 12, 2026 note, the Microsoft Security Response Center (MSRC) urged IT administrators to use the full signal stack available in the Security Update Guide—severity ratings, Exploitability Index, and public exploit-code status—to make faster, more accurate patching decisions. The guidance arrives as organizations grapple with an average of 80 to 100 CVEs per Patch Tuesday, making manual prioritization a bottleneck that leaves critical exposures open for days.

The Patch Tuesday Triage Bottleneck

Each second Tuesday of the month, Microsoft releases a flood of security updates covering Windows, Office, Edge, and a sprawling portfolio of cloud and on-premises products. For many teams, the immediate challenge isn’t deploying patches—it’s deciding which ones demand attention within hours versus those that can wait until the next regular maintenance window. Lean security teams often have minutes per CVE to assess risk, and the de facto yardstick has long been the Common Vulnerability Scoring System (CVSS) base score.

But CVSS, originally designed to measure severity in a vendor-agnostic way, doesn’t capture the operational urgency that enterprise defenders need. A 9.8-rated remote code execution flaw in a rarely-used Windows feature might be far less dangerous than a 7.5-rated elevation-of-privilege bug that has actively exploited proof-of-concept code circulating on dark web forums. Relying on CVSS alone creates two costly errors: over-prioritizing noisy but low-impact vulnerabilities and under-prioritizing stealthy, targeted threats.

Microsoft’s May 2026 MSRC note, published alongside the monthly Patch Tuesday release, explicitly calls out this gap. The note—aimed at Windows security operations teams—recommends that triage workflows ingest three additional signals already published in the Security Update Guide for every CVE: Microsoft’s proprietary severity rating, the Exploitability Index, and the public exploit-code status. Together, these form a richer, threat-informed view of real-world risk that can cut the time from release to decision from hours to minutes.

Why CVSS Alone Fails Windows Defenders

CVSS 3.1 and 4.0 scores are calculated from a standardized set of metrics: attack vector, complexity, privileges required, user interaction, and impact on confidentiality, integrity, and availability. While useful for communicating broad severity, the score omits two factors that matter most to defenders: how likely the vulnerability is to be exploited in the wild and whether an adversary already has a working exploit.

Consider a hypothetical CVE with a CVSS score of 9.6—critical. It affects a legacy Windows component that requires local access and administrative privileges, and the attack complexity is high. An attacker would need to chain it with another flaw to gain initial access, making it a second-stage payload. In contrast, a 7.8-rated privilege-escalation vulnerability affecting the Windows kernel that has a publicly available, reliable exploit and is known to be used by ransomware operators is an imminent threat. Teams that blindly sort by CVSS spend time investigating the former while the latter gets queued.

Microsoft’s note acknowledges that CVSS is a “baseline” and recommends using the Security Update Guide’s richer data to build a “run-time context.” This approach mirrors the broader shift toward exploitability-driven vulnerability management, championed by frameworks like FIRST’s EPSS (Exploit Prediction Scoring System) and CISA’s Known Exploited Vulnerabilities catalog.

Decoding the Security Update Guide Signal Stack

The MSRC Security Update Guide (available at portal.msrc.microsoft.com) provides a detailed view of every CVE addressed in Microsoft products. For each vulnerability, defenders can find the following signals, all of which the May 2026 note says should be consulted simultaneously.

1. Microsoft Severity Rating

This is a qualitative label assigned by Microsoft based on the vendor’s internal understanding of the component, attack surface, and potential business impact. The categories—Critical, Important, Moderate, and Low—often align with CVSS tiers but also incorporate Microsoft-specific knowledge that isn’t captured in the public CVSS vector. For instance, a vulnerability in a Windows service that is disabled by default might get a lower severity rating from Microsoft even if CVSS would still consider it Critical because the default configuration greatly reduces exposure.

The severity rating is the fastest triage signal. A Critical-rated update that also has a high Exploitability Index should immediately jump to the top of the queue, while an Important-rated one with no known exploits can be scheduled later. Microsoft has historically recommended that Critical updates be deployed within 24 hours, but the May 2026 note refines that by tying the urgency to the additional signals.

2. Exploitability Index

The Exploitability Index (EI) is Microsoft’s prediction of how likely a vulnerability is to be exploited in the wild within the next 30 days. It uses a scale of 0 to 3:

  • 0 – Exploitation Detected: Active exploitation has already been observed.
  • 1 – Exploitation More Likely: Microsoft’s telemetry and threat intelligence indicate a high probability of exploitation, often due to low attack complexity or the vulnerability’s popularity among threat actors.
  • 2 – Exploitation Less Likely: The vulnerability is unlikely to be exploited in the near term, typically because of mitigating controls or higher attack prerequisites.
  • 3 – Exploitation Unlikely: Usually reserved for vulnerabilities that require significant user interaction or physical access, or where the attack surface is very limited.

The EI is based on Microsoft’s vast sensor network and threat intelligence feeds. It’s not infallible—some CVEs with EI 2 have later been exploited—but it provides a forward-looking risk estimate that CVSS doesn’t. The May 2026 note emphasizes that an EI of 0 or 1 should override any CVSS-based prioritization.

3. Public Exploit-Code Status

This binary flag indicates whether exploit code has been publicly disclosed. If set to Yes, it means that a proof of concept, exploit module (for example, in Metasploit), or full weaponized exploit is available in public repositories, forums, or security research publications. When combined with a high Exploitability Index, it signals that the vulnerability is in the hands of both ethical researchers and malicious actors, dramatically compressing the time to active campaigns.

Defenders should treat any CVE with a public exploit as urgent, even if the current EI is 2 or 3, because the availability of exploit code can accelerate the development of attacks. The MSRC note specifically calls out that teams should monitor this flag after Patch Tuesday, as researchers often release PoCs within days or weeks of a fix. A CVE that started with no public code can swiftly become a priority.

Practical Triage: Combining the Signals

The real power comes from cross-referencing these signals. The May 2026 note offers a simple decision matrix logic that Windows defenders can implement in their automation:

  1. If Exploitability Index is 0 (active exploitation), patch immediately regardless of CVSS or severity rating.
  2. If Severity is Critical and Exploitability Index is 1, deploy within hours.
  3. If Public Exploit-Code is Yes, treat as high priority even if otherwise ratings are moderate.
  4. For all others, schedule based on business impact but ensure patching within standard SLA.

For example, during a typical Patch Tuesday, a team might see a slew of CVEs. Instead of parsing CVSS vectors, they filter the Security Update Guide list by EI 0 first. Those are non-negotiable. Next, they look for Critical severity with EI 1 and any with public exploits. The remaining Important-rated CVEs with EI 2 or 3 can be rolled into the next scheduled maintenance window. This tri-fold signal stack reduces the decision cycle by up to 70%, based on internal Microsoft testing cited in the note.

Automation plays a key role here. Many vulnerability management platforms already ingest MSRC data feeds. The note encourages teams to configure their scanners to pull the Exploitability Index and public exploit flags and to create dynamic risk scores that blend CVSS with these signals. This ensures that the triage happens programmatically, not during a frantic Tuesday morning meeting.

Community Reaction and Operational Impact

Though the windowsforum discussion attached to this article is light on comments, early feedback from Windows security practitioners on other channels suggests broad agreement with the approach. One common pain point is that small and mid-sized businesses often rely on patch management tools that default to CVSS-based prioritization and hide the EI and exploit-code fields. Microsoft’s explicit recommendation may push those vendors to surface the full signal stack.

Another challenge is that the Exploitability Index is dynamic. A CVE assigned EI 2 on Patch Tuesday could move to EI 1 a week later if Microsoft detects new threat activity. Defenders need continuous monitoring, not a one-time triage. The MSRC note advises integrating the Security Update Guide API into daily scans so that any change in EI or public exploit status triggers an alert.

The shift also aligns with the growing deployment of Windows Update for Business and Autopatch, which automate deployment rings but don’t automatically adjust urgency based on exploitability. By combining these signals, organizations can better define the deployment deadline for each ring—forcing immediate installation for actively exploited vulnerabilities while respecting normal bandwidth for lower-risk patches.

Looking Ahead

Microsoft’s May 2026 note is another step in its ongoing campaign to help defenders move from vulnerability management to true risk-based prioritization. With the continued rise of zero-day exploitation and the speed at which Proof-of-Concept code appears post-release, the days of sorting by CVSS alone are numbered. By leveraging the three critical signals—severity, Exploitability Index, and public exploit-code status—Windows defenders can cut through the noise and focus on what actually keeps their environments safe.

For teams that haven’t yet integrated the full Security Update Guide into their workflows, the time to start is now. The data is freely available, and the payoff in reduced exposure window is immediate. Those who wait risk learning the hard way—when a critical vulnerability they deprioritized becomes the entry vector for the next ransomware campaign.