Treating every CVE as equally urgent is how security teams burn out. The signals below are ordered from weakest to strongest, so a finding that is merely mentioned is never confused with one that is weaponised and KEV-listed. Vulnetix computes all seven for every CVE and folds them into a single prioritisation score.
Mention
A CVE is being talked about — social posts, blog write-ups, advisories. Attention, not evidence of exploitation.
Bounty
A bug-bounty submission references the CVE. Program-gated and self-reported, but a sign someone built a working case for it.
Sighting
CrowdSec, CIRCL and Shadowserver report the vulnerability showing up in real attack traffic, scanned IPs and honeypot hits across countries.
Theoretical
Public proof-of-concept code is available (VulnCheck XDB, ExploitDB, GitHub). Exploitation is demonstrated, but not necessarily operationalised.
Weaponised
The exploit ships inside Snort/Suricata rules, nmap NSE scripts, Nuclei templates or Metasploit modules — mature, reliable, and ready for adversarial reuse.
Known exploits
CISA KEV, EU KEV and VulnCheck KEV confirm active exploitation. Not a prediction — a confirmation, with patch deadlines attached.
Predicted
EPSS (exploitation probability, FIRST.org) and Coalition ESS (exploit-availability probability) estimate near-future risk for CVEs that have no observed activity yet.
From signal to decision
A CVE with CVSS 7.5 and EPSS 0.97 is more dangerous than one with CVSS 10.0 and EPSS 0.01. Vulnetix ranks your findings on observed and predicted exploitation — sightings, weaponisation, KEV status, EPSS and Coalition ESS — so remediation effort lands where exploitation is real or imminent, not merely where the severity number is high.
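The ranking rule above, carried through as a small worked example. This is added illustration code written for this page, not Vulnetix's scoring formula (which the page does not publish): the six observed signals are placed on the page's weakest-to-strongest ladder as integer ranks, the "Predicted" signal (EPSS and Coalition ESS) is treated as a continuous probability rather than a ladder rung, the 0.6/0.3/0.1 weights are an assumption chosen so that observed evidence outranks prediction and prediction outranks raw severity, and the CVE identifiers and numbers are constructed sample data.

```python
from dataclasses import dataclass, field

# Observed-evidence signals from the page, weakest to strongest.
# The integer ranks are this example's own choice, not Vulnetix's weighting.
SIGNAL_RANK = {
    "mention": 1,        # talked about; attention, not exploitation
    "bounty": 2,         # bug-bounty submission references the CVE
    "sighting": 3,       # seen in attack traffic / honeypots (CrowdSec, CIRCL, Shadowserver)
    "theoretical": 4,    # public PoC exists (VulnCheck XDB, ExploitDB, GitHub)
    "weaponised": 5,     # shipped in Snort/Suricata, nmap NSE, Nuclei, Metasploit
    "known_exploit": 6,  # CISA KEV / EU KEV / VulnCheck KEV confirm active exploitation
}
MAX_RANK = max(SIGNAL_RANK.values())

# Assumed weights: observed evidence dominates, prediction next, CVSS base score last.
W_OBSERVED, W_PREDICTED, W_SEVERITY = 0.6, 0.3, 0.1


@dataclass
class Finding:
    cve: str
    cvss: float                      # CVSS base score, 0-10
    epss: float = 0.0                # FIRST EPSS exploitation probability, 0-1
    ess: float = 0.0                 # Coalition ESS exploit-availability probability, 0-1
    signals: set = field(default_factory=set)


def strongest_signal(f: Finding) -> int:
    """Highest rung on the ladder that has evidence for this CVE (0 = none)."""
    return max((SIGNAL_RANK[s] for s in f.signals if s in SIGNAL_RANK), default=0)


def predicted(f: Finding) -> float:
    """Predicted exploitation: take the more pessimistic of the two estimators."""
    return max(f.epss, f.ess)


def priority_score(f: Finding) -> float:
    """Single score in [0, 1]; higher means remediate sooner."""
    observed = strongest_signal(f) / MAX_RANK
    return round(W_OBSERVED * observed + W_PREDICTED * predicted(f) + W_SEVERITY * (f.cvss / 10), 4)


def explain(f: Finding) -> str:
    """Why a finding landed where it did: the strongest evidence behind its score."""
    rank = strongest_signal(f)
    if rank:
        return next(name for name, r in SIGNAL_RANK.items() if r == rank)
    if predicted(f) >= 0.5:
        return "predicted"
    return "severity only"


def prioritise(findings: list) -> list:
    """Rank findings by score, strongest exploitation evidence first."""
    return sorted(findings, key=priority_score, reverse=True)


# Constructed sample findings (placeholder CVE ids, invented numbers) mirroring
# the page's point: CVSS 7.5 with EPSS 0.97 must outrank CVSS 10.0 with EPSS 0.01.
SAMPLE = [
    Finding("CVE-0000-0001", cvss=7.5, epss=0.97),
    Finding("CVE-0000-0002", cvss=10.0, epss=0.01),
    Finding("CVE-0000-0003", cvss=6.1, epss=0.40, signals={"weaponised", "known_exploit"}),
    Finding("CVE-0000-0004", cvss=9.8, epss=0.05, signals={"mention"}),
]


def ranked_ids(findings: list = SAMPLE) -> list:
    return [f.cve for f in prioritise(findings)]


if __name__ == "__main__":
    for f in prioritise(SAMPLE):
        print(f"{f.cve}  score={priority_score(f):.3f}  cvss={f.cvss:<4}  "
              f"epss={f.epss:.2f}  reason={explain(f)}")
```

Note that the KEV-listed CVE with the lowest CVSS in the sample comes out on top, and the CVSS 10.0 finding with no evidence and a negligible EPSS comes out last; swapping in a lexicographic key (ladder rung, then predicted probability, then CVSS) instead of the weighted sum gives the same order for this data and may be preferable where you want observed evidence to be strictly non-negotiable.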