Context Over CVSS: Why Medium, Low, CVEs Matter More Than You Think

Executive Takeaway

In 2024, more than 33,000 CVEs were disclosed, an all‑time high, but only about 12% of those labeled “Critical” actually proved exploitable. Meanwhile, high‑profile exploit chains like Pegasus and Blastpass, and careless breaches like the Tea app hack, reveal that Medium‑ranked or poorly‑coded vulnerabilities, rather than CVSS labels, often lead to real attacker impact.

Written by Mahesh Babu. Published on August 22, 2025. Topic: Vulnerabilities.

The Data Landscape

The latest severity breakdown from NVD shows that in 2024, 14% of CVEs were Critical, 34% High, 50% Medium, and 2% Low, meaning the majority of exposure lies in categories commonly overlooked. Audits confirm this imbalance: in one case, 88% of Critical‑labeled CVEs and 57% of those labeled High were overstated compared to real-world exploitability. The result? Researchers are focused on the wrong part of the vulnerability curve.

Medium and Low CVEs: The Attack Chain Enablers

A reachable Medium CVE in production is more worrying than a Critical flaw locked behind code that is never loaded or called. Low‑scored bugs rarely earn attention, yet they form the building blocks of impactful exploit chains. Real‑world data shows some Medium and Low CVEs are exploited more frequently than certain High‑scored ones, simply because attackers prioritize reachability and context above severity metrics.

Case Examples from the Real-World Attack Scene

Pegasus / FORCEDENTRY – Attackers exploited a Medium-rated JBIG2-PDF flaw (CVE-2021-30860), combining it with Apple’s CoreGraphics and sandbox weaknesses to achieve zero-click remote code execution on iPhones. None of the individual CVEs were initially flagged as Critical, yet in concert they delivered one of the most sophisticated spyware attacks in recorded history.

Trident – An exploit chain composed of WebKit memory corruption, a kernel info leak, and kernel memory abuse (CVE-2016-4657, -4655, -4656) achieved persistent jailbreak-level access on iOS devices. Individually rated below Critical, together they bypassed every layer of device defense.

Blastpass – This zero-click exploit used a malicious Wallet pass (.pkpass) and an ImageIO buffer overflow (CVE-2023-41064, -41061). Though rated Medium/High, chaining these flaws enabled code execution, proving that the context in which a CVE runs matters far more than its CVSS score.

Tea app breach – A disturbing but non-CVSS example of “vibe-coding” gone wrong: Tea, a viral safety app, stored government-issued ID scans, selfies, and over 1.1 million private messages in an unsecured Firebase database. The app’s backend was left publicly open with no authentication or encryption, allowing attackers (and researchers) to scrape 72,000 images and 1.1 million intimate user messages, many concerning abuse, abortion, or infidelity, which then circulated on 4chan and other public platforms. This breach highlights how negligent coding and immature development can create devastating outcomes, especially for vulnerable populations.
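The Tea failure was a backend exposed with no authentication at all. The following is an added example, not code from the original post and not Tea’s actual configuration: it audits a Firebase Realtime Database rules document for read or write permissions granted without reference to the `auth` object. Both rule documents are constructed samples; `OPEN_RULES` is the “anyone can read and write everything” mistake, and `LOCKED_RULES` scopes access to the authenticated owner of each record.

```python
"""Audit Firebase Realtime Database rules for unauthenticated access.

Added illustration, not code from the original post and not the Tea app's
real rules. Both rule documents below are constructed samples.
"""
import json

# Constructed sample: everything readable and writable by anyone, no auth.
OPEN_RULES = json.dumps({"rules": {".read": True, ".write": "true"}})

# Constructed sample: each user may only touch their own record; message
# rooms require a signed-in user.
LOCKED_RULES = json.dumps({
    "rules": {
        "users": {
            "$uid": {
                ".read": "auth != null && auth.uid === $uid",
                ".write": "auth != null && auth.uid === $uid",
            }
        },
        "messages": {
            "$room": {
                ".read": "auth != null",
                ".write": "auth != null",
            }
        },
    }
})


def _is_open(expr) -> bool:
    """A rule is open when it is literally true, the string 'true', or an
    expression that never consults the auth object (so anonymous callers pass)."""
    if expr is True:
        return True
    if expr is False:
        return False
    if isinstance(expr, str):
        s = expr.strip().lower()
        if s == "false":
            return False
        return s == "true" or "auth" not in s
    return False


def find_open_rules(rules_json: str) -> list:
    """Return (path, permission) pairs where .read/.write is granted without auth.

    RTDB rules cascade downward: a permissive parent exposes every child,
    so a single open rule at "/" means the whole database is public."""
    doc = json.loads(rules_json)
    findings = []

    def walk(node, path):
        for key, value in node.items():
            if key in (".read", ".write"):
                if _is_open(value):
                    findings.append((path or "/", key))
            elif isinstance(value, dict):   # skip .validate / .indexOn leaves
                walk(value, f"{path}/{key}")

    walk(doc.get("rules", {}), "")
    return findings


if __name__ == "__main__":
    print("open rules in OPEN_RULES:  ", find_open_rules(OPEN_RULES))
    print("open rules in LOCKED_RULES:", find_open_rules(LOCKED_RULES))
```

Run it against an exported rules file in CI and fail the build on any finding at or near the root. The check is deliberately conservative: an expression that never mentions `auth` is treated as open even if it gates on data, because anonymous callers still satisfy it.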

Why the Current System Keeps Failing

Critical severity labels create alert fatigue. Developers learn to tune out, especially when many “Criticals” aren’t practically exploitable. Meanwhile, CVEs pile up in NVD’s backlog without severity metadata, creating blind spots in triage workflows. CVSS remains a blunt instrument: useful for uniform scoring but limited in reflecting real-world exploitability or attack context.

A Clear Path Forward for Security Researchers

Shift focus from CVE labels to context: Is it exploitable? Reachable? Chainable? Validate Criticals before raising the alarm; they are often noise. Treat Medium, Low, and development oversights (like Tea’s open backend) as potential pivot points in the chain of compromise. Employ probability-based scoring like EPSS to balance severity with attack likelihood.

Finally and most importantly, incorporate context from one’s own environment to understand true attack likelihood and consequently, risk.
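To make the procedure above concrete, here is an added example (not code from the original post) of a context-aware triage score: impact taken from CVSS, likelihood from EPSS with a floor for known-exploited entries, then discounted for code that is unreachable or not exposed to untrusted input. The weights, the four findings and their scores are constructed sample values with placeholder identifiers, not real CVE records. It ranks the same backlog by CVSS label and by context, so the two orderings can be compared side by side.

```python
"""Context-aware vulnerability triage: CVSS label vs CVSS weighted by EPSS
and environment context. Added illustration, not code from the original post.
All ids, scores and weights below are constructed samples."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str
    cvss: float            # CVSS base score, 0.0-10.0 (the "label")
    epss: float            # EPSS probability of exploitation within 30 days, 0.0-1.0
    reachable: bool        # vulnerable code is loaded and on an execution path
    internet_facing: bool  # untrusted input can reach the component
    kev: bool = False      # listed in CISA's Known Exploited Vulnerabilities catalog


def cvss_band(score: float) -> str:
    """Map a CVSS v3 base score to its qualitative severity band."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    if score > 0.0:
        return "Low"
    return "None"


# Weights are assumptions for illustration; tune them to your own environment.
UNREACHABLE_FACTOR = 0.05   # code never loaded or called is very hard to exploit
INTERNAL_ONLY_FACTOR = 0.5  # no direct untrusted input, but lateral movement remains
KEV_FLOOR = 0.9             # known-exploited flaws get a high likelihood floor


def context_score(f: Finding) -> float:
    """Risk = impact x likelihood. Impact is CVSS/10; likelihood starts at EPSS,
    is floored for KEV entries, then discounted by reachability and exposure."""
    likelihood = max(f.epss, KEV_FLOOR) if f.kev else f.epss
    likelihood *= 1.0 if f.reachable else UNREACHABLE_FACTOR
    likelihood *= 1.0 if f.internet_facing else INTERNAL_ONLY_FACTOR
    return round((f.cvss / 10.0) * likelihood, 4)


def rank_by_cvss(findings):
    """The label-driven ordering most scanners present by default."""
    return sorted(findings, key=lambda f: f.cvss, reverse=True)


def rank_by_context(findings):
    """The ordering an attacker's reality suggests."""
    return sorted(findings, key=context_score, reverse=True)


# Constructed sample backlog (placeholder ids, not real CVE records).
SAMPLE = [
    Finding("CVE-0000-CRIT-A", cvss=9.8, epss=0.02, reachable=False, internet_facing=False),
    Finding("CVE-0000-HIGH-B", cvss=7.5, epss=0.01, reachable=True, internet_facing=False),
    Finding("CVE-0000-MED-C", cvss=6.5, epss=0.40, reachable=True, internet_facing=True),
    Finding("CVE-0000-LOW-D", cvss=3.7, epss=0.60, reachable=True, internet_facing=True, kev=True),
]

if __name__ == "__main__":
    print("By CVSS label:   ", [f"{f.cve} ({cvss_band(f.cvss)})" for f in rank_by_cvss(SAMPLE)])
    print("By context score:", [f"{f.cve} {context_score(f)}" for f in rank_by_context(SAMPLE)])
```

On this sample the two orderings invert completely: the unreachable, internal Critical lands last, while the internet-facing Low that is already on the KEV list lands first. The reachability and exposure flags are the part only your own environment can supply, which is exactly the context the post argues CVSS cannot carry.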

Bottom Line

Severity labels mislead. What matters is whether a flaw, or poorly coded app, is actually exploitable in context. Pegasus, Trident, Blastpass, and the Tea breach all prove the same lesson: Medium and Low CVEs, or trivial backend misconfigurations, can cause real, impactful exploitation. Security must evolve from label-driven triage to attacker reality and system maturity.

References

  • Citizen Lab. (2021). FORCEDENTRY: NSO Group iMessage Zero-Click Exploit Captured in the Wild.
  • Citizen Lab. (2023). Blastpass: NSO Group iPhone Zero-Click Exploit.
  • TechRadar Pro. (2025, August 18). Security’s blind spot: The problem with taking CVE scores at face value.
  • Yahya, F. (2025). CVE trends (2023–2025): Volumes, severities, and threat evolution. LinkedIn.
  • Recorded Future. (2018, July 19). Exploring exploitation of Medium and Low CVSS score vulnerabilities.
  • VulnCheck. (2024, September 30). Danger is still lurking in the NVD backlog.
  • Tahir. (2025, July 26). Tea App Security Fail: Firebase Leak Reveals Driver’s Licenses & Selfies. Medium.
  • Tahir. (2025, three weeks ago). The Private Message Leak: Tea App Breach. Medium.
  • Security Bloggers Network. (2025, August 18). The Tea App Hack: How a “Safe” Space Leaked 13,000 ID Photos & 1.1M Messages.
  • Business Insider. (2025, July 28). Tea App Private Messages Were Exposed in a Recent Breach.
  • The Verge. (2025, three weeks ago). Women’s “red flag” app Tea is a privacy nightmare.

Blog written by

Mahesh Babu

Head of Marketing
