Why CVSS Scores Miss the Real Threat: How Attackers Chain, Weaponize, and Exploit Vulnerabilities in the Age of AI and Nation-State Threats

In November 2024, attackers exploited two vulnerabilities in Palo Alto Networks firewall devices to gain unauthenticated remote admin access and eventually root privileges across more than 13,000 exposed management interfaces. This campaign, dubbed Operation Lunar Peek, chained CVE-2024-0012 — an authentication bypass — with CVE-2024-9474 — a privilege escalation flaw — to compromise systems despite individual CVSS scores that appeared manageable when assessed in isolation.

Palo Alto Networks initially rated CVE-2024-0012 at 9.3 and CVE-2024-9474 at 6.9 using CVSS v4.0. The National Vulnerability Database (NVD) later assigned scores of 9.8 and 7.2 respectively under CVSS v3.1. Even as the higher scores triggered attention, the 6.9/7.2 rating for the privilege escalation vulnerability fell below many organizations’ patch thresholds because its CVSS vector indicated admin access was required — a condition that the authentication bypass effectively nullified when chained.

“Adversaries circumvent [severity ratings] by chaining vulnerabilities together,” said Adam Meyers, SVP of Counter Adversary Operations at CrowdStrike, in an exclusive interview with VentureBeat on April 22, 2026. He criticized the triage logic that treated each CVE as an isolated event: “They just had amnesia from 30 seconds before.” Both vulnerabilities were subsequently added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, yet neither score communicated the compound risk of the attack chain.

This incident exemplifies a broader limitation of the Common Vulnerability Scoring System (CVSS): it is designed to evaluate single vulnerabilities in isolation, not the real-world tactics of attackers who combine flaws to achieve catastrophic outcomes. As Chris Gibson, executive director of FIRST — the organization that maintains CVSS — stated to The Register in January 2022, using CVSS base scores alone for prioritization remains “the least apt and accurate” method.

The failure to detect chained threats is one of five critical gaps in current vulnerability triage practices identified by security leaders. In 2025 alone, 48,185 CVEs were disclosed — a 20.6% increase from the previous year — with projections pointing to 70,135 for 2026. This growing volume overwhelms traditional pipelines, especially as the NVD announced on April 15, 2026 that it would prioritize enrichment only for KEV and federal critical software due to a 263% surge in CVE submissions since 2020.

Beyond chaining, adversaries increasingly weaponize newly patched vulnerabilities within days of disclosure. The CrowdStrike 2026 Global Threat Report documented a 42% year-over-year rise in zero-day exploitation before public disclosure, with an average breakout time of 29 minutes and the fastest observed at just 27 seconds. China-nexus actors were noted to weaponize newly patched vulnerabilities within two to six days.

Another growing concern is the stockpiling of old vulnerabilities. Recorded Future’s research on Salt Typhoon revealed that the group accessed senior U.S. political figures’ communications during the 2024 presidential transition by chaining CVE-2023-20198 and CVE-2023-20273 on Cisco devices — flaws patched in October 2023 but left unapplied for over a year. Sixty-seven percent of vulnerabilities exploited by China-nexus adversaries in 2025 were remote code execution flaws granting immediate system access, yet CVSS contains no mechanism to increase priority based on how long a CVE remains unpatched.

Identity-related risks also fall outside CVSS’s scope. A 2023 help desk social engineering attack against a major enterprise resulted in over $100 million in losses — a breach involving no software vulnerability, no CVE, and no patch. As Meyers noted, “A pro needs a zero day if all you have to do is call the help desk and say I forgot my password.” Agentic AI systems further complicate this landscape by operating with independent credentials and API tokens beyond traditional governance.

Finally, AI-accelerated discovery threatens to overwhelm vulnerability management systems. Anthropic’s Claude Mythos Preview demonstrated autonomous detection of a 27-year-old signed integer overflow in OpenBSD’s TCP SACK implementation, achieved across roughly 1,000 scaffold runs for under $20,000 in compute cost. Meyers warned in his VentureBeat interview that if frontier AI drives a 10x increase in vulnerability discovery, annual volumes could reach 480,000 — far exceeding current pipeline capacities built for tens of thousands.

In response, CrowdStrike launched Project QuiltWorks on April 25, 2026, forming a remediation coalition with Accenture, EY, IBM Cybersecurity Services, Kroll, and OpenAI to address the surge in AI-generated vulnerabilities in production code. By aligning multiple major firms around what they treat as a systemic pipeline challenge, the initiative acknowledges that no single organization’s patch workflow can keep pace on its own.

Security directors are advised to take five concrete actions: conduct chain-dependency audits on all KEVs, prioritizing pairs scoring 5.0 or above, where privilege escalation typically appears; compress KEV-to-patch SLAs to 72 hours for internet-facing systems; build monthly KEV aging reports tracking disclosure and patch timelines; integrate identity-surface controls — including help desk gaps and agentic AI credentials — into the vulnerability reporting pipeline; and stress-test capacity at 1.5x and 10x current CVE volumes to prepare for AI-driven growth.
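The first three of those actions (chain-dependency audit, 72-hour SLA for internet-facing systems, monthly aging report) reduce to a few queries over a KEV tracking sheet. The following is an added example of that reporting logic, not code from the article or from CISA. The rows are constructed sample data with placeholder CVE identifiers, the field names are assumptions about how a team might record KEV items against its own patch dates, and the "today" value is fixed so that the results are reproducible.

```python
from datetime import datetime, timezone
from itertools import combinations

# Constructed sample rows (placeholder ids, not real KEV entries). "added" is the
# date the item entered the KEV catalog, "patched" the organization's own fix date.
KEV_SAMPLE = [
    {"cve": "CVE-XXXX-0001", "product": "fw-mgmt", "score": 9.8, "requires_priv": False,
     "added": "2026-03-02T00:00:00+00:00", "patched": "2026-03-03T10:00:00+00:00",
     "internet_facing": True},
    {"cve": "CVE-XXXX-0002", "product": "fw-mgmt", "score": 7.2, "requires_priv": True,
     "added": "2026-03-02T00:00:00+00:00", "patched": None, "internet_facing": True},
    {"cve": "CVE-XXXX-0003", "product": "router-os", "score": 10.0, "requires_priv": False,
     "added": "2025-01-15T00:00:00+00:00", "patched": None, "internet_facing": True},
    {"cve": "CVE-XXXX-0004", "product": "router-os", "score": 7.2, "requires_priv": True,
     "added": "2025-01-15T00:00:00+00:00", "patched": None, "internet_facing": True},
    {"cve": "CVE-XXXX-0005", "product": "hr-portal", "score": 4.3, "requires_priv": True,
     "added": "2026-04-20T00:00:00+00:00", "patched": "2026-04-28T00:00:00+00:00",
     "internet_facing": False},
]

# Fixed "now" so the report is deterministic (assumed date, not from the article).
TODAY = datetime(2026, 5, 1, tzinfo=timezone.utc)


def _ts(value):
    """Parse an ISO-8601 timestamp, or return None for an unpatched item."""
    return datetime.fromisoformat(value) if value else None


def age_days(record, today=TODAY):
    """Days a KEV item stayed open: catalog add date to patch date, or to today if unpatched."""
    end = _ts(record["patched"]) or today
    return (end - _ts(record["added"])).days


def sla_breaches(records, today=TODAY, sla_hours=72):
    """Internet-facing KEV items not fixed within the SLA window, whether still open or patched late."""
    breaches = []
    for r in records:
        if not r["internet_facing"]:
            continue
        end = _ts(r["patched"]) or today
        open_hours = (end - _ts(r["added"])).total_seconds() / 3600
        if open_hours > sla_hours:
            breaches.append(r["cve"])
    return breaches


def chain_candidates(records, floor=5.0):
    """Same-product pairs where an unauthenticated flaw can hand its access to a flaw
    that nominally needs privileges. Only pivots scoring at or above 'floor' are kept,
    matching the 5.0 cut-off suggested above."""
    pairs = []
    for a, b in combinations(records, 2):
        if a["product"] != b["product"]:
            continue
        entry, pivot = (a, b) if not a["requires_priv"] else (b, a)
        if entry["requires_priv"] or not pivot["requires_priv"]:
            continue  # need exactly one unauthenticated entry and one privileged pivot
        if pivot["score"] >= floor:
            pairs.append((entry["cve"], pivot["cve"]))
    return pairs


def aging_report(records, today=TODAY):
    """Bucket still-open items by age, the shape of a monthly KEV aging view."""
    buckets = {"0-30d": [], "31-90d": [], "90d+": []}
    for r in records:
        if r["patched"]:
            continue
        days = age_days(r, today)
        key = "0-30d" if days <= 30 else "31-90d" if days <= 90 else "90d+"
        buckets[key].append(r["cve"])
    return buckets


if __name__ == "__main__":
    print("72h SLA breaches:", sla_breaches(KEV_SAMPLE))
    print("chain candidates:", chain_candidates(KEV_SAMPLE))
    print("aging:", aging_report(KEV_SAMPLE))
```

The aging buckets are what surface the Salt Typhoon pattern: two flaws on the same device class sitting open for over a year show up both as a chain candidate and in the 90d+ bucket, regardless of what their individual scores say.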

As vulnerability discovery accelerates and attack methods evolve, relying solely on CVSS scores — especially in isolation — leaves organizations exposed to chains that appear benign until they are not. The lesson from Operation Lunar Peek is clear: defenders must think like attackers, who do not pause at one flaw.

For official updates on CVE-2024-0012 and CVE-2024-9474, refer to the National Vulnerability Database entries maintained by NIST. Organizations seeking guidance on vulnerability prioritization can consult CISA’s Known Exploited Vulnerabilities catalog and the FIRST EPSS model, which supplements CVSS with real-world exploit likelihood.
