Not All Low CVSS Scores Are Low Risk


Briefing: CVE in the KEV Catalog with Low CVSS — Why It Still Matters
CVE‑2016‑3351: A Low‑Scoring Vulnerability with Real‑World Exploits
| Field | Value |
|---|---|
| CVE | CVE‑2016‑3351 |
| Product | Microsoft Internet Explorer (the same CVE also covers Microsoft Edge) |
| CVSS v3 base score | 3.1 (Low) |
| Exploitation | Used in the wild by exploit kits; linked to ransomware campaigns (CryptoWall, Reveton, eCh0raix, Bad Rabbit) |
| CISA KEV listing | Included because of confirmed exploitation in the wild |
| Impact | Information disclosure, not code execution: a crafted web page can learn which file types and applications are present on the visitor's machine, which exploit kits used to fingerprint targets before deciding whether to deliver a payload |
Why It’s on the CISA KEV List
CVE‑2016‑3351 is an older Internet Explorer vulnerability with a low CVSS score. On its own it only leaks information: a malicious page can test which file types and applications are installed on the visitor's machine. That is precisely why exploit kits adopted it. Campaigns used it as a fingerprinting step, screening out researchers and sandboxes before serving the real exploit and the ransomware payload behind it.
This is why CVSS alone can be misleading. The score rates the bug in isolation; attackers value it for its place in a chain. A low score does not mean a low risk.
Key Points:
Theoretical vs. Practical Risk
CVSS scoring reflects potential impact under assumed conditions; it says nothing about whether attackers actually use the bug.
Used in Ransomware Delivery
This vulnerability was exploited by multiple malware families, including CryptoWall and Bad Rabbit, through exploit kits in the wild.
CISA KEV Inclusion Criteria
CISA adds CVEs to the Known Exploited Vulnerabilities (KEV) catalog based on confirmed exploitation, not on score. A vulnerability must meet all three criteria, and this one does:
It has an assigned CVE identifier.
There is reliable evidence that it has been actively exploited in the wild.
There is a clear remediation path, such as a vendor patch or a documented mitigation.
Implications for Vulnerability Management
Do not rely on CVSS alone. This vulnerability is a case study in why that’s dangerous.
Exploitability must factor into prioritization. CISA KEV entries should trigger urgent review regardless of severity score.
Legacy systems remain a real risk. Even if a CVE is years old, if it’s exploitable and present, it’s still a live threat.
Recommended Actions
Verify asset exposure. Are any legacy Internet Explorer versions still in use or accessible?
Apply mitigations or compensating controls. Remove legacy browsers where possible, or isolate and monitor them.
Ensure KEV CVEs are treated as priority. Use a threat-aware prioritization policy that boosts exploited items.
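As an added example (not code from the original article), the script below applies the threat-aware policy recommended above: a finding is checked against the KEV catalog before its CVSS score is even consulted, so a 3.1 that is exploited in the wild lands ahead of a 9.8 that is not. The KEV excerpt is constructed inline in the shape of CISA's JSON feed (field names follow the real feed; the CVE-2099-* identifiers, asset names, due dates and ransomware flags are illustrative placeholders), as are the scanner findings, so the script runs offline.

```python
"""Threat-aware prioritization: KEV membership outranks the CVSS score.

Added illustration, not code from the article. The KEV excerpt and the scan
findings are constructed so the script runs offline; a real run would load
CISA's published KEV JSON feed and your scanner's export instead.
"""
import json
from datetime import date

# Constructed excerpt shaped like CISA's KEV feed. Field names match the real
# feed; CVE-2099-* entries are hypothetical and dates/flags are illustrative.
KEV_SAMPLE = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-2016-3351", "vendorProject": "Microsoft",
         "product": "Internet Explorer and Edge",
         "knownRansomwareCampaignUse": "Known", "dueDate": "2022-04-18"},
        {"cveID": "CVE-2099-0001", "vendorProject": "ExampleCorp",
         "product": "ExampleServer",
         "knownRansomwareCampaignUse": "Unknown", "dueDate": "2099-06-01"},
    ]
})

# Constructed scanner findings: CVSS base score plus one exposure attribute.
FINDINGS = [
    {"asset": "kiosk-07",      "cve": "CVE-2016-3351", "cvss": 3.1, "internet_facing": True},
    {"asset": "build-agent-2", "cve": "CVE-2099-0001", "cvss": 5.4, "internet_facing": False},
    {"asset": "db-01",         "cve": "CVE-2099-0002", "cvss": 9.8, "internet_facing": False},
    {"asset": "hr-laptop-13",  "cve": "CVE-2099-0003", "cvss": 6.1, "internet_facing": False},
]


def load_kev(feed_text):
    """Index a KEV feed by CVE ID for O(1) membership checks."""
    return {v["cveID"]: v for v in json.loads(feed_text)["vulnerabilities"]}


def tier(finding, kev):
    """Assign a remediation tier (0 = act now, 3 = backlog) and the reason.

    KEV membership is tested first; CVSS only breaks ties among findings
    with no evidence of exploitation.
    """
    rec = kev.get(finding["cve"])
    if rec is not None:
        if rec.get("knownRansomwareCampaignUse") == "Known" or finding["internet_facing"]:
            return 0, "in KEV; ransomware use or internet-facing asset"
        return 1, "in KEV; exploited in the wild"
    if finding["cvss"] >= 7.0:
        return 2, "high/critical CVSS, no known exploitation"
    return 3, "CVSS-only, no known exploitation"


def overdue(finding, kev, today_iso):
    """True if the KEV due date for this CVE is earlier than today_iso."""
    rec = kev.get(finding["cve"])
    return rec is not None and date.fromisoformat(rec["dueDate"]) < date.fromisoformat(today_iso)


def prioritize(findings, kev):
    """Order findings by tier, then by CVSS descending within a tier."""
    return sorted(findings, key=lambda f: (tier(f, kev)[0], -f["cvss"]))


def cvss_only_order(findings):
    """The naive ordering most scanners hand you: CVSS descending."""
    return [f["asset"] for f in sorted(findings, key=lambda f: -f["cvss"])]


def threat_aware_order(findings, kev):
    """Asset names in the order the KEV-first policy would work them."""
    return [f["asset"] for f in prioritize(findings, kev)]


if __name__ == "__main__":
    kev = load_kev(KEV_SAMPLE)
    today = "2024-01-01"  # fixed so the run is reproducible
    print("CVSS-only order:   ", cvss_only_order(FINDINGS))
    print("Threat-aware order:", threat_aware_order(FINDINGS, kev))
    for f in prioritize(FINDINGS, kev):
        t, why = tier(f, kev)
        flag = "  OVERDUE" if overdue(f, kev, today) else ""
        print(f"P{t} {f['asset']:<14} {f['cve']} CVSS {f['cvss']:<4} {why}{flag}")
```

The CVSS-only ordering puts the 3.1 finding last; the KEV-first ordering puts it first because it is both exploited and on an internet-facing asset. The exposure attribute and the tier thresholds are policy choices to tune for your environment; the invariant to keep is that KEV membership is evaluated before severity, never after it.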
Summary
CVE‑2016‑3351 may not stand out by CVSS score alone, but it has a clear record of real-world abuse. The fact that it remains on CISA’s KEV list underscores the importance of prioritizing based on exploitation activity — not just severity metrics.
If your prioritization policy doesn’t currently factor in KEV or known exploited vulnerabilities, this is a strong reason to update it.
Written by Dave Hall