CVSS triage missed a Palo Alto attack chain, scoring two CVEs as manageable that together enabled root
Published on 24 April 2026

Both CVEs looked low risk alone, but together gave root
A CrowdStrike-linked analysis of Operation Lunar Peek shows how CVSS scoring can fail in practice. Attackers chained two Palo Alto CVEs across 13,000 exposed management interfaces, ultimately gaining root. CVSS v4 and v3.1 assigned conflicting, “manageable” ratings that never flagged the combined kill chain, exposing gaps in how teams triage, patch, and report risk.
- Two “manageable” CVSS scores chained to unauthenticated remote admin and root
- CVSS treats vulnerabilities as isolated, but real attacks chain multiple flaws
- Zero-day exploitation is speeding up, shrinking patch windows to days
- Identity gaps and AI-discovered flaws can overwhelm traditional pipelines
This summarization was done by Beige for a story published on Venture Beat.
