D4 · Operations

How do you prioritize patches?

Patch prioritization weighs several factors: CVSS score, exploitation in the wild (CISA KEV catalog), asset criticality, exposure (internet-facing or not), and whether compensating controls are available.
A vulnerability listed in CISA's Known Exploited Vulnerabilities (KEV) catalog must be patched immediately. CVSS alone is insufficient: a 9.8 CVSS on an internal dev server is lower priority than a 7.0 on an internet-facing payment server.