When it comes to multiple vulnerabilities in the network, it is not enough to consider only the CSVV score. I can name some other factors that should be taken into account: - impact scope of vulnerablities (which parts and how much) - accessablity of the vulnarable objects (internal or external) - the usage of the vulnerable service/device in the network (How many users/devices) For example, a public service with a vulnerability score of 8 may pose a greater risk than a completely internal service with a score of 9.5!

When faced with multiple network vulnerabilities, I would start by assessing their risk impact (CVSS score). I would then first deal with those with high or critical ratings (9.0-10.0), as they pose the greatest threat. Next, I would consider the exploitability of each vulnerability, prioritizing those with active exploits or widely available attack methods, since they are more likely to be targeted and can cause immediate damage if left to chance.

If it bleeds it Leeds. I’d find out the risks that pose the biggest risk to my network and fix those things first. The other things that is going to determine the order of fixing things is does it cause an outage and how long will that outage be. If I can fix something with no outage even if its risk is lower I would probably fix that just to get it off the list. Things that are going to cause outages means talking to the people to outage is going to affect to schedule the outage.

Assess and address internet facing vulnerabilities first, as they tend to be more dangerous, implement MFA whenever possible.