This is textbook example of the type of input you’d apply to an exposure management process:
- Take the CISA list, along with others, and overlay these vulnerabilities atop your attack surface. The resultant list are your most at-risk assets.
- Remove any assets where you have a strong mitigating control in place.
- Patch or otherwise mitigate these vulnerabilities on these assets (really, patch them all, and then consider further mitigations, should the class of attack reappear in the form of another vulnerability down the line).
Note that CISA has produced these lists for three years, but there are related lists (some being the product of CISA’s work combined with other partners). You can find them here: https://www.cisa.gov/search?g=Top%20Routinely%20Exploited%20Vulnerabilities