[フレーム]
You are viewing this page in an unauthorized frame window.

This is a potential security issue, you are being redirected to https://csrc.nist.gov.

You have JavaScript disabled. This site requires JavaScript to be enabled for complete site functionality.

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

    Publications

NIST CSWP 41

Likely Exploited Vulnerabilities: A Proposed Metric for Vulnerability Exploitation Probability

Documentation Topics

Date Published: May 19, 2025

Author(s)

Peter Mell (NIST), Jonathan Spring (CISA)

Abstract

This work presents a proposed security metric to determine the likelihood that a vulnerability has been observed to be exploited. Only a small fraction of the tens of thousands of software and hardware vulnerabilities that are published every year will be exploited. Predicting which ones is important for the efficiency and cost effectiveness of enterprise vulnerability remediation efforts. Currently, such remediation efforts rely on the Exploit Prediction Scoring System (EPSS), which has known inaccurate values, and Known Exploited Vulnerability (KEV) lists, which may not be comprehensive. The proposed likelihood metric may augment EPSS remediation (correcting some inaccuracies) and KEV lists (enabling measurements of comprehensiveness). However, collaboration with industry is necessary to provide necessary performance measurements.

This work presents a proposed security metric to determine the likelihood that a vulnerability has been observed to be exploited. Only a small fraction of the tens of thousands of software and hardware vulnerabilities that are published every year will be exploited. Predicting which ones is... See full abstract

This work presents a proposed security metric to determine the likelihood that a vulnerability has been observed to be exploited. Only a small fraction of the tens of thousands of software and hardware vulnerabilities that are published every year will be exploited. Predicting which ones is important for the efficiency and cost effectiveness of enterprise vulnerability remediation efforts. Currently, such remediation efforts rely on the Exploit Prediction Scoring System (EPSS), which has known inaccurate values, and Known Exploited Vulnerability (KEV) lists, which may not be comprehensive. The proposed likelihood metric may augment EPSS remediation (correcting some inaccuracies) and KEV lists (enabling measurements of comprehensiveness). However, collaboration with industry is necessary to provide necessary performance measurements.


Hide full abstract

Keywords

Common Vulnerabilities and Exposures; CVE; Known Exploited Vulnerabilities; KEV; Exploit Prediction Scoring System; EPSS; exploit; Likely Exploited Vulnerabilities; LEV; metrology; prediction; scoring; security; vulnerability
Control Families

None selected

Documentation

Publication:
https://doi.org/10.6028/NIST.CSWP.41
Download URL

Supplemental Material:
None available

Document History:
05/19/25: CSWP 41 (Final)

Topics

Security and Privacy

security measurement, vulnerabilities

AltStyle によって変換されたページ (->オリジナル) /