NIST Introduces LEV Metric to Enhance Vulnerability Management

On May 19, 2025, the U.S. National Institute of Standards and Technology (NIST) unveiled a pioneering security metric aimed at estimating the likelihood that software vulnerabilities have been exploited, even in the absence of direct evidence. This initiative, detailed in NIST CSWP 41, "Likely Exploited Vulnerabilities: A Proposed Metric for Vulnerability Exploitation Probability", was authored by Peter Mell, formerly of NIST, and Jonathan Spring from the Cybersecurity and Infrastructure Security Agency (CISA).

Addressing a Critical Gap in Vulnerability Management

Traditional vulnerability management strategies often fall short in effectively prioritizing threats. Studies indicate that only about 5% of known vulnerabilities are exploited in the wild, yet organizations typically remediate just 16% of these vulnerabilities each month. This discrepancy underscores the need for a more nuanced approach to vulnerability prioritization.

Existing systems like the Exploit Prediction Scoring System (EPSS) and Known Exploited Vulnerabilities (KEV) lists have their limitations. EPSS estimates the likelihood of exploitation within the next 30 days but does not account for past exploitations, leading to potential inaccuracies. On the other hand, KEV lists catalog confirmed exploited vulnerabilities but may not be comprehensive, lacking a metric to measure their coverage. This disconnect between predictive models and confirmed exploitations creates a significant gap in vulnerability management.

Introducing the Likely Exploited Vulnerabilities (LEV) Metric

The LEV metric is designed to bridge this gap by providing a mathematical framework that compounds EPSS scores over time to calculate the cumulative probability of exploitation. The paper introduces two variants: LEV and LEV2.

– LEV Variant: Utilizes EPSS scores as 30-day window predictors, requiring fewer computational resources.

– LEV2 Variant: Treats EPSS scores as daily predictors by dividing them by 30, offering greater responsiveness to changing scores but demanding more processing power.

Both variants provide lower-bound estimates that improve with more data points, enabling organizations to better assess and prioritize vulnerabilities.
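The following Python is an added illustration of the compounding described above; it is not code from NIST CSWP 41 or its authors. The trailing partial-window weighting and the "take the maximum of EPSS, LEV and KEV membership" composite rule are my assumptions, and the EPSS histories and CVE identifier are constructed placeholders.

```python
"""Illustrative LEV / LEV2 compounding of a daily EPSS history (added example)."""

WINDOW = 30  # EPSS predicts exploitation within the next 30 days


def lev(daily_epss, window=WINDOW):
    """LEV variant: each EPSS score sampled at the start of a 30-day window is
    treated as the exploitation probability for that whole window. The
    probability of *never* being exploited is the product of (1 - p) over the
    windows, so LEV is one minus that product.
    Assumption (not from the page): a trailing partial window is scaled by its
    length / window so a short tail does not count as a full 30 days."""
    p_not_exploited = 1.0
    for start in range(0, len(daily_epss), window):
        days_in_window = min(window, len(daily_epss) - start)
        p_not_exploited *= 1.0 - daily_epss[start] * (days_in_window / window)
    return 1.0 - p_not_exploited


def lev2(daily_epss, window=WINDOW):
    """LEV2 variant: every daily score is divided by 30 and treated as that
    day's exploitation probability, so a mid-window jump is seen immediately."""
    p_not_exploited = 1.0
    for p in daily_epss:
        p_not_exploited *= 1.0 - p / window
    return 1.0 - p_not_exploited


def composite_priority(cve_id, daily_epss, kev_ids):
    """Assumed composite rule: confirmed exploitation (KEV) dominates; otherwise
    take the largest of the current EPSS prediction and the two LEV inferences."""
    if cve_id in kev_ids:
        return 1.0
    return max(daily_epss[-1], lev(daily_epss), lev2(daily_epss))


# Constructed 90-day EPSS history: low for two months, then a sharp rise.
SAMPLE_HISTORY = [0.02] * 30 + [0.05] * 30 + [0.40] * 30
# Constructed history where the rise lands mid-window (day 45), which only LEV2
# picks up before the next 30-day sample point.
SPIKE_HISTORY = [0.01] * 45 + [0.50] * 15
KEV_IDS = {"CVE-0000-KEVPLACEHOLDER"}  # placeholder KEV entries

if __name__ == "__main__":
    print(f"LEV  = {lev(SAMPLE_HISTORY):.4f}")   # 1 - 0.98*0.95*0.60 = 0.4414
    print(f"LEV2 = {lev2(SAMPLE_HISTORY):.4f}")
    print(f"LEV  (spike) = {lev(SPIKE_HISTORY):.4f}, LEV2 (spike) = {lev2(SPIKE_HISTORY):.4f}")
    print(f"composite = {composite_priority('CVE-0000-EXAMPLE', SAMPLE_HISTORY, KEV_IDS):.4f}")
```

Both functions are lower bounds that can only grow as more daily scores are appended, which is the property the paper relies on for estimating KEV coverage.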

Key Capabilities Enabled by LEV

The LEV metric introduces four critical capabilities to vulnerability management:

1. Measurement of Exploited CVEs: Allows organizations to estimate the expected proportion of exploited Common Vulnerabilities and Exposures (CVEs).

2. Assessment of KEV List Comprehensiveness: Provides a method to evaluate the coverage of KEV lists, identifying potential gaps.

3. Identification of High-Risk CVEs: Highlights high-risk CVEs not currently listed in KEV, with empirical data revealing several hundred vulnerabilities with a probability of almost 1.0 that remain unlisted.

4. Composite Prioritization Approach: Combines predictions, known exploitations, and statistical inferences to create more defensible prioritization strategies.

Implications for Cybersecurity Practices

The introduction of the LEV metric represents a significant advancement in the mathematics of vulnerability management. It is designed to complement, rather than replace, existing tools, offering a composite equation that integrates LEV with current approaches. This provides organizations with a more comprehensive view of their vulnerability landscape.

As organizations continue to grapple with an overwhelming number of vulnerabilities and limited remediation resources, the LEV metric offers a promising solution to prioritize efforts more effectively. By focusing on vulnerabilities with a higher likelihood of exploitation, security teams can allocate resources more efficiently, potentially reducing the risk of cyber incidents.

Conclusion

NIST’s development of the LEV metric marks a pivotal step forward in vulnerability management. By addressing the limitations of existing systems and providing a more accurate estimation of exploitation probabilities, the LEV metric empowers organizations to enhance their cybersecurity posture. As this metric is adopted and refined, it is expected to play a crucial role in shaping future vulnerability management strategies.