NOTICE: Due to a lapse in annual appropriations, most of this website is not being updated. Learn more.

Form submissions will still be accepted but will not receive responses at this time. Sections of this site for programs using non-appropriated funds (such as NVLAP) or those that are excepted from the shutdown (such as CHIPS and NVD) will continue to be updated.

U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

PUBLICATIONS

Likely Exploited Vulnerabilities, A Proposed Metric for Vulnerability Exploitation Probability

Published

Author(s)

Peter Mell, Jonathan M Spring

Abstract

This work presents a proposed security metric to determine the likelihood that a vulnerability has been observed to be exploited. Only a small fraction of the tens of thousands of software and hardware vulnerabilities that are published every year will be exploited. Predicting which ones is important for the efficiency and cost effectiveness of enterprise vulnerability remediation efforts. Currently, such remediation efforts rely on the Exploit Prediction Scoring System (EPSS), which has known inaccurate values, and Known Exploited Vulnerability (KEV) lists, which may not be comprehensive. The proposed likelihood metric may augment EPSS remediation (correcting some inaccuracies) and KEV lists (enabling measurements of comprehensiveness). However, collaboration with industry is necessary to provide necessary performance measurements.
Citation
NIST Cybersecurity White Papers (CSWP) - 41
Report Number
41
Pub Type
NIST Pubs

Download Paper

https://doi.org/10.6028/NIST.CSWP.41
Local Download

Keywords

Common Vulnerabilities and Exposures, CVE, Known Exploited Vulnerabilities, KEV, Exploit Prediction Scoring System, EPSS, Exploit, Likely Exploited Vulnerabilities, LEV, Metrology, Prediction, Scoring, Security, Vulnerability
Information technology and Cybersecurity and privacy

Citation

Mell, P. and Spring, J. (2025), Likely Exploited Vulnerabilities, A Proposed Metric for Vulnerability Exploitation Probability, NIST Cybersecurity White Papers (CSWP), National Institute of Standards and Technology, Gaithersburg, MD, [online], https://doi.org/10.6028/NIST.CSWP.41, https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=959845 (Accessed October 9, 2025)

Issues

If you have any questions about this publication or are having problems accessing it, please contact [email protected].

Created May 19, 2025
Was this page helpful?