NOTICE: Due to a lapse in annual appropriations, most of this website is not being updated. Learn more.
Form submissions will still be accepted but will not receive responses at this time. Sections of this site for programs using non-appropriated funds (such as NVLAP) or those that are excepted from the shutdown (such as CHIPS and NVD) will continue to be updated.
An official website of the United States government
Here’s how you know
Official websites use .gov
A .gov website belongs to an official government organization in the United States.
Secure .gov websites use HTTPS
A lock (
) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.
Measuring the Exploitation of Weaknesses in the Wild
Published
Author(s)
Peter Mell, Irena Bojanova, Carlos Eduardo Cardoso Galhardo
Abstract
Identifying the software weaknesses exploited by attacks supports efforts to reduce developer introduction of vulnerabilities and to guide security code review efforts. A weakness is a bug or fault type that can be exploited through an operation that results in a security-relevant error. Ideally, the security community would measure the prevalence of the software weaknesses used in actual exploitation. This work advances that goal by introducing a simple metric that utilizes public data feeds to determine the probability of a weakness being exploited in the wild for any 30-day window. The metric is evaluated on a set of 130 weaknesses that were commonly found in vulnerabilities between April 2021 and March 2024. Our analysis reveals that 92 % of the weaknesses are not being constantly exploited.
Mell, P.
, Bojanova, I.
and Cardoso Galhardo, C.
(2024),
Measuring the Exploitation of Weaknesses in the Wild, IT Professional (IEEE), [online], https://doi.org/10.1109/MITP.2024.3399485, https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=957805
(Accessed October 10, 2025)