NIST proposes new metric to gauge exploited vulnerabilities
NIST has introduced a new way to estimate which software vulnerabilities have likely been exploited, and it’s calling on the cybersecurity community to help improve and validate the method.
The new metric, “Likely Exploited Vulnerabilities” (LEV), aims to close a key gap in vulnerability management: identifying which of the thousands of reported flaws each year are actually being used in real-world attacks.
Organizations typically rely on two main tools for this: the Exploit Prediction Scoring System (EPSS), which estimates the probability that a vulnerability will see exploitation activity in the next 30 days, and Known Exploited Vulnerability (KEV) lists like the one maintained by CISA. But both have limits. EPSS is forward-looking and says nothing about whether exploitation has already happened, while KEV lists record confirmed cases but are known to be incomplete.
LEV aims to bridge that gap by calculating the probability that a vulnerability has been exploited in the past, based on historical EPSS data. It’s a statistical estimate, not a confirmation, which is why the whitepaper emphasizes that LEV is meant to augment, not replace, existing methods.
Why this matters
The stakes are high. Remediating vulnerabilities is time-consuming and costly. According to the paper, most companies manage to patch only about 16% of the vulnerabilities affecting their systems each month. Meanwhile, research shows that only about 5% of vulnerabilities are ever exploited in the wild. Ideally, organizations would spend their limited resources patching that small but dangerous subset, but identifying it has proven difficult.
That’s where LEV comes in. By helping organizations prioritize vulnerabilities that are likely to have already been used in attacks, the metric could make patching efforts more targeted and effective.
The researchers outline four key ways LEV could be used:
1. Estimate how many vulnerabilities have been exploited.
2. Check how complete KEV lists are.
3. Identify high-risk vulnerabilities missing from those lists.
4. Fix blind spots in EPSS, which sometimes underestimates risk for already-exploited bugs.
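The calculation sketched above, worked through as an added example that is not NIST's published LEV code and does not claim to reproduce the whitepaper's exact formula: each 30-day EPSS score is treated as an independent probability of exploitation in that window, so the probability that exploitation happened in at least one window is 1 minus the product of (1 - score) across windows. The CVE identifiers, score histories and KEV entries below are constructed for the example, the scaling of a partial final window and the max(EPSS, LEV) composite are choices made here, and the KEV completeness ratio is a simple illustration of use 2 rather than a statement of the paper's method.

```python
from typing import Dict, List, Set

# Constructed sample input: the CVE IDs and scores are made up for this
# example. Each list holds one EPSS score per consecutive 30-day window,
# oldest first, ending at the date of interest.
EPSS_HISTORY: Dict[str, List[float]] = {
    "CVE-2023-0001": [0.02, 0.05, 0.40, 0.70, 0.75],  # climbed sharply
    "CVE-2023-0002": [0.01, 0.01, 0.02, 0.02, 0.02],  # stayed low
    "CVE-2023-0003": [0.10, 0.12, 0.15, 0.14, 0.20],  # moderate, steady
}

# Constructed KEV list for the example (not CISA's real catalog).
KEV: Set[str] = {"CVE-2023-0001"}


def lev(window_scores: List[float], days_in_last_window: int = 30) -> float:
    """Probability that exploitation occurred in at least one window.

    Each window's EPSS score is treated as an independent 30-day
    exploitation probability (the independence assumption the article
    notes), so P(never exploited) is the product of (1 - p_i) and
    LEV = 1 - that product. The final window may not be a full 30 days
    yet, so its score is scaled by the elapsed fraction; that weighting
    is an assumption made for this example.
    """
    p_never = 1.0
    last = len(window_scores) - 1
    for i, p in enumerate(window_scores):
        weight = 1.0 if i < last else min(1.0, days_in_last_window / 30.0)
        p_never *= 1.0 - p * weight
    return 1.0 - p_never


def lev_scores(history: Dict[str, List[float]],
               days_in_last_window: int = 30) -> Dict[str, float]:
    """LEV for every CVE in a score history."""
    return {cve: lev(s, days_in_last_window) for cve, s in history.items()}


def expected_exploited_count(scores: Dict[str, float]) -> float:
    """Use 1: expected number of exploited CVEs is the sum of the per-CVE
    probabilities (linearity of expectation; no independence needed here)."""
    return sum(scores.values())


def kev_coverage_estimate(scores: Dict[str, float], kev: Set[str]) -> float:
    """Use 2: rough KEV completeness = KEV entries among these CVEs divided
    by the expected number that were exploited (illustrative ratio)."""
    expected = expected_exploited_count(scores)
    return len(kev.intersection(scores)) / expected if expected else 0.0


def likely_exploited(scores: Dict[str, float], threshold: float) -> List[str]:
    """A 'likely exploited' list at an organization-chosen threshold."""
    return sorted(c for c, p in scores.items() if p >= threshold)


def missing_from_kev(scores: Dict[str, float], kev: Set[str],
                     threshold: float) -> List[str]:
    """Use 3: CVEs above the threshold that the KEV list does not contain."""
    return [c for c in likely_exploited(scores, threshold) if c not in kev]


def composite(current_epss: float, lev_score: float) -> float:
    """Use 4: one simple way to cover an EPSS blind spot on an already
    exploited bug is to never rank it below its LEV. Taking the max is a
    choice made for this example, not necessarily the whitepaper's."""
    return max(current_epss, lev_score)


if __name__ == "__main__":
    scores = lev_scores(EPSS_HISTORY)
    for cve, p in sorted(scores.items()):
        print(f"{cve}: LEV={p:.3f}")
    print("expected exploited:", round(expected_exploited_count(scores), 3))
    print("KEV coverage estimate:", round(kev_coverage_estimate(scores, KEV), 3))
    print("likely exploited @0.5:", likely_exploited(scores, 0.5))
    print("missing from KEV @0.5:", missing_from_kev(scores, KEV, 0.5))
```

Note how the third CVE never has a high EPSS score in any single window yet accumulates a LEV above 0.5 over five windows: that is exactly the kind of vulnerability a point-in-time EPSS look would rank low and a KEV list might not carry. It is also why the independence assumption matters; if the windows are positively correlated, the product understates P(never exploited) and LEV overstates the risk.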
A matter of policy and trust
For CISOs and policy makers, LEV introduces new ways to measure and justify vulnerability management strategies. It can support compliance, guide operational decisions, and help explain risk posture to boards and regulators.
It also raises important questions: Should agencies expand the scope of their KEV lists based on LEV scores? Should patching guidance start to include “likely exploited” designations, even without hard evidence? These are policy decisions that go beyond NIST’s role, but the metric gives leaders new data to consider.
NIST makes clear that LEV isn't perfect. It depends on the accuracy of EPSS, which has improved over time but is still far from perfect. And it requires statistical assumptions, such as treating EPSS scores from successive windows as independent, that may not always hold. Perhaps most importantly, LEV scores are currently unvalidated: there is no ground-truth data on when vulnerabilities were first exploited against which the estimates can be checked.
Which brings us to the heart of the whitepaper’s call to action: NIST needs partners.
Industry collaboration wanted
To measure how well LEV works, researchers need access to data showing when specific vulnerabilities were first exploited. That data is scarce and sensitive. It’s also usually held by private sector companies such as threat intelligence firms, security vendors, and large enterprises with mature detection capabilities.
NIST is actively seeking collaboration with such partners. Without real-world validation, LEV will remain a promising idea rather than a trusted tool.
If the industry steps up, though, LEV could become an important new metric in the cybersecurity toolbox. It won’t replace expert judgment, threat intel, or existing systems, but it could sharpen them. And in a landscape where patch fatigue is real and resource constraints are constant, that’s no small thing.
What’s next
The LEV code is already available and calculates scores based on public EPSS data. For now, it works best with CVEs published after March 2023, when EPSS version 3, the most accurate to date, was introduced. Scores can be updated daily, and LEV lists can be generated based on whatever probability threshold an organization chooses.
If we can’t say for sure which vulnerabilities have been exploited, we can at least make an informed guess, and that may be enough to drive smarter and more focused action.