On May 19, 2025, the National Institute of Standards and Technology (NIST) and the Cybersecurity and Infrastructure Security Agency (CISA) published NIST Cybersecurity White Paper 41 (CSWP 41), introducing a proposed metric called Likely Exploited Vulnerabilities (LEV).
This metric aims to estimate the probability that a given software or hardware vulnerability, identified by its Common Vulnerabilities and Exposures (CVE) number, has already been exploited in the wild, even if there is no direct evidence yet.
Currently, organizations rely on two main tools to prioritize vulnerability remediation:
- Exploit Prediction Scoring System (EPSS): Provides a 30-day probability that a vulnerability will be exploited, but does not account for past exploitation.
- Known Exploited Vulnerabilities (KEV) lists: Catalogs vulnerabilities confirmed to be exploited, but may not be comprehensive or timely.
However, both systems have limitations.
EPSS can underestimate the risk for vulnerabilities that have already been exploited, while KEV lists may miss newly exploited or unreported vulnerabilities.
The LEV Metric: Technical Foundations and Equations
The LEV metric is designed to complement, not replace, existing systems.
It uses statistical models and probability theory to combine historical EPSS scores and KEV list data, calculating the cumulative probability that a vulnerability has been exploited at any point in the past.
Key technical features:
- LEV Equation: The primary formula compounds daily or 30-day EPSS scores, using a weight function to reflect the window size. The basic form is $\text{LEV} \geq 1 - \prod_{i=1}^{t} \left(1 - \text{EPSS}(W_i) \cdot \text{weight}_i\right)$, where $\text{EPSS}(W_i)$ is the EPSS score for window $i$ and $\text{weight}_i$ adjusts for the window's length.
- Variants:
  - LEV: Optimized for environments with limited computational resources.
  - LEV2: Offers greater granularity but requires more processing power.
- Output Data: For each CVE, the LEV system can provide:
  - Probability of past exploitation
  - Peak EPSS score and date
  - 30-day EPSS score history
  - Affected products (using Common Platform Enumeration, CPE)
- Composite Probability Equation: NIST also proposes a composite approach that merges EPSS predictions, KEV confirmations, and LEV statistical inferences for a more robust prioritization strategy.
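The following is an added worked example (not code from NIST or CSWP 41) that evaluates the LEV lower bound above over a constructed EPSS history, reports the peak score and date, and applies a composite rule. Two choices are assumptions: the weight of a window is the fraction of the 30-day EPSS horizon it covers, and the composite treats KEV membership as confirmed and otherwise takes the larger of the current EPSS and LEV.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class EpssWindow:
    """One EPSS scoring window for a CVE."""
    start: str    # ISO date the score was published (informational only)
    epss: float   # 30-day exploitation probability published at window start
    days: int     # days the window covers (30 for full windows, shorter for the last)


def window_weight(days: int, horizon: int = 30) -> float:
    """Assumed weight: share of the 30-day EPSS horizon that the window covers."""
    if days <= 0:
        raise ValueError("window length must be positive")
    return min(days, horizon) / horizon


def lev_lower_bound(windows: list[EpssWindow]) -> float:
    """LEV >= 1 - prod_i (1 - EPSS(W_i) * weight_i): probability that exploitation
    occurred in at least one past window, assuming windows are independent."""
    not_exploited = 1.0  # running probability that no window saw exploitation
    for w in windows:
        if not 0.0 <= w.epss <= 1.0:
            raise ValueError(f"EPSS out of range at {w.start}: {w.epss}")
        not_exploited *= 1.0 - w.epss * window_weight(w.days)
    return 1.0 - not_exploited


def peak_epss(windows: list[EpssWindow]) -> tuple[float, str]:
    """Highest EPSS score in the history and the date it was published."""
    best = max(windows, key=lambda w: w.epss)
    return best.epss, best.start


def composite_probability(in_kev: bool, current_epss: float, lev: float) -> float:
    """Assumed composite rule: KEV listing counts as confirmed exploitation (1.0);
    otherwise use the larger of forward-looking EPSS and backward-looking LEV."""
    return 1.0 if in_kev else max(current_epss, lev)


# Constructed EPSS history for a hypothetical CVE (not real published scores).
SAMPLE_HISTORY = [
    EpssWindow("2024-01-01", 0.02, 30),
    EpssWindow("2024-01-31", 0.05, 30),
    EpssWindow("2024-03-01", 0.40, 30),  # score spike in this window
    EpssWindow("2024-03-31", 0.15, 30),
    EpssWindow("2024-04-30", 0.10, 12),  # partial final window, weight 12/30
]

if __name__ == "__main__":
    lev = lev_lower_bound(SAMPLE_HISTORY)
    print(f"LEV lower bound: {lev:.4f}")  # 0.5442
    print("peak EPSS (score, date):", peak_epss(SAMPLE_HISTORY))
    print("composite, not in KEV:", composite_probability(False, 0.10, lev))
```

Note that a single high window dominates the bound: LEV can never fall below the largest weighted EPSS score in the history, which is why a CVE whose score has since decayed still ranks as likely exploited.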
Implications for Cybersecurity Operations
The introduction of the LEV metric could be transformative for security operations teams (SecOps) and vulnerability management programs.
By estimating which vulnerabilities are most likely to have been exploited, even before confirmation, organizations can:
- Prioritize Patch Management: Focus limited resources on vulnerabilities with the highest likelihood of exploitation, potentially improving remediation efficiency and reducing risk.
- Assess KEV List Coverage: Measure the comprehensiveness of KEV lists and identify high-risk CVEs not yet included.
- Augment Existing Tools: Correct known blind spots in EPSS and supplement KEV lists, providing a more defensible and data-driven approach to vulnerability prioritization.
However, the LEV metric is not without limitations.
Its accuracy depends on the quality and completeness of EPSS data, and it cannot confirm exploitation—only estimate its likelihood.
NIST is seeking collaboration with industry partners to validate and refine the metric using real-world exploitation datasets.
As cyber threats continue to evolve, the LEV metric represents a significant step forward in vulnerability risk assessment, offering organizations a new tool to stay ahead of attackers and better protect critical systems.