The US National Institute of Standards and Technology (NIST) has launched a new metric to assess the likelihood that a vulnerability is being exploited.
In a technical white paper, published on May 19, NIST introduced a new metric called Likely Exploited Vulnerabilities (LEV) to help organizations determine if a product vulnerability has been exploited.
The LEV calculation guides prioritization efforts and builds upon the existing Exploit Prediction Scoring System (EPSS).
EPSS is a data-driven scoring system introduced in 2018 by a team within the Forum of Incident Response and Security Teams (FIRST).
EPSS predicts the likelihood of a vulnerability being exploited within a specific timeframe, typically 30 days. It considers various factors to generate a probability score, indicating the likelihood of exploitation. EPSS v4, its latest version, was released in March 2025.
Likely Exploited Vulnerabilities Metric Explained
LEV enhances EPSS by providing a more nuanced approach to vulnerability exploitation prediction.
Typically, LEV could provide vulnerability management leaders with daily information on each CVE.
“This includes the overall past exploitation probability, but also includes additional supportive data to enable a person to understand a vulnerability’s history concerning exploitation probability,” the NIST white paper reads.
When using LEV, vulnerability managers would receive the following data:
- CVE name, publish date and description
- LEV probability ( i.e. the probability of past observation of exploitation)
- The peak (i.e. maximum) EPSS score among the evaluated 30-day windows
- The date of the peak EPSS score
- The EPSS scores for each of the 30-day windows
- The dates for each window
- The affected products using Common Platform Enumeration (CPE) values
The NIST white paper presents two versions of the LEV equation:
- One that utilizes EPSS scores as intended for 30-day windows
- Another that divides EPSS scores by 30 to create single-day predictions
The latter requires more computational resources and incorporates more EPSS scores, considering changing scores over time.
Complementary to EPSS and KEV lists
According to NIST, LEV can be used in conjunction with EPSS and the Known Exploited Vulnerability (KEV) lists – as provided by the US Cybersecurity and Infrastructure Security Agency (CISA KEV), private sector firms (e.g. VulnCheck KEV) and the open source community (OpenKEV) – to improve vulnerability prioritization.
“This is important because it has been shown empirically that KEV lists are not comprehensive relative to the total set of vulnerabilities. Also, EPSS is, by design, inaccurate for vulnerabilities previously observed to be exploited,” the NIST authors wrote.
However, the standardization agency also noted that LEV has an unknown margin of error, mainly due to the limitations of EPSS, which does not account for past vulnerability exploitation when generating its scores.
Furthermore, vulnerabilities exploited within 30 days will not receive a score bump in subsequent periods.
Despite these limitations, NIST hopes that the white paper will not only provide a valuable tool for organizations but also identify opportunities to improve existing systems used to determine vulnerability exploitation.
Read now: Vulnerability Exploit Assessment Tool EPSS Exposed to Adversarial Attack
