NIST introduces new metric to better assess if flaws are being exploited


The US National Institute of Standards and Technology (NIST) has unveiled a new tool to help cybersecurity teams better assess whether software vulnerabilities are actively being exploited. The new metric, Likely Exploited Vulnerabilities (LEV), was introduced in a technical white paper published earlier this month.

LEV builds on the Exploit Prediction Scoring System (EPSS), a model developed by the Forum of Incident Response and Security Teams (FIRST) in 2018. While EPSS predicts the likelihood of exploitation over a 30-day period, LEV provides a historical view, offering deeper insights into whether a vulnerability has actually been exploited.

According to NIST, the LEV metric offers a more nuanced approach to prioritizing vulnerabilities by evaluating past exploitation probabilities. This enhancement is particularly useful for vulnerability management leaders, who can now access detailed, daily intelligence on Common Vulnerabilities and Exposures (CVEs).

Each LEV report includes:

  • CVE ID, publish date, and description

  • Probability of past exploitation (LEV score)

  • Peak EPSS score and the date it occurred

  • A breakdown of EPSS scores across multiple 30-day periods

  • Product details via Common Platform Enumeration (CPE)

LEV is calculated using two methods: one applies standard EPSS 30-day scores, and the other refines predictions by breaking those scores into daily estimates.
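As an added illustration (not code from NIST's white paper, whose exact formula this page does not give), the Python below combines a constructed sequence of 30-day EPSS scores into a cumulative probability of past exploitation in the two ways the paragraph describes: once per 30-day window, and once after converting each score into a daily estimate so that a window that has only partly elapsed counts proportionally. It also picks out the peak EPSS score and its date from the report fields listed above. The independence assumption between windows and the sample scores are mine.

```python
from datetime import date, timedelta

WINDOW_DAYS = 30  # an EPSS score is the probability of exploitation within 30 days

def lev_from_windows(scores):
    """Method 1: treat each 30-day EPSS score as the probability that the CVE
    was exploited during that window, assume windows are independent, and
    return the probability it was exploited in at least one of them."""
    p_none = 1.0
    for p in scores:
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"EPSS score out of range: {p}")
        p_none *= 1.0 - p
    return 1.0 - p_none

def daily_probability(p30):
    """Per-day probability q such that 1 - (1 - q) ** 30 == p30."""
    return 1.0 - (1.0 - p30) ** (1.0 / WINDOW_DAYS)

def lev_from_daily(scores_and_days):
    """Method 2: spread each 30-day score over its elapsed days so a window
    that has only partly elapsed (e.g. 12 of 30 days) counts proportionally."""
    p_none = 1.0
    for p30, days in scores_and_days:
        if not 0 <= days <= WINDOW_DAYS:
            raise ValueError(f"elapsed days out of range: {days}")
        p_none *= (1.0 - daily_probability(p30)) ** days
    return 1.0 - p_none

def lev_report(history, as_of):
    """history: [(window_start_date, epss_score), ...] in chronological order.
    Returns the score-derived fields of a LEV report for that history."""
    scores = [p for _, p in history]
    elapsed = [(p, min(WINDOW_DAYS, (as_of - start).days)) for start, p in history]
    peak_score, peak_date = max((p, start) for start, p in history)
    return {"lev_windows": lev_from_windows(scores),
            "lev_daily": lev_from_daily(elapsed),
            "peak_epss": peak_score, "peak_epss_date": peak_date}

# Constructed sample history for a hypothetical CVE; these are not real EPSS scores.
SAMPLE_START = date(2024, 1, 1)
SAMPLE_HISTORY = [(SAMPLE_START + timedelta(days=WINDOW_DAYS * i), p)
                  for i, p in enumerate([0.02, 0.05, 0.40, 0.10])]
SAMPLE_AS_OF = SAMPLE_START + timedelta(days=WINDOW_DAYS * 3 + 12)  # 12 days into last window

if __name__ == "__main__":
    print(lev_report(SAMPLE_HISTORY, SAMPLE_AS_OF))
```

With the sample history, the daily method yields a lower score than the whole-window method because the final window has only run for 12 of its 30 days.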

NIST says that LEV should be used alongside other resources like the Known Exploited Vulnerability (KEV) lists provided by CISA, VulnCheck, and the OpenKEV community. However, it also warns users about LEV’s inherent uncertainties, primarily due to EPSS's limitations, such as its lack of retrospective data integration and the inability to retroactively adjust scores for past exploitation events.

