The U.S. National Institute of Standards and Technology (NIST) has unveiled a groundbreaking security metric designed to estimate which software vulnerabilities have likely been exploited, even if organizations don’t yet know it.
Published on May 19, 2025, as NIST CSWP 41, the “Likely Exploited Vulnerabilities: A Proposed Metric for Vulnerability Exploitation Probability” paper by Peter Mell (formerly of NIST) and Jonathan Spring (CISA) addresses a critical gap in vulnerability management.
With studies showing only about 5% of known vulnerabilities are exploited in the wild while organizations typically remediate just 16% per month, this new approach aims to help security teams prioritize their remediation efforts more effectively.
Today’s vulnerability management largely relies on two approaches, both with significant shortcomings.
The Exploit Prediction Scoring System (EPSS) estimates exploitation likelihood in the next 30 days but was “designed to not include past vulnerability exploitation as an input into its model” making it “blind to past exploitation, resulting in inaccurate scores for vulnerabilities that have been previously exploited”.
Meanwhile, Known Exploited Vulnerabilities (KEV) lists catalog confirmed exploited vulnerabilities but “may not be comprehensive, and prior to this research, metrology did not exist to measure their coverage”.
This disconnect between prediction and confirmation creates a critical gap in vulnerability prioritization that the new LEV metric aims to fill.
Likely Exploited Vulnerabilities (LEV) Metric
The Likely Exploited Vulnerabilities (LEV) metric is built on a mathematical foundation that compounds EPSS scores across time to calculate cumulative exploitation probability. The paper introduces two distinct variants: LEV and LEV2.
The base equation, LEV(v, d₀, dₙ) ≥ 1 − ∏ᵢ (1 − epss(v, dᵢ) × weight(dᵢ, dₙ, 30)), where the product runs over the 30-day windows dᵢ between d₀ and dₙ, treats each EPSS score as a predictor for a 30-day window and therefore requires fewer computational resources.
The more granular LEV2 variant treats EPSS scores as covering single days by dividing them by 30, offering greater responsiveness to changing scores but demanding significantly more processing power. Both provide lower-bound estimates that improve with more data points.
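The two variants above, as an added illustration that is not code from the NIST paper: LEV compounds one EPSS score per 30-day window, LEV2 compounds epss/30 for every single day. The weight function is assumed here to be the fraction of a 30-day window that has elapsed by dₙ (so a final partial window counts proportionally), and the EPSS history is a constructed sample, not real scores.

```python
from datetime import date, timedelta

WINDOW = 30  # EPSS predicts exploitation within the next 30 days

# Constructed sample EPSS history for one hypothetical CVE (not real data):
# the score on each date applies until the next published score.
EPSS_HISTORY = {
    date(2024, 1, 1): 0.02,
    date(2024, 1, 31): 0.05,
    date(2024, 3, 1): 0.20,
    date(2024, 3, 31): 0.60,
}


def epss_at(scores: dict, day: date) -> float:
    """Most recent EPSS score published on or before `day` (0.0 if none yet)."""
    known = [d for d in scores if d <= day]
    return scores[max(known)] if known else 0.0


def weight(d_i: date, d_n: date, window: int = WINDOW) -> float:
    """Assumed weight: share of the window starting at d_i that lies before d_n."""
    return min(1.0, max(0.0, (d_n - d_i).days / window))


def lev(scores: dict, d0: date, dn: date) -> float:
    """LEV lower bound: one EPSS score per 30-day window, last window weighted."""
    p_not_exploited = 1.0
    d_i = d0
    while d_i < dn:
        p_not_exploited *= 1.0 - epss_at(scores, d_i) * weight(d_i, dn)
        d_i += timedelta(days=WINDOW)
    return 1.0 - p_not_exploited


def lev2(scores: dict, d0: date, dn: date) -> float:
    """LEV2 lower bound: each day carries epss/30; reacts to every score change."""
    p_not_exploited = 1.0
    d_i = d0
    while d_i < dn:
        p_not_exploited *= 1.0 - epss_at(scores, d_i) / WINDOW
        d_i += timedelta(days=1)
    return 1.0 - p_not_exploited


if __name__ == "__main__":
    d0, dn = date(2024, 1, 1), date(2024, 4, 30)
    print(f"LEV  = {lev(EPSS_HISTORY, d0, dn):.4f}")
    print(f"LEV2 = {lev2(EPSS_HISTORY, d0, dn):.4f}")
```

Both numbers are lower bounds; a CVE whose LEV approaches 1.0 while it is absent from a KEV list is exactly the case the paper singles out for prioritization.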
The LEV metric enables four critical vulnerability management capabilities previously unavailable to security teams.
- First, it allows measurement of the expected proportion of exploited CVEs using the Expected_Exploited() equation.
- Second, it provides the first-ever method to assess the comprehensiveness of KEV lists through the KEV_Exploited() equation.
- Third, it identifies high-risk CVEs not currently on KEV lists, with empirical data showing “several hundred vulnerabilities with a probability of almost 1.0” that remain unlisted.
- Finally, it offers a composite approach that combines “predictions, knowns, and statistical inferences” to create more defensible prioritization strategies.
The LEV metric marks a significant advancement in vulnerability management mathematics, designed not to replace but to complement existing tools.
“NIST even offers a composite equation” that integrates LEV with current approaches, providing organizations with a more comprehensive view of their vulnerability landscape.
As organizations continue to face an overwhelming number of vulnerabilities with limited remediation resources, this new mathematical approach may finally help close the gap between the 5% of vulnerabilities that matter and the 16% that organizations can typically address.