New NIST Metric for Forecasting Likelihood of Vulnerability Exploitation
Patching software to fix identified vulnerabilities is a never-ending process that is essential to cybersecurity; however, with so many vulnerabilities being disclosed, keeping up with vulnerability management is a major challenge for security teams.
In 2024, the number of Common Vulnerabilities and Exposures (CVEs) increased by 39%, with 40,003 added to the National Vulnerability Database. Busy security teams fall behind in patching all known exploited vulnerabilities and those likely to be exploited in the wild, which gives threat actors a window in which to attack. Patches therefore need to be prioritized.
Only a small fraction of disclosed vulnerabilities are ever exploited, so prioritizing patching can shorten attackers' window of opportunity. One study found that attackers exploit only about 5% of vulnerabilities, while companies remediate about 16% of their vulnerabilities per month. That would be fine if the 16% that get patched included the 5% that get exploited, but in practice it does not.
When security teams prioritize patching, the probability that a vulnerability will be exploited must be evaluated using data, including CVSS scores and whether threat actors have targeted the particular software product. The best resources currently available are the Exploit Prediction Scoring System (EPSS), which estimates the likelihood that a vulnerability will be exploited in the next 30 days, and Known Exploited Vulnerability (KEV) lists, such as the catalog maintained by the U.S. Cybersecurity and Infrastructure Security Agency (CISA). Unfortunately, EPSS often produces inaccurate values, and KEV lists are not comprehensive. The errors in EPSS are predictable rather than random: they usually involve vulnerabilities that have already been exploited, and those are the vulnerabilities the system tends to flag.
The National Institute of Standards and Technology (NIST) has recently proposed a new metric to help organizations prioritize patching; it could improve EPSS-based remediation by correcting some of its inaccuracies and could augment KEV lists by covering probable omissions. The metric, published in a recent NIST Cybersecurity White Paper, is called Likely Exploited Vulnerabilities (LEV). NIST notes that LEV probabilities can help compensate for EPSS errors and for omissions from KEV lists. Because most vulnerabilities will have fairly low LEV scores, compiling an LEV list of vulnerabilities above a chosen threshold, for example 20%, would yield a manageable set of vulnerabilities on which to focus efforts, alongside the vulnerabilities on KEV lists.
An LEV list entry might contain the vulnerability identifier, a description, the publication date, the peak EPSS score, the LEV probability, and the affected products. Although the new LEV metric has limitations, such as an unknown margin of error, it could help organizations, including HIPAA-covered entities, focus their security efforts on high-risk vulnerabilities and improve their security posture.
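As an added illustration, not part of this article or of NIST's own tooling, the following Python builds the kind of thresholded LEV list described in the two paragraphs above from constructed EPSS histories. It follows the white paper's approach as I read it: each EPSS score is the probability of exploitation over the next 30 days, successive 30-day windows are treated as independent, and the probability that a vulnerability has been exploited at least once is one minus the product of the per-window non-exploitation probabilities, with a final window that has only partly elapsed weighted by the fraction of its days that have passed. That weighting rule, the `CVE-EXAMPLE-*` identifiers, the EPSS values, dates, product names and KEV membership are all assumptions or constructed sample data; the 20% threshold is the one the article mentions. Entries on the KEV list are kept in the prioritized set even when their LEV is low, which is the complementary role the article describes for KEV.

```python
from dataclasses import dataclass
from datetime import date

WINDOW_DAYS = 30  # an EPSS score covers the next 30 days


@dataclass
class Vulnerability:
    """Inputs for one LEV list entry. All instances below are constructed sample data."""
    cve_id: str
    description: str
    published: date
    affected: str
    epss_history: list  # (sample_date, epss_score) pairs taken about 30 days apart


def lev_probability(epss_history, as_of):
    """LEV-style probability that the vulnerability was exploited at least once
    between its first EPSS sample and `as_of`.

    Assumption (my reading of the NIST white paper): each EPSS sample is the
    probability of exploitation in the 30 days starting on its sample date,
    windows are independent, and a window not fully elapsed by `as_of` is
    weighted by the fraction of its days that have passed.
    P(never exploited) = prod(1 - p_i * w_i); LEV = 1 - that product.
    """
    p_not_exploited = 1.0
    for sample_date, score in epss_history:
        days_elapsed = (as_of - sample_date).days
        if days_elapsed <= 0:
            continue  # window has not started yet, contributes nothing
        weight = min(WINDOW_DAYS, days_elapsed) / WINDOW_DAYS
        p_not_exploited *= 1.0 - score * weight
    return 1.0 - p_not_exploited


def build_lev_list(vulns, kev_ids, as_of, threshold=0.20):
    """One row per vulnerability with the fields the article lists, highest LEV
    first. A row is flagged for prioritization when its LEV meets the threshold
    or the CVE is on the KEV list, so KEV entries that EPSS scores low survive."""
    rows = []
    for v in vulns:
        lev = lev_probability(v.epss_history, as_of)
        in_kev = v.cve_id in kev_ids
        rows.append({
            "cve_id": v.cve_id,
            "description": v.description,
            "published": v.published,
            "peak_epss": max((s for _, s in v.epss_history), default=0.0),
            "lev": lev,
            "affected": v.affected,
            "in_kev": in_kev,
            "prioritize": in_kev or lev >= threshold,
        })
    rows.sort(key=lambda r: r["lev"], reverse=True)
    return rows


def prioritized_ids(rows):
    """CVE identifiers that should be worked first, in LEV order."""
    return [r["cve_id"] for r in rows if r["prioritize"]]


# Constructed sample data: fictional CVE identifiers, products and scores.
AS_OF = date(2025, 4, 1)
SAMPLE_KEV = {"CVE-EXAMPLE-0003"}  # constructed KEV catalog
SAMPLE_VULNS = [
    Vulnerability("CVE-EXAMPLE-0001", "Deserialization flaw in a web framework (constructed)",
                  date(2025, 1, 1), "ExampleFramework 2.x",
                  [(date(2025, 1, 1), 0.05), (date(2025, 1, 31), 0.10), (date(2025, 3, 2), 0.12)]),
    Vulnerability("CVE-EXAMPLE-0002", "Low-impact information leak (constructed)",
                  date(2025, 2, 1), "ExampleAgent 1.4",
                  [(date(2025, 2, 1), 0.01), (date(2025, 3, 3), 0.02)]),
    Vulnerability("CVE-EXAMPLE-0003", "Authentication bypass listed in KEV but scored low by EPSS (constructed)",
                  date(2025, 3, 15), "ExampleVPN 9.0",
                  [(date(2025, 3, 15), 0.03)]),
]

if __name__ == "__main__":
    for r in build_lev_list(SAMPLE_VULNS, SAMPLE_KEV, AS_OF):
        print(f"{r['cve_id']}  LEV={r['lev']:.3f}  peak EPSS={r['peak_epss']:.2f}  "
              f"KEV={'yes' if r['in_kev'] else 'no'}  prioritize={r['prioritize']}")
```

With these inputs the first vulnerability reaches an LEV of about 0.25 from three modest EPSS scores, which is the accumulation effect that lifts it over the 20% threshold even though no single 30-day score did; the third has an LEV under 2% and is kept only because it is on the KEV list. Real use would substitute the published EPSS history for each CVE and CISA's KEV catalog for the constructed sets.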