NIST Proposes New Metric To Gauge Exploited Vulnerabilities
HelpNet Security, Monday, May 26th, 2025
NIST has introduced a new way to estimate which software vulnerabilities have likely been exploited, and it's calling on the cybersecurity community to help improve and validate the method.
The new metric, 'Likely Exploited Vulnerabilities' (LEV), aims to close a key gap in vulnerability management: identifying which of the thousands of reported flaws each year are actually being used in real-world attacks.
Organizations typically rely on two main tools for this: the Exploit Prediction Scoring System (EPSS), which estimates the chance of future exploitation, and Known Exploited Vulnerability (KEV) lists like the one maintained by CISA. But both have limits. EPSS is predictive and doesn't account for past exploitation, while KEV lists contain only confirmed cases and are often incomplete.
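To make the gap concrete, here is an added illustration (not code from the article or from NIST) of how a forward-looking score and a confirmed list differ, and how a sequence of past EPSS scores can be folded into an estimate of whether exploitation has already happened. It treats each EPSS value as the probability of exploitation within its 30-day window, assumes consecutive windows are independent, and weights a trailing partial window by its length; that simplification is my own and is not NIST's published LEV equation. The CVE identifiers, scores and KEV entries are constructed sample data.

```python
from typing import Dict, List, Set, Tuple

# Constructed sample data: each list holds one EPSS score per consecutive
# 30-day window, oldest first. These are illustrative values, not real EPSS
# output, and the CVE identifiers are placeholders.
EPSS_HISTORY: Dict[str, List[float]] = {
    "CVE-0000-0001": [0.02, 0.05, 0.40, 0.85],  # score climbed sharply over time
    "CVE-0000-0002": [0.01, 0.01, 0.01, 0.02],  # score stayed low throughout
}

# Constructed KEV list: only the second CVE has a confirmed exploitation record,
# even though its EPSS history never suggested it (the "incomplete vs predictive" gap).
KEV: Set[str] = {"CVE-0000-0002"}


def exploited_probability(scores: List[float], window_days: int = 30,
                          last_window_days: int = 30) -> float:
    """Probability that at least one exploitation occurred across all windows.

    Each score is the probability of exploitation within a full window of
    `window_days`. Windows are assumed independent, so the chance that nothing
    happened is the product of (1 - p_i); the final window may be shorter than
    a full window and is scaled by last_window_days / window_days.
    """
    if not scores:
        return 0.0
    p_none = 1.0
    for i, p in enumerate(scores):
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"EPSS score out of range: {p}")
        is_last = i == len(scores) - 1
        weight = min(last_window_days, window_days) / window_days if is_last else 1.0
        p_none *= 1.0 - p * weight
    return 1.0 - p_none


def triage(history: Dict[str, List[float]], kev: Set[str],
           threshold: float = 0.5) -> Dict[str, Tuple[str, float]]:
    """Label each CVE using both signals.

    A KEV entry is treated as confirmed regardless of its score history; the
    rest are labelled by whether the cumulative estimate crosses `threshold`.
    """
    result: Dict[str, Tuple[str, float]] = {}
    for cve, scores in history.items():
        prob = exploited_probability(scores)
        if cve in kev:
            label = "confirmed (KEV)"
        elif prob >= threshold:
            label = "likely exploited"
        else:
            label = "unlikely"
        result[cve] = (label, round(prob, 4))
    return result


if __name__ == "__main__":
    for cve, (label, prob) in triage(EPSS_HISTORY, KEV).items():
        print(f"{cve}: {label:20s} cumulative P(exploited) = {prob:.4f}")
```

Run as-is, the first CVE is flagged as likely exploited purely from its score history (the last EPSS value alone would only say it is likely to be exploited in the coming month), while the second is caught only because a KEV list confirms it; neither source on its own would have surfaced both.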