Vulnerability Management: How LEV Can Help Prioritise Patching
Vulnerability reporting and exploitation are on the rise. Verizon’s annual Data Breach Investigations Report found that 28,000 common vulnerabilities and exposures (CVEs) were registered by the US National Institute of Standards and Technology (NIST) in 2023 and 40,000 in 2024.
This number is on a trajectory to increase again by the end of 2025.
To help vulnerability management leaders prioritise patches among the staggering number of vulnerabilities, the cybersecurity community has developed several metrics over the years.
Until recently, the main actionable metrics included one exploitation-neutral severity score, the Common Vulnerability Scoring System (CVSS), and two exploitation-related tools: the Known Exploited Vulnerabilities (KEV) catalogs, repositories of vulnerabilities observed being exploited in the wild, and the Exploit Prediction Scoring System (EPSS), a framework for estimating how likely a vulnerability is to be exploited in the near future.
In a May 2025 white paper, a team led by Peter Mell of the US National Institute of Standards and Technology (NIST) and Jonathan Spring of the US Cybersecurity and Infrastructure Security Agency (CISA) unveiled a new framework, the Likely Exploited Vulnerabilities (LEV) metric.
LEV Explained: Past Exploitation Probability
LEV is a probabilistic score based on EPSS scores to estimate the chance that a CVE has already been exploited in the wild.
This score is calculated from multiple data records, including the CVE description, publication date, CVSS score and the EPSS scores for each 30-day window.
An LEV score can provide vulnerability management leaders with daily information on each CVE.
Chris Madden, a distinguished technical security engineer at Yahoo with no affiliation to the developers of LEV, created a resource aimed at understanding and using LEV, published as a section of the Risk-Based Prioritization Guide webpage.
He said that, while EPSS calculates the probability of exploitation in the future, LEV calculates the probability of exploitation in the past.
Therefore, the new metric “fills a gap by looking backward in time, complementing forward-looking and current exploitation data.”
“LEV essentially asks: ‘Given all the historical EPSS scores, what's the probability this vulnerability was exploited at some point in the past?’ Because an EPSS score is a probability (of exploitation in the next 30 days), and there are daily historical EPSS scores available, standard probability theory can be used to determine other probabilities, [such as] the probability for a different number of days - in the future or past,” he explained.
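As an added illustration of the calculation Madden describes (this is example code, not the NIST paper's equation or code from Madden's guide), the following Python combines a constructed series of daily EPSS scores with the standard independence rule P(at least one) = 1 − ∏(1 − p_i). Two variants are shown: sampling one score per non-overlapping 30-day window, and spreading each daily score over its 30 days; the per-day and partial-window scaling are assumptions of this example.

```python
from datetime import date, timedelta

WINDOW_DAYS = 30  # an EPSS score is P(exploitation within the next 30 days)


def combine_independent(probabilities):
    """P(exploited in at least one period) = 1 - prod(1 - p_i).
    Treats the periods as independent events, the assumption the article flags."""
    survival = 1.0
    for p in probabilities:
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"probability out of range: {p}")
        survival *= 1.0 - p
    return 1.0 - survival


def lev_windowed(daily_epss, as_of):
    """Tile the history with consecutive 30-day windows from the earliest score
    date, taking the score published on each window's first day as that window's
    probability. A trailing partial window is scaled by the fraction of days it
    covers, and a missing day counts as 0 (both assumptions of this example)."""
    if not daily_epss:
        return 0.0
    probs, start = [], min(daily_epss)
    while start <= as_of:
        end = start + timedelta(days=WINDOW_DAYS - 1)
        covered = (min(end, as_of) - start).days + 1
        probs.append(daily_epss.get(start, 0.0) * covered / WINDOW_DAYS)
        start = end + timedelta(days=1)
    return combine_independent(probs)


def lev_daily(daily_epss, as_of):
    """Use every daily score: spread each 30-day probability evenly over its days
    (epss/30 per day, an assumption of this example) so that a mid-window jump
    in EPSS is not missed the way start-of-window sampling can miss it."""
    probs = [p / WINDOW_DAYS for d, p in daily_epss.items() if d <= as_of]
    return combine_independent(probs)


# Constructed sample: 60 days of scores for a hypothetical CVE whose EPSS
# jumps on day 45 (for instance after a public exploit appears).
SAMPLE = {date(2025, 1, 1) + timedelta(days=i): (0.02 if i < 45 else 0.40)
          for i in range(60)}
AS_OF = date(2025, 3, 1)

if __name__ == "__main__":
    print(f"windowed: {lev_windowed(SAMPLE, AS_OF):.3f}")  # the jump is missed
    print(f"daily:    {lev_daily(SAMPLE, AS_OF):.3f}")
```

The gap between the two results shows why the choice of windowing matters as much as the independence assumption when turning EPSS history into a past-exploitation estimate.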
Use Cases for LEV
LEV can help determine the likelihood that a vulnerability not listed in any KEV list has been exploited.
Additionally, Madden has identified a few other cases where LEV could be used:
- When measuring the expected number and proportion of vulnerabilities, as identified by CVE identifiers, that actors have exploited
- When estimating the comprehensiveness of KEV lists
- To augment KEV-based vulnerability remediation prioritisation by identifying higher-probability vulnerabilities that may be missing
- To augment EPSS-based vulnerability remediation prioritisation by identifying vulnerabilities that may be under-scored
According to the NIST white paper, LEV should be used in conjunction with EPSS and KEV lists to improve vulnerability prioritisation.
“This is important because it has been shown empirically that KEV lists are not comprehensive relative to the total set of vulnerabilities. Also, EPSS is, by design, inaccurate for vulnerabilities previously observed to be exploited,” the NIST authors wrote.
LEV Limitations and Concerns
However, the standardisation agency also noted that LEV has an unknown margin of error, mainly due to the limitations of EPSS, which does not account for past vulnerability exploitation when generating its scores.
Additionally, Madden has identified a few concerns and limitations of LEV, which include:
- Misunderstanding of EPSS: There might be confusion about how EPSS scores are used in LEV, potentially leading to incorrect interpretations
- EPSS Scores as Lower Bounds: LEV treats EPSS scores as minimum probabilities, which could underestimate the actual likelihood of exploitation if the scores are not perfectly accurate
- Independent Events Assumption: LEV assumes that exploitation events are independent, but in reality, vulnerabilities might be related or dependent, affecting the accuracy of the probability calculations
- Probability Errors: The mathematical model in LEV might not account for all real-world dependencies, leading to potential inaccuracies in exploitation probability estimates
Despite these limitations, NIST hopes that the white paper will not only provide a valuable tool for organisations but also identify opportunities to improve existing systems used to determine vulnerability exploitation.
Speaking to Infosecurity during Infosecurity Europe 2025, Darren Kingsnorth, head of threat intelligence & analytics at Admiral Group, welcomed this new initiative.
“EPSS and LEV are helping people to build narratives and prioritise patches with much more substantial and contextual data than when we only had CVSS scores,” he said.
Patrick Garrity, a security researcher & evangelist at VulnCheck, also attended Infosecurity Europe 2025. Asked about LEV, he was much more sceptical about the new metric’s usefulness.
“I think the LEV was built partly because of the lack of transparency of people behind the EPSS scoring system,” he said.
“We now have several versions of CVSS, several versions of EPSS and now LEV as well. It would be good if we introduced more coordination and improved on existing systems instead of creating new ones,” Garrity added.