Introduction
The US National Institute of Standards and Technology (NIST) [3] [4] [6] [7] [8] [9] [10], in partnership with the Cybersecurity and Infrastructure Security Agency (CISA) [3] [7] [8], has introduced the Likely Exploited Vulnerabilities (LEV) metric [1] [2] [3] [4] [5] [6] [7] [8]. The metric estimates, from historical data, how likely it is that a given software or hardware vulnerability has been exploited in the wild, so that security teams can prioritize their remediation efforts.
Description
The US National Institute of Standards and Technology (NIST) [3] [4] [6] [7] [8] [9] [10], in collaboration with the Cybersecurity and Infrastructure Security Agency (CISA) [7] [8], has developed a metric known as Likely Exploited Vulnerabilities (LEV) to predict the likelihood of software and hardware vulnerabilities being exploited in real-world attacks [9]. This data-driven approach [7], spearheaded by researchers Peter Mell (NIST) and Jonathan Spring (CISA), aims to assist security teams in prioritizing vulnerabilities for remediation [10], given that only a small fraction of the numerous vulnerabilities published annually are actually exploited [10]. By providing statistical estimates of exploitation probabilities based on historical data, LEV enhances the efficiency and cost-effectiveness of vulnerability remediation efforts [9].
LEV quantitatively estimates, from past data, whether a specific vulnerability (identified by its Common Vulnerabilities and Exposures entry, CVE) is likely to have been exploited. Traditional vulnerability management relies on Common Vulnerability Scoring System (CVSS) scores, which measure severity and say nothing about exploitation likelihood [7]; LEV instead combines historical exploitation data, probability models [6] [7], and predictive analytics to improve decision-making in threat intelligence [7]. Concretely, it accumulates the time series of Exploit Prediction Scoring System (EPSS) scores for a CVE (each EPSS score being the probability of exploitation within the following 30 days) into a statistical estimate of the probability that the CVE has been exploited at least once since its publication, including for CVEs absent from CISA's Known Exploited Vulnerabilities (KEV) catalog. This lets vulnerability managers monitor exploitation trends and gain deeper insight into each vulnerability's history [6].
Key features of LEV include daily updates of the exploitation probability estimates [7] (EPSS itself is recomputed daily) and a per-CVE record containing the CVE identifier [8], publication date [1] [3], description [3], LEV probability [1] [3] [4] [6] [7], peak EPSS score [3] [4] [6] [8], and the history of EPSS scores sampled at 30-day intervals [6]. The metric is also intended to improve CISA's KEV catalog by surfacing high-probability vulnerabilities that KEV may not yet list because of reporting delays [7]. Research indicates that only about 5% of known vulnerabilities are exploited in the wild [4], while organizations typically patch only about 16% of their vulnerabilities each month [4], so the order in which remediation work is done matters. LEV refines EPSS by accumulating its historical scores [7], which is meant to improve predictive accuracy [7].
The LEV equation [8] [9] [10], for which NIST provides a Python implementation [10], exists in two versions [8]: the original steps through the EPSS history at 30-day intervals, while the second uses every daily EPSS score and therefore needs more computation [8]. LEV also faces challenges: data gaps, because it depends on historical exploitation reports [7]; the computational cost of the daily-granularity model [7]; and the need for industry collaboration to improve data accuracy and exploit-correlation methodologies [7]. Analyses of specific vulnerabilities [1] [4] [6] [8] [9], such as CVE-2023-1730 and CVE-2023-29373 [4], show large gaps between a CVE's LEV probability and its EPSS scores [4]: a vulnerability whose EPSS score never rises far can still accumulate a high LEV over a long enough exposure window. NIST acknowledges the limitations of LEV [2], including an unknown margin of error inherited from EPSS [6], whose scores are not adjusted for vulnerabilities that were observed being exploited in the preceding 30 days [6].
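The LEV equations themselves are not reproduced on this page. The following Python is an added example, not NIST's reference implementation, and encodes the two versions as I read them in the NIST white paper: the first version treats each 30-day EPSS window (stepping from the publication date in 30-day increments) as an independent trial and scales the final window by the fraction of 30 days that actually precede the end date; LEV2 does the same at daily granularity with epss/30 as the per-day probability. The EPSS histories, the KEV set and the CVE identifiers are constructed sample data, the 0.5 threshold in `kev_candidates` is an arbitrary choice, and the exclusive handling of the end date is my own; check the exact form against the published equations before relying on the numbers.

```python
from bisect import bisect_right
from datetime import date, timedelta

# Constructed sample EPSS histories (not real EPSS data).  Each entry is
# (date, score); a score stays in force until the next entry.  An EPSS score
# is the probability of exploitation in the 30 days following that date.
SAMPLE_EPSS = {
    # never scores high, but sits at 0.10 all year
    "CVE-0000-0001": [(date(2024, 1, 1), 0.10)],
    # low for five months, then a spike
    "CVE-0000-0002": [(date(2024, 1, 1), 0.02), (date(2024, 6, 1), 0.45)],
}

# Constructed stand-in for the KEV catalog: only the second CVE is listed.
SAMPLE_KEV = {"CVE-0000-0002"}

# Exposure window used by the demo below (constructed).
START, END = date(2024, 1, 1), date(2024, 12, 31)


def epss(history, d):
    """EPSS score in force on day d: the latest entry dated <= d, or 0.0
    before the first entry (i.e. before the CVE was scored)."""
    i = bisect_right([entry_date for entry_date, _ in history], d)
    return history[i - 1][1] if i else 0.0


def lev(history, d0, dn):
    """LEV, first version (my reading of the paper): walk from d0 in 30-day
    steps, treating each 30-day EPSS window as an independent trial.  A final
    window that runs past dn is weighted by the fraction of its 30 days that
    fall before dn."""
    p_never = 1.0  # probability that no window saw exploitation
    d = d0
    while d < dn:
        weight = min(1.0, (dn - d).days / 30)
        p_never *= 1.0 - epss(history, d) * weight
        d += timedelta(days=30)
    return 1.0 - p_never


def lev2(history, d0, dn):
    """LEV2: the same product at daily granularity, using epss/30 as the
    per-day probability (the paper's approximation as I understand it; the
    exact per-day rate for a 30-day probability p is 1 - (1 - p) ** (1 / 30)).
    Costs about 30x the lookups of lev()."""
    p_never = 1.0
    d = d0
    while d < dn:
        p_never *= 1.0 - epss(history, d) / 30
        d += timedelta(days=1)
    return 1.0 - p_never


def peak_epss(history, d0, dn):
    """Highest EPSS score in force on any day in [d0, dn]."""
    days = (dn - d0).days + 1
    return max(epss(history, d0 + timedelta(days=i)) for i in range(days))


def summarize(cve, history, kev, d0, dn):
    """One row of the per-CVE record the text describes: peak EPSS, LEV,
    LEV2 and whether KEV already lists the CVE."""
    return {
        "cve": cve,
        "in_kev": cve in kev,
        "peak_epss": round(peak_epss(history, d0, dn), 4),
        "lev": round(lev(history, d0, dn), 4),
        "lev2": round(lev2(history, d0, dn), 4),
    }


def kev_candidates(epss_histories, kev, d0, dn, threshold=0.5):
    """CVEs whose LEV exceeds `threshold` but that KEV does not list: the
    'possibly missed' set LEV is meant to surface.  The cut-off is arbitrary."""
    return sorted(
        cve for cve, history in epss_histories.items()
        if cve not in kev and lev(history, d0, dn) > threshold
    )


if __name__ == "__main__":
    for cve, history in SAMPLE_EPSS.items():
        print(summarize(cve, history, SAMPLE_KEV, START, END))
    print("LEV > 0.5 but not in KEV:",
          kev_candidates(SAMPLE_EPSS, SAMPLE_KEV, START, END))
```

Running the demo shows the discrepancy the text describes: CVE-0000-0001 never exceeds an EPSS score of 0.10, yet after a year of exposure its LEV is above 0.7, so it is flagged as a KEV candidate, while the two versions of the equation agree to within a few percent.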
To validate LEV with real-world performance measurements [4], NIST is seeking collaboration with industry partners [4] and stresses that rigorous testing is needed before LEV can be treated as a reliable vulnerability-management tool [4]. Organizations are encouraged to integrate LEV into their vulnerability management workflows [7], review LEV probabilities daily to spot high-risk vulnerabilities [7], and use LEV alongside EPSS and the KEV catalog rather than in place of them, for comprehensive tracking and remediation planning [7]. NIST's stated aims are for the metric to be a useful resource in its own right and to expose where existing exploitation-assessment systems can be improved [8], combining scoring predictions with observational evidence from threat intelligence.
Conclusion
The introduction of the LEV metric represents a significant advancement in vulnerability management, offering a more nuanced approach to predicting exploitation likelihood. By integrating historical data and predictive analytics, LEV enhances the prioritization of vulnerabilities, thereby improving remediation efforts. Despite challenges such as data gaps and computational complexity, ongoing collaboration with industry partners is expected to refine and validate LEV’s effectiveness. As organizations adopt this tool, it promises to bolster cyber defense strategies, providing a comprehensive framework that combines predictive scoring with real-world threat intelligence.
References
[1] https://www.helpnetsecurity.com/2025/05/26/nist-likely-exploited-vulnerabilities/
[2] https://thenimblenerd.com/article/nists-new-lev-metric-a-game-changer-or-just-another-acronym-in-cybersecurity/
[3] https://ciso2ciso.com/nist-introduces-new-metric-to-measure-likelihood-of-vulnerability-exploits-source-www-infosecurity-magazine-com/
[4] https://intruceptlabs.com/2025/05/nist-cisa-proposed-metric-for-vulnerability-exploitation-probability/
[5] https://www.redseal.net/cyber-news-roundup-for-may-23-2025/
[6] https://cybermaterial.com/nist-launches-new-metric-to-track/
[7] https://thecyberthrone.in/2025/05/26/nists-new-approach-lev-to-vulnerability-prioritization/
[8] https://www.infosecurity-magazine.com/news/nist-metric-lev-likelihood/
[9] https://securityboulevard.com/2025/05/cybersecurity-snapshot-ai-data-security-best-practices-released-while-new-framework-seeks-to-help-it-pros-gain-cyber-skills/
[10] https://www.tenable.com/blog/cybersecurity-snapshot-ai-data-security-best-practices-05-23-2025