NIST proposes new metric to help predict exploited vulnerabilities

A newly proposed tool from NIST tries to improve how organizations prioritize software patching in the face of rising threats.

What happened

The National Institute of Standards and Technology (NIST) has introduced a new metric designed to improve vulnerability prioritization: Likely Exploited Vulnerabilities (LEV). Announced in a May 2025 cybersecurity white paper, LEV tries to supplement existing tools like the Exploit Prediction Scoring System (EPSS) and Known Exploited Vulnerability (KEV) lists, both of which are currently used by security teams to gauge the risk that threat actors will target a vulnerability.

Going deeper

Vulnerability management has become increasingly difficult as the number of known software vulnerabilities grows. In 2024 alone, 40,003 CVEs were added to the National Vulnerability Database, a 39% increase over the previous year. Yet, research suggests that only about 5% of vulnerabilities are ever exploited. The challenge lies in identifying which of those are likely to be targeted, so teams can patch them first.

Existing systems like EPSS offer 30-day exploitation predictions but have known limitations. They tend to undervalue vulnerabilities that have already been exploited. KEV lists, like the one maintained by CISA, are useful but incomplete.

NIST’s proposed LEV metric would provide a probability score that helps organizations zero in on the most at-risk vulnerabilities. The LEV list would include key details such as vulnerability descriptions, publication dates, EPSS peak scores, affected products, and the new LEV probability. A LEV threshold (e.g., 20%) would help limit the list to a manageable number of vulnerabilities.

What was said

NIST’s white paper states that LEV is not a replacement but rather a complement to EPSS and KEV tools. It’s designed to help correct for predictable gaps in EPSS scoring and offer organizations a clearer way to focus remediation efforts.

LEV’s exact margin of error is still unknown. NIST acknowledges this limitation but argues that the metric can still improve patching strategies by filtering out low-risk vulnerabilities and spotlighting those more likely to be used in attacks.

The big picture

Organizations are dealing with a growing volume of CVEs, making it difficult to prioritize response efforts. Tools like LEV offer a way to identify which vulnerabilities are most likely to be exploited, helping security teams focus on the highest-risk issues. Although not a comprehensive solution, LEV can add value when combined with existing security systems by narrowing response gaps and limiting the time attackers have to act.

FAQs

How is LEV different from EPSS?

LEV provides a broader exploitation probability estimate and is meant to correct some known inaccuracies in EPSS, especially regarding already-exploited vulnerabilities.

Will LEV replace current tools like KEV or EPSS?

No. NIST envisions LEV as a supplemental tool to enhance, not replace, EPSS and KEV in patch prioritization efforts.

How can organizations use the LEV threshold practically?

By setting a LEV probability cutoff, such as 20%, security teams can generate a focused list of high-risk vulnerabilities to address more efficiently.

What kind of data will the LEV list include?

The LEV list will include each vulnerability’s description, publication date, LEV probability, EPSS peak score, date of that peak, and affected products.
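The list-building and threshold steps described in the "Going deeper" section and in the two FAQ answers above, as an added example that is not NIST's code and does not reproduce the white paper's equation. The article gives no formula, so the composition used here is my own assumption: each day's EPSS score is treated as a 30-day probability, a single day is modelled as an independent p/30 chance, and the days are combined as 1 − ∏(1 − p_i/30). The CVE identifiers, products and EPSS histories are constructed placeholders; the `Vuln`, `lev_probability`, `peak_epss` and `build_lev_list` names are mine.

```python
"""Constructed example: build a LEV-style patch-priority list from EPSS histories."""
from dataclasses import dataclass
from datetime import date, timedelta
from math import prod


@dataclass
class Vuln:
    cve_id: str                     # placeholder IDs below, not real CVEs
    description: str
    published: date
    products: list[str]
    epss_history: list[tuple[date, float]]  # (score date, EPSS 30-day probability)


def lev_probability(history: list[tuple[date, float]]) -> float:
    """Combine a vulnerability's daily EPSS scores into one cumulative
    probability of having been exploited over the observed period.

    Assumption (not NIST's published equation): each day's EPSS score p is
    a 30-day probability, so one day is modelled as an independent p/30
    chance and all observed days are combined as 1 - prod(1 - p_i/30).
    An empty history yields 0.0."""
    return 1.0 - prod(1.0 - p / 30.0 for _, p in history)


def peak_epss(history: list[tuple[date, float]]) -> tuple[date, float]:
    """Return (date, score) of the highest EPSS score; the earliest date wins ties."""
    return max(history, key=lambda entry: entry[1])


def build_lev_list(vulns: list[Vuln], threshold: float = 0.20) -> list[dict]:
    """Return the rows the article describes (description, publication date,
    LEV probability, EPSS peak and its date, affected products) for every
    vulnerability whose LEV probability meets the threshold, highest LEV first."""
    rows = []
    for v in vulns:
        lev = lev_probability(v.epss_history)
        if lev < threshold:
            continue                      # the cutoff keeps the list manageable
        peak_date, peak_score = peak_epss(v.epss_history)
        rows.append({
            "cve_id": v.cve_id,
            "description": v.description,
            "published": v.published,
            "lev": round(lev, 4),
            "epss_peak": peak_score,
            "epss_peak_date": peak_date,
            "epss_latest": v.epss_history[-1][1],   # today's score, for contrast
            "products": v.products,
        })
    rows.sort(key=lambda r: r["lev"], reverse=True)
    return rows


def constant_history(start: date, days: int, score: float) -> list[tuple[date, float]]:
    """Constructed EPSS history: the same score every day for `days` days."""
    return [(start + timedelta(i), score) for i in range(days)]


START = date(2025, 1, 1)
SAMPLE_VULNS = [                          # constructed sample input
    Vuln("CVE-0000-0001", "constructed: steady moderate interest", START,
         ["example-app 1.x"], constant_history(START, 90, 0.10)),
    Vuln("CVE-0000-0002", "constructed: low interest throughout", START,
         ["example-lib 2.x"], constant_history(START, 60, 0.02)),
    Vuln("CVE-0000-0003", "constructed: quiet, a sharp EPSS spike, then decay", START,
         ["example-server 3.x"],
         constant_history(START, 30, 0.01)
         + constant_history(START + timedelta(30), 20, 0.50)
         + constant_history(START + timedelta(50), 30, 0.03)),
]

if __name__ == "__main__":
    for row in build_lev_list(SAMPLE_VULNS):
        print(f'{row["cve_id"]}  LEV={row["lev"]:.1%}  peak EPSS={row["epss_peak"]:.2f} '
              f'on {row["epss_peak_date"]}  latest EPSS={row["epss_latest"]:.2f}  '
              f'products={row["products"]}')
```

The third constructed entry is the case the article says EPSS handles poorly: its current EPSS score has fallen back to 0.03, so a list sorted on today's EPSS alone would drop it, while the cumulative LEV-style probability keeps it at the top because the earlier spike is never forgotten. Raising the threshold (for example to 0.5) empties the list for this sample, which is the knob the FAQ describes for keeping the output to a manageable size.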

Are there concerns about relying on LEV?

Yes. While promising, the LEV model’s margin of error is currently unknown, and it should be used alongside other risk assessment tools to ensure balanced security decisions.