Efficacy of EPSS in High Severity CVEs found in KEV
Rianna Parla

TL;DR
This paper evaluates the effectiveness of the Exploit Prediction Scoring System (EPSS) in predicting exploitation of high severity CVEs listed in the CISA KEV catalog, highlighting its strengths and areas for enhancement.
Contribution
It provides an empirical assessment of EPSS's predictive performance on high severity CVEs, focusing on real-world exploitation data and exploitability factors.
Findings
EPSS shows moderate predictive capability for high severity CVEs.
Exploits with higher simplicity and availability correlate with actual exploitation.
The study identifies specific areas where EPSS can be improved for better prediction.
Abstract
The Exploit Prediction Scoring System (EPSS) is designed to estimate the probability that a vulnerability will be exploited in the next 30 days, relative to other vulnerabilities. The latest version, described in a research paper published on arXiv, assists defenders in deciding which vulnerabilities to prioritize for remediation. This study evaluates EPSS's ability to predict exploitation before vulnerabilities are actively compromised, focusing on high severity CVEs that are known to have been exploited and are included in the CISA KEV catalog. By analyzing EPSS score history, the availability and simplicity of exploits, the purpose of the affected system, and its value as a target for Threat Actors (TAs), this paper examines EPSS's potential and identifies areas for improvement.
