Measuring the Exploitation of Weaknesses in the Wild
Peter Mell, Irena Bojanova, Carlos Galhardo
TL;DR
Measuring exploitation of software weaknesses in the wild is hard because of gaps in the available data. The authors define PECWE, a simple aggregation over the CVEs mapped to a CWE and its children that uses EPSS scores to estimate the probability that the weakness is exploited within a 30-day window: $PECWE(x,d) = 1 - \prod_{\forall y \in S_x} (1-EPSS(y,d))$, where $S_x$ is the set of CVEs mapped to CWE $x$ or one of its children and $EPSS(y,d)$ is the EPSS score of CVE $y$ on date $d$. They compute the metric weekly from April 2021 to March 2024 for 132 CWE data points (the 130 CWEs of View-1003 plus two special designators). Only about 8% of the CWEs are exploited in every 30-day window; the remaining 92% are not constantly exploited. Exploitation probability correlates strongly but non-linearly with the number of CVEs mapped to a CWE, and PECWE exposes temporal exploitation patterns that raw CVE counts do not. The authors argue that PECWE is a useful exploitation-risk signal for prioritizing secure-coding education, code review, and vulnerability mitigation, complementing CVE-frequency measures rather than replacing them.
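The following is an added worked example of the PECWE computation, written for this summary; it is not code from the paper or its authors. The CWE hierarchy, the CVE-to-CWE mappings, the CVE identifiers (CVE-X-000n) and the EPSS values are all constructed for illustration, and the "constantly exploited" threshold is an assumption, since the summary above does not state the one the authors used. Two practical points the formula alone does not make obvious are built in: $S_x$ is a set, so a CVE mapped to both a parent CWE and one of its children is counted once, and the product is evaluated in log space so that a CWE with thousands of low-EPSS CVEs does not underflow.

```python
"""Worked PECWE example (added here, not the paper's code).
All CWE relationships, CVE ids and EPSS scores below are constructed."""
import math

# Constructed parent -> direct-children map in the spirit of View-1003.
# Hypothetical shape; not the real View-1003 tree.
CWE_CHILDREN = {
    "CWE-20": ["CWE-1284"],
    "CWE-74": ["CWE-79", "CWE-89"],
    "CWE-79": [],
    "CWE-89": [],
    "CWE-1284": [],
    "CWE-287": [],
}

# Constructed CVE -> CWE mappings (a CVE may carry several CWEs).
CVE_TO_CWES = {
    "CVE-X-0001": {"CWE-79"},
    "CVE-X-0002": {"CWE-89", "CWE-74"},   # mapped to both a child and its parent
    "CVE-X-0003": {"CWE-79"},
    "CVE-X-0004": {"CWE-287"},
    "CVE-X-0005": {"CWE-1284"},
}

# Constructed EPSS snapshots: (date d, CVE -> 30-day exploitation probability).
WEEKLY_EPSS = [
    ("2021-04-05", {"CVE-X-0001": 0.30, "CVE-X-0002": 0.10, "CVE-X-0003": 0.05,
                    "CVE-X-0004": 0.00, "CVE-X-0005": 0.02}),
    ("2021-04-12", {"CVE-X-0001": 0.60, "CVE-X-0002": 0.10, "CVE-X-0003": 0.05,
                    "CVE-X-0004": 0.00, "CVE-X-0005": 0.02}),
    ("2021-04-19", {"CVE-X-0001": 0.30, "CVE-X-0002": 0.00, "CVE-X-0003": 0.05,
                    "CVE-X-0004": 0.00, "CVE-X-0005": 0.02}),
]
EPSS_D = WEEKLY_EPSS[0][1]   # one snapshot, for the single-date examples


def descendants(cwe, children=CWE_CHILDREN):
    """Return cwe itself plus every transitive child."""
    seen, stack = set(), [cwe]
    while stack:
        c = stack.pop()
        if c in seen:
            continue
        seen.add(c)
        stack.extend(children.get(c, []))
    return seen


def cve_set(cwe, cve_to_cwes=CVE_TO_CWES, children=CWE_CHILDREN):
    """S_x: the CVEs mapped to x or to any child of x.
    Returned as a set, so a CVE mapped to both parent and child counts once."""
    family = descendants(cwe, children)
    return {cve for cve, cwes in cve_to_cwes.items() if cwes & family}


def pecwe(cwe, epss, cve_to_cwes=CVE_TO_CWES, children=CWE_CHILDREN):
    """PECWE(x,d) = 1 - prod_{y in S_x} (1 - EPSS(y,d)).
    Accumulates log(1-p) terms so many small probabilities do not underflow.
    A CVE with no EPSS score on date d is treated as EPSS 0 (assumption)."""
    s = cve_set(cwe, cve_to_cwes, children)
    if not s:
        return 0.0
    log_not_exploited = 0.0
    for cve in s:
        p = epss.get(cve, 0.0)
        if p >= 1.0:
            return 1.0            # one certain exploit saturates the metric
        log_not_exploited += math.log1p(-p)
    return 1.0 - math.exp(log_not_exploited)


def pecwe_series(cwe, snapshots=WEEKLY_EPSS):
    """PECWE of one CWE evaluated on each weekly snapshot date."""
    return [(d, pecwe(cwe, epss)) for d, epss in snapshots]


def constantly_exploited(cwe, snapshots=WEEKLY_EPSS, threshold=0.3):
    """True when PECWE stays at or above `threshold` in every window.
    The threshold is an assumption for this example, not the paper's value."""
    return all(p >= threshold for _, p in pecwe_series(cwe, snapshots))


if __name__ == "__main__":
    for x in ("CWE-74", "CWE-79", "CWE-20", "CWE-287"):
        print(x, sorted(cve_set(x)), [round(p, 4) for _, p in pecwe_series(x)],
              "constant" if constantly_exploited(x) else "intermittent")
```

Running the block shows the parent/child effect directly: CWE-74 inherits the CVEs of CWE-79 and CWE-89, so its PECWE (about 0.40 on the first date) exceeds that of either child, while CVE-X-0002 is not double-counted despite being mapped to both CWE-89 and CWE-74. Note also what the metric is not: the product form assumes the CVEs' exploitation events are independent, so a CWE whose CVEs are all in one widely exploited product family will be scored as if they were unrelated.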
Abstract
Identifying the software weaknesses exploited by attacks supports efforts to reduce the introduction of vulnerabilities by developers and to guide security code review. A weakness is a bug or fault type that can be exploited through an operation that results in a security-relevant error. Ideally, the security community would measure the prevalence of the software weaknesses used in actual exploitation. This work advances that goal by introducing a simple metric that uses public data feeds to determine the probability of a weakness being exploited in the wild within any 30-day window. The metric is evaluated on a set of 130 weaknesses that were commonly found in vulnerabilities between April 2021 and March 2024. Our analysis reveals that 92% of the weaknesses are not being constantly exploited.
