Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Efficacy of EPSS in High Severity CVEs found in KEV

Rianna Parla

TL;DR

This study evaluates EPSS's ability to predict exploitation before vulnerabilities are actively compromised, focusing on high severity CVEs that are known to have been exploited and included in the CISA KEV catalog.

Abstract

The Exploit Prediction Scoring System (EPSS) is designed to assess the probability of a vulnerability being exploited in the next 30 days relative to other vulnerabilities. The latest version, based on a research paper published in arXiv, assists defenders in deciding which vulnerabilities to prioritize for remediation. This study evaluates EPSS's ability to predict exploitation before vulnerabilities are actively compromised, focusing on high severity CVEs that are known to have been exploited and included in the CISA KEV catalog. By analyzing EPSS score history, the availability and simplicity of exploits, the system's purpose, its value as a target for Threat Actors (TAs), this paper examines EPSS's potential and identifies areas for improvement.

Efficacy of EPSS in High Severity CVEs found in KEV

TL;DR

This study evaluates EPSS's ability to predict exploitation before vulnerabilities are actively compromised, focusing on high severity CVEs that are known to have been exploited and included in the CISA KEV catalog.

Abstract

The Exploit Prediction Scoring System (EPSS) is designed to assess the probability of a vulnerability being exploited in the next 30 days relative to other vulnerabilities. The latest version, based on a research paper published in arXiv, assists defenders in deciding which vulnerabilities to prioritize for remediation. This study evaluates EPSS's ability to predict exploitation before vulnerabilities are actively compromised, focusing on high severity CVEs that are known to have been exploited and included in the CISA KEV catalog. By analyzing EPSS score history, the availability and simplicity of exploits, the system's purpose, its value as a target for Threat Actors (TAs), this paper examines EPSS's potential and identifies areas for improvement.

Paper Structure

This paper contains 30 sections, 18 figures, 1 table.

Table of Contents

  1. What is EPSS, CVSS, and CVE?
  2. What is CISA KEV?
  3. Why is prioritizing vulnerabilities important?
  4. Why study this topic?
  5. EPSS system overview
  6. How are EPSS scores calculated?
  7. Presence in CISA KEV
  8. Expectations of EPSS prediction
  9. Remote Access Technologies as High Value Targets
  10. CVE-2023-3519 (remote access technology)
  11. CVE-2023-4966 (remote access technology)
  12. CVE-2023-7028 (supply chain software)
  13. CVE-2023-22515 & CVE-2023-22518 (productivity software)
  14. CVE-2023-22527 (productivity software)
  15. CVE-2023-27997 (remote access, perimeter security)
  16. ...and 15 more sections

Figures (18)

  • Figure 1: CVE-2023-3519 EPSS Details
  • Figure 2: CVE-2023-4966 EPSS Details
  • Figure 3: CVE-2023-7028 EPSS Details
  • Figure 4: CVE-2023-22515 EPSS Details
  • Figure 5: CVE-2023-22518 EPSS Details
  • ...and 13 more figures