Exploit Prediction Scoring System (EPSS)
The Exploit Prediction Scoring System (EPSS) is a data-driven model maintained by FIRST that estimates the probability that a given CVE will be exploited in the wild within the next 30 days. EPSS complements CVSS by adding exploitation likelihood to severity, enabling more effective vulnerability prioritisation.
What Is EPSS?
The Exploit Prediction Scoring System (EPSS) is a probabilistic model, maintained by FIRST (Forum of Incident Response and Security Teams), that estimates the likelihood that a specific CVE will be exploited in the wild within the next 30 days. The model is trained on CVE characteristics (affected vendor, CWE, CVSS metrics, availability of public exploit code, and similar features) together with observed exploitation telemetry from multiple sources, including Shadowserver, GreyNoise, and commercial threat intelligence providers. Each CVE receives a score between 0 and 1, which is the estimated probability and is often displayed as a percentage, plus a percentile that ranks the CVE against all other scored CVEs. Scores are recomputed and published daily. A CVE with an EPSS score of 0.95 has an estimated 95% probability of being exploited within 30 days; a CVE with a score of 0.01 is very unlikely to be exploited in that window.
EPSS vs CVSS: Complementary Frameworks
CVSS and EPSS answer different questions. CVSS answers: 'If this vulnerability is exploited, how bad could it be?' — it measures severity based on technical characteristics. EPSS answers: 'How likely is it that this vulnerability will be exploited in the next 30 days?' — it measures exploitation probability based on observed threat intelligence.
Using CVSS alone for prioritisation leads to over-prioritisation of theoretical risks: only approximately 5% of all published CVEs have ever been observed exploited in the wild. A manufacturer prioritising solely by CVSS base score invests remediation effort in many vulnerabilities that pose minimal real-world risk, while the small subset that attackers actually use is buried among them. EPSS sharpens prioritisation by surfacing that subset. Combined, CVSS (severity) and EPSS (likelihood) provide a risk-informed prioritisation framework, which is the foundation of risk-based vulnerability management.
Using EPSS in CRA-Compliant Vulnerability Handling
For manufacturers subject to CRA obligations, EPSS provides a practical mechanism for demonstrating that vulnerability prioritisation is risk-informed rather than arbitrary. Specifically:
- Triage prioritisation: EPSS can be used alongside CVSS to rank vulnerabilities — elevating lower-CVSS vulnerabilities that have high exploitation probability, and deprioritising high-CVSS vulnerabilities with negligible exploitation likelihood.
- SLA adjustment: When an EPSS score spikes for a vulnerability affecting the product (for example, when exploitation tools are published), the manufacturer can escalate its remediation priority even before CISA KEV inclusion is confirmed.
- Risk-based 'not affected' and deferral decisions: Recording the EPSS score alongside the reachability analysis when a very-low-probability CVE in a non-reachable code path is deprioritised gives a defensible, data-driven record for market surveillance authority (MSA) review. EPSS supports the reachability argument; it does not replace it.
- SBOM-based monitoring: Automated daily checks of EPSS scores for all CVEs affecting components in the product's SBOM enable proactive monitoring.
Limitations and How to Interpret EPSS Scores
EPSS has important limitations that manufacturers should understand:
- It measures population-level exploitation probability, not the risk to a specific deployment. Observed exploitation anywhere raises the score, even when the attacks target a different product, version, or configuration than the manufacturer's; conversely, the score says nothing about whether the vulnerable code is reachable in a particular product.
- Low EPSS does not mean no risk: A newly published critical vulnerability may have a low initial EPSS score simply because no exploitation data is yet available. EPSS scores for new CVEs typically rise rapidly if exploitation occurs.
- Scores are only comparable within one model version: EPSS has been retrained and re-released several times (v3 in 2023, v4 in 2025), and each release changes the score distribution, so a 0.10 under one version is not the same signal as a 0.10 under another. The bulk data files carry the model version in their header; manufacturers comparing historical scores, or setting thresholds, should check which model version produced them and reassess thresholds after a model change.
- EPSS does not replace CVSS: Severity matters independently of exploitation probability. A critical vulnerability that is not yet exploited should still be patched promptly, even if EPSS is temporarily low.
Frequently asked
Where can manufacturers access EPSS scores?
EPSS scores are freely available from FIRST at first.org/epss. The FIRST EPSS API (api.first.org/data/v1/epss) provides per-CVE lookups, and daily bulk CSV files of all scored CVEs can be downloaded for offline correlation. EPSS data is also integrated into many vulnerability management platforms, SBOM tools, and vulnerability feeds built on NVD data. CVD Portal integrates EPSS data into its SBOM vulnerability correlation feature, surfacing the exploitation probability for each matched CVE alongside its CVSS score.
At what EPSS threshold should a manufacturer escalate remediation priority?
FIRST does not prescribe a specific threshold, and the appropriate threshold depends on the manufacturer's risk tolerance and product criticality. The thresholds below refer to the probability score, not the percentile. Common practices: treat any CVE with EPSS above 0.50 (50% exploitation probability) as high priority regardless of CVSS base score; use EPSS above 0.10 as a signal to review whether the normal remediation SLA is appropriate; flag any CVSS Critical (9.0 or above) vulnerability with EPSS above 0.05 for expedited response. The CISA KEV catalogue provides a definitive trigger for confirmed-exploited vulnerabilities regardless of EPSS score.
How quickly do EPSS scores update when a new exploit is published?
EPSS scores are recomputed daily. When exploit code is published or exploitation is observed in the model's threat intelligence sources, the score typically reflects this within 24 to 48 hours through a significant increase. Manufacturers monitoring EPSS for their SBOM components should run daily checks rather than weekly, and compare each day's score with the previous day's so that a sudden jump is noticed, because the window between exploit publication and widespread exploitation is often very short for high-profile vulnerabilities.