In the ever-evolving world of cybersecurity, vulnerabilities are an inevitable reality. Each year, thousands of new vulnerabilities are disclosed, creating an overwhelming challenge for organizations: Which vulnerabilities should be prioritized?

Traditionally, severity scores like the Common Vulnerability Scoring System (CVSS) have guided us, but these scores don’t always reflect the likelihood of exploitation. That’s where the Exploit Prediction Scoring System (EPSS) steps in, offering a new dimension of vulnerability management.

What Is EPSS?

The Exploit Prediction Scoring System (EPSS) is a data-driven model designed to predict the likelihood that a vulnerability will be exploited in the wild. Unlike CVSS, which focuses on the technical severity of a vulnerability, EPSS focuses on real-world risk. It combines data from sources like exploit databases, malware repositories, and vulnerability disclosure platforms to calculate:

• EPSS Score: The probability of exploitation, expressed as a percentage (e.g., 5% or 80%).
• EPSS Percentile: A comparative rank that shows where a vulnerability stands relative to others. For example:
• A CVE in the 90th percentile is more likely to be exploited than 90% of all other vulnerabilities in the database.
• A CVE in the 10th percentile poses relatively low risk of exploitation.

Both the score and percentile give a clearer picture of how urgent and impactful a vulnerability might be in the real world.

How EPSS Changes Over Time

EPSS is not static—it evolves as new data becomes available. Here’s how:

• Data Sources Are Dynamic: EPSS uses real-time feeds from exploit repositories, vulnerability disclosure platforms, malware analysis systems, and other sources. As new exploits are identified, EPSS scores for related vulnerabilities may rise.
• Temporal Patterns: Some vulnerabilities become more exploitable over time as attackers develop proof-of-concept (PoC) exploits or weaponized tools. Conversely, other vulnerabilities may see their EPSS scores drop as patches are widely deployed or mitigations are applied.
• Community Collaboration: EPSS is maintained by the Forum of Incident Response and Security Teams (FIRST), a non-profit group that continuously refines the model to account for new exploit patterns and attacker behaviors.

For example, a CVE with a low EPSS score today might have its score increase dramatically tomorrow if a PoC exploit is released.

Famous Examples of EPSS in Action

To understand the practical importance of EPSS, let’s look at a few high-profile vulnerabilities. Follow the links to read our annotated CVE reports

CVE-2021-44228 (Log4Shell)

• CVSS Score: 10.0 (Critical).
• EPSS Score: ~85%.
• EPSS Percentile: 99th.

Log4Shell affected the widely used Apache Log4j library, making exploitation extremely likely. EPSS correctly identified this vulnerability as high-risk based on the rapid release of PoC exploits and its widespread impact. Organizations that prioritized this CVE avoided significant damage.

CVE-2017-0144 (EternalBlue)

• CVSS Score: 8.1 (High).
• EPSS Score: ~92%.
• EPSS Percentile: 99th.

EternalBlue targeted Microsoft’s SMB protocol and was famously exploited by WannaCry and NotPetya ransomware attacks. EPSS highlighted its exploitability long before it became a household name in cybersecurity.

Why Does EPSS Matter?

Most organizations operate with limited resources, making it impossible to patch every single vulnerability. EPSS helps bridge the gap between vulnerability severity and actual risk by focusing on exploitation likelihood.

Here’s why EPSS is a game-changer:

• Efficient Resource Allocation: Instead of patching all high-severity vulnerabilities, organizations can focus on those most likely to be exploited.
• Proactive Defense: By addressing high-EPSS vulnerabilities first, businesses can stay ahead of attackers targeting low-hanging fruit.
• Complementary to CVSS: EPSS doesn’t replace CVSS but adds another layer of prioritization, offering a more holistic view of the threat landscape.

BaseFortify’s Use of EPSS

At BaseFortify.eu, we’ve integrated EPSS score and percentile into our CVE Reports to help our users focus on vulnerabilities that matter most. By combining CVSS and EPSS, you get the complete picture—what’s severe and what’s exploitable. By going to the CVE Reports page you can quickly filter those reports that show a recent change. Our CVE Reports are publicly available for anyone to read. However, some features are locked and require registration, which is for free. Registered users can quickly filter CVE reports based on attack surface and thus quickly navigate through the deluge of cybersecurity information. So register today!

Final Thoughts

Cybersecurity is all about staying one step ahead. EPSS empowers organizations to focus on what matters most: vulnerabilities likely to be exploited by attackers. By integrating EPSS into your strategy, you can move from reactive to proactive defense.

At BaseFortify.eu, we’re committed to helping organizations like yours navigate the complexities of vulnerability management. Explore our new EPSS-powered features today and take the first step toward a smarter, more secure future.