Full Report
Researchers from the U.S. National Institute of Standards and Technology (NIST) and the Cybersecurity and Infrastructure Security Agency (CISA) have developed a new security metric to determine the likelihood that a vulnerability has been exploited. In a paper published this week, Peter Mell, formerly of NIST, and CISA’s Jonathan Spring outlined their vulnerability exploit metric that augments the work of the Exploit Prediction Scoring System (EPSS) and CISA’s Known Exploited Vulnerabilities (KEV) catalog.

Mell and Spring cited studies that have found that only 5% of vulnerabilities have been observed to be exploited in the wild, while the monthly vulnerability remediation rate for companies is 16%. “The remediation rate is so low because it is expensive for companies to address vulnerabilities,” they wrote. “...This situation would not be a problem if the 16% were to cover the 5%, but metrology is lacking to accurately make that calculation. Thus, predicting which vulnerabilities will be exploited is critically important for the efficiency and cost-effectiveness of enterprise vulnerability remediation efforts.”

## Vulnerability Exploit Metric Builds on EPSS

Mell and Spring noted known shortcomings in EPSS and the CISA KEV catalog. EPSS “has known inaccurate values,” they wrote, while KEV is likely not comprehensive. Their proposed likelihood metric could help augment EPSS remediation by correcting some inaccuracies, and could build on the KEV catalog by “enabling measurements of comprehensiveness.”

EPSS provides probabilities that a vulnerability will be observed to be exploited in the wild within the next 30 days, the NIST and CISA researchers said. “However, its probabilities are known to be inaccurate for vulnerabilities that have been previously observed to be exploited,” they wrote. “... Fortunately, the probabilities are not randomly inaccurate; they underestimate the true probability.”

Mell and Spring call their formula Likely Exploited Vulnerabilities (LEV) probabilities. LEV probabilities have at least four use cases, they said. These include:

- Measuring the expected number and proportion of vulnerabilities that actors have exploited
- Estimating the comprehensiveness of the KEV catalog
- Augmenting KEV-based vulnerability remediation prioritization by “identifying higher probability vulnerabilities that may be missing”
- Augmenting EPSS-based vulnerability remediation prioritization by “identifying vulnerabilities that may be underscored.”

## Results: Hundreds of Vulnerabilities with High Probability of Exploitation

The paper listed two vulnerabilities where LEV and EPSS probabilities differed. For CVE-2023-1730, a SQL injection vulnerability in the SupportCandy WordPress plugin before 3.1.5, the LEV probability was 0.70, while the peak EPSS score was 0.16. For CVE-2023-29373, a Microsoft ODBC Driver Remote Code Execution vulnerability, the LEV probability was 0.54350, while the peak EPSS probability was 0.08.

Their work also identified several hundred vulnerabilities with a probability approaching 1.0. “Interestingly, many of these vulnerabilities are not included in tested KEV lists,” Mell and Spring wrote. “... This is one reason that LEV lists cannot replace KEV lists. LEV cannot identify which of the many low probability vulnerabilities will be exploited, it can only help compute how many of them are expected to be exploited. KEV lists identify the exact ones that have been exploited.”

Mell and Spring said they’re looking for industry partners to collaborate with to obtain performance measurements of the LEV metric.
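The LEV idea described above, turning a run of 30-day EPSS probabilities into the probability that a vulnerability has already been exploited and then using that to count expected exploitations and gauge KEV coverage, as an added Python example that is not the paper's own code or model. It assumes independent 30-day windows (a simplification; the paper's weighting of partial windows is not reproduced), and the EPSS histories and KEV-style list are constructed values, not real data.

```python
from math import prod

# Constructed sample data (invented for illustration, not real EPSS history):
# one peak EPSS score, i.e. a 30-day exploitation probability, per month.
EPSS_HISTORY = {
    "CVE-0000-0001": [0.02, 0.05, 0.16, 0.15, 0.14, 0.12, 0.10, 0.10],
    "CVE-0000-0002": [0.01, 0.01, 0.02, 0.02, 0.01, 0.01],
    "CVE-0000-0003": [0.30, 0.45, 0.60, 0.55, 0.50, 0.40],
}
# Constructed KEV-style list: only the third CVE has been confirmed exploited.
KEV_SAMPLE = {"CVE-0000-0003"}

def cumulative_exploited_probability(window_probs):
    """Probability that exploitation was observed in at least one window.

    Assumption: each value is the probability of observed exploitation in its
    own 30-day window and windows are independent (a simplification of the
    LEV paper's model, which also weights partial windows).
    """
    window_probs = list(window_probs)
    for p in window_probs:
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"EPSS value out of range: {p}")
    return 1.0 - prod(1.0 - p for p in window_probs)

def expected_exploited_count(histories):
    """Expected number of CVEs exploited at least once (sum of probabilities)."""
    return sum(cumulative_exploited_probability(h) for h in histories.values())

def kev_comprehensiveness(histories, kev):
    """Share of the expected exploited CVEs that the KEV list captures."""
    expected = expected_exploited_count(histories)
    return len(kev.intersection(histories)) / expected if expected else 0.0

def likely_missing_from_kev(histories, kev, threshold=0.5):
    """CVEs with a high cumulative probability that are absent from KEV."""
    return sorted(
        cve for cve, hist in histories.items()
        if cve not in kev and cumulative_exploited_probability(hist) >= threshold
    )

if __name__ == "__main__":
    for cve, hist in EPSS_HISTORY.items():
        lev = cumulative_exploited_probability(hist)
        print(f"{cve}: peak EPSS {max(hist):.2f}, cumulative {lev:.3f}")
    print(f"expected exploited: {expected_exploited_count(EPSS_HISTORY):.3f}")
    print(f"KEV comprehensiveness: {kev_comprehensiveness(EPSS_HISTORY, KEV_SAMPLE):.3f}")
    print("high-probability CVEs missing from KEV:", likely_missing_from_kev(EPSS_HISTORY, KEV_SAMPLE))
```

The first constructed CVE mirrors the CVE-2023-1730 pattern from the article: its peak EPSS score never exceeds 0.16, yet the cumulative probability across eight months is close to 0.6, which is why a single peak score underestimates past exploitation.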
Analysis Summary
The article primarily discusses a research effort by CISA and NIST to develop a metric called Likely Exploited Vulnerabilities (LEV) probabilities, which estimates the likelihood that a vulnerability has already been exploited, rather than detailing a specific, patchable vulnerability.
It does, however, cite two specific CVEs when presenting the LEV results.
# Vulnerability: Discrepancies in Exploit Likelihood Metrics (LEV vs. EPSS)
## CVE Details
- CVE-2023-1730
  - CVSS Score: N/A (not provided in the article)
  - CWE: SQL injection (inferred from description)
- CVE-2023-29373
  - CVSS Score: N/A (not provided in the article)
  - CWE: Remote Code Execution (inferred from description)
## Affected Systems
| CVE ID | Product | Versions | Configurations |
| :--- | :--- | :--- | :--- |
| **CVE-2023-1730** | SupportCandy WordPress plugin | Before 3.1.5 | N/A |
| **CVE-2023-29373** | Microsoft ODBC Driver | N/A | Associated with Remote Code Execution |
## Vulnerability Description
The article does not provide the core technical details of the vulnerabilities themselves, but rather compares their estimated exploitation likelihood using the new LEV metric against the existing EPSS score.
- **CVE-2023-1730** is described as a **SQL injection** vulnerability within the SupportCandy WordPress plugin.
- **CVE-2023-29373** is described as a **Remote Code Execution** vulnerability in the Microsoft ODBC Driver.
## Exploitation
The data provided focuses on the *probability* calculated by the LEV metric versus the EPSS score regarding exploitation:
| CVE ID | LEV Probability | Peak EPSS Score |
| :--- | :--- | :--- |
| **CVE-2023-1730** | 0.70 | 0.16 |
| **CVE-2023-29373** | 0.54350 | 0.08 |
- Status: The article gives no confirmation of in-the-wild exploitation for either CVE; both are cited as examples where the LEV estimate of the probability that the vulnerability has already been exploited is well above the peak EPSS score.
- Complexity: N/A (no assessment in the article)
- Attack Vector: N/A (not assessed in the article, though SQL injection and RCE flaws are typically reachable via Network or Adjacent access)
## Impact
The primary focus is on vulnerability management prioritization, not the specific security impact (CIA triad) of these two flaws.
## Remediation
### Patches
- **CVE-2023-1730:** Patched in **SupportCandy WordPress plugin version 3.1.5** and later.
- **CVE-2023-29373:** Patch status is not specified, only the existence of the flaw.
### Workarounds
- No specific workarounds are mentioned in the context provided.
## Detection
- The article discusses the **Likely Exploited Vulnerabilities (LEV)** probability method developed by CISA and NIST to help organizations prioritize remediation, especially for vulnerabilities scoring highly on LEV but perhaps lower on established metrics like EPSS or those not yet in CISA's Known Exploited Vulnerabilities (KEV) catalog.
## References
- Primary research discussion source: [hXXps://thecyberexpress.com/cisa-nist-vulnerability-exploit-metric/](hXXps://thecyberexpress.com/cisa-nist-vulnerability-exploit-metric/)
- Related to CVE-2023-1730 (inferred): [hXXps://thecyberexpress.com/what-is-sql-injection/](hXXps://thecyberexpress.com/what-is-sql-injection/)