Full Report
A Morphisec researcher showed how an attacker could manipulate FIRST’s Exploit Prediction Scoring System (EPSS) using AI
Analysis Summary
# Vulnerability: Adversarial Manipulation of EPSS Scoring Model
## CVE Details
- CVE ID: N/A (This describes a flaw in the EPSS *scoring framework*, not a traditional software vulnerability identified by a CVE.)
- CVSS Score: N/A
- CWE: N/A (Related to Data Poisoning/Model Manipulation in Machine Learning)
## Affected Systems
- Products: Exploit Prediction Scoring System (EPSS) framework (maintained by FIRST SIG)
- Versions: The tested version/implementation of the EPSS model relying on feature ingestion mechanisms.
- Configurations: Any deployment or reliance on the EPSS model for vulnerability prioritization based on feature inputs.
## Vulnerability Description
The Exploit Prediction Scoring System (EPSS), which uses an XGBoost machine learning model trained on 1477 features to predict exploitation probability, is susceptible to adversarial manipulation. A user can subtly inject artificial data points that correlate with high exploitation risk—specifically by artificially inflating scores related to **social media mentions** and **public code availability**—to manipulate the model's output probability score for any given CVE.
The proof-of-concept demonstrated this by artificially generating tweets and creating a non-functional GitHub repository for the vulnerability CVE-2017-1235, which subsequently raised its EPSS score and percentile ranking.
## Exploitation
- Status: Proof-of-Concept available (Demonstrated by Morphisec researcher Ido Ikar)
- Complexity: Low (Manipulation involved generating fake social media content and a placeholder code repository.)
- Attack Vector: Network (Injection of data signals into the feature pipeline)
## Impact
- Confidentiality: Negligible (This affects scoring priority, not direct system access.)
- Integrity: Medium (Integrity of the prioritization decision-making process is compromised, potentially leading organizations to misallocate resources.)
- Availability: Negligible (This affects resource allocation strategy, not system uptime.)
## Remediation
### Patches
- No specific patch is available as this is a systemic finding regarding the feature ingestion logic of the EPSS model itself. FIRST/EPSS needs to implement stronger validation or weighting for input features.
### Workarounds
- Organizations relying on EPSS should **not treat scores in isolation**.
- **Complement EPSS with other metrics and risk assessment procedures.**
- **Investigate significant, sudden changes in EPSS scores** to determine if the shift is legitimate or potentially manipulated.
- Cross-reference model outputs with multiple data points.
## Detection
- Indicators of Compromise: Sudden, unexplained increases in the social media mention count or public repository presence for CVEs that previously had minimal external activity.
- Detection Methods and Tools: Continuous monitoring of EPSS scores coupled with manual verification of the underlying feature data driving the score changes.
## References
- Vendor Advisories: N/A (Advisory published by Morphisec on December 18)
- Relevant links:
- Morphisec blog post detailing the findings (Search for "Morphisec EPSS adversarial attack")