Skip to main content

Likely Exploited Vulnerabilities (LEV)

LEV is a proposed NIST metric (CSWP 41) that estimates, from a CVE’s EPSS history, the cumulative probability the vulnerability has ever been exploited — a conservative lower bound.

Likely Exploited Vulnerabilities (LEV) is a metric proposed by NIST in Cybersecurity White Paper 41 (May 2025). Where EPSS looks forward — the probability of exploitation in the next 30 days — LEV looks backward: it derives, from a CVE's EPSS time series, the cumulative probability that the vulnerability has ever been exploited in the wild.

How It Works

LEV composes a CVE's daily EPSS probabilities over its lifetime into one conservative, lower-bound estimate of historical exploitation. NIST also defines a composite: take the maximum of EPSS, KEV membership, and LEV, so the strongest available exploitation signal wins rather than being diluted. One of LEV's stated purposes is to estimate how comprehensive the KEV catalog is — a high LEV on a CVE absent from KEV flags a likely gap.

Why It Matters

KEV only lists exploitation someone confirmed; plenty of exploitation goes unrecorded. LEV gives defenders a principled way to escalate vulnerabilities that were probably exploited without waiting for confirmation. It remains probabilistic — NIST describes it as proposed, with validation ongoing — so rigorous scoring treats LEV as strong probabilistic evidence, not as confirmed exploitation: it can raise priority, but only KEV should trigger hard overrides.

Related Terms

LEV is derived from EPSS and backstops KEV's incompleteness; evidence-weighted scores like RiskScore use it in the likelihood term.