# Exploitability

Once we have found an issue with a CVE, we should first determine whether it is reachable (as seen above). But even when it is reachable, **how likely is it to be exploited?**

We’re continuously drowning in CVEs — including many high-severity CVEs — but **the majority aren’t actually exploitable**. This, of course, can make it difficult to prioritize vulnerabilities as well as to estimate remediation efforts.

CVEs provide a “metric” for such exploitability (based on CVSS). **CVSS** scores vulnerabilities based on their characteristics and potential impacts but **doesn't consider real-world threat data**. Conversely, **EPSS** forecasts rely on up-to-the-minute **risk intelligence** from the CVE repository and **empirical data** about **real-world system attacks**.

While CVSS measures the inherent (theoretical) severity of vulnerabilities, EPSS predicts the likelihood of exploitation based on empirical data.

<figure><img src="https://4096647782-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FUTz59rJLkJBjiRWAMknU%2Fuploads%2FbRig8AeYkUgJ7sDggg0w%2Fimage.png?alt=media&#x26;token=360700b2-3d96-4f5d-b995-90e1d0bc224d" alt=""><figcaption></figcaption></figure>

In this context, although Xygeni scores the severity of a CVE issue based on CVSS, the **Exploitability criterion adds a more reliable filter to the funnel**, filtering out issues with a low likelihood of exploitation.

{% hint style="info" %}
***Exploitability*** should be considered a main criterion for **vulnerability prioritization** (see [Prioritization Funnels](https://docs.xygeni.io/introduction-to-xygeni/prioritization-funnels)).
{% endhint %}
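
The filtering described above, sketched as an added example (this is not Xygeni's code or its actual funnel logic). It assumes the CSV layout of the daily EPSS feed published by FIRST (a `#` metadata line, then `cve,epss,percentile`); the CVE IDs, scores, findings and the `min_epss` cut-off are constructed for illustration.

```python
import csv
import io

# Constructed sample in the layout of FIRST's daily EPSS CSV feed
# (leading '#' metadata line, then cve,epss,percentile). IDs are placeholders.
EPSS_CSV = """#model_version:sample,score_date:2024-01-01T00:00:00+0000
cve,epss,percentile
CVE-0000-0001,0.00043,0.08120
CVE-0000-0002,0.91200,0.99410
CVE-0000-0003,0.03500,0.91050
"""

# Constructed scanner findings: CVSS base score plus a reachability flag.
FINDINGS = [
    {"cve": "CVE-0000-0001", "cvss": 9.8, "reachable": True},
    {"cve": "CVE-0000-0002", "cvss": 7.5, "reachable": True},
    {"cve": "CVE-0000-0003", "cvss": 8.1, "reachable": False},
    {"cve": "CVE-0000-0004", "cvss": 8.8, "reachable": True},  # not in feed
]

def load_epss(text):
    """Parse the EPSS CSV into {cve: (probability, percentile)}."""
    rows = (line for line in io.StringIO(text) if not line.startswith("#"))
    return {r["cve"]: (float(r["epss"]), float(r["percentile"]))
            for r in csv.DictReader(rows)}

def funnel(findings, epss, min_epss=0.1):
    """Return (prioritized, deferred, unscored) lists of CVE ids.

    min_epss is an assumed cut-off, not a value taken from the product.
    Findings with no EPSS entry are reported separately, never dropped.
    """
    prioritized, deferred, unscored = [], [], []
    for f in findings:
        if not f["reachable"]:
            deferred.append(f["cve"])
        elif f["cve"] not in epss:
            unscored.append(f["cve"])
        elif epss[f["cve"]][0] >= min_epss:
            prioritized.append((epss[f["cve"]][0], f["cvss"], f["cve"]))
        else:
            deferred.append(f["cve"])
    prioritized.sort(reverse=True)  # highest EPSS first, CVSS breaks ties
    return [cve for _, _, cve in prioritized], deferred, unscored

if __name__ == "__main__":
    print(funnel(FINDINGS, load_epss(EPSS_CSV)))
```

Note that the CVSS 9.8 finding is deferred because its EPSS probability is low, while the CVSS 7.5 finding is the only one prioritized; the finding without an EPSS entry is surfaced for manual review.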

You can view the EPSS Score associated with a vulnerability in the Vulnerability Details section.

<figure><img src="https://4096647782-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FUTz59rJLkJBjiRWAMknU%2Fuploads%2FBAixvDNW1xI5sdvUEotH%2Fimage.png?alt=media&#x26;token=b48abe77-d461-4f7a-b3b7-167807c36db2" alt=""><figcaption></figcaption></figure>
