Exploitability
Last updated
Once we have found an issue with a CVE, we should first know whether it is reachable (as seen above). But even when it is reachable, how likely is it to actually be exploited?
We are continuously drowning in CVEs, including many high-severity CVEs, but the majority are not actually exploitable.
This, of course, can make it difficult to prioritize vulnerabilities as well as to estimate remediation efforts.
CVEs provide a “metric” that is often read as exploitability: the CVSS score. CVSS rates vulnerabilities based on their characteristics and potential impact, but it does not take real-world threat data into account.
Conversely, EPSS forecasts rely on up-to-the-minute risk intelligence from the CVE repository and empirical data about real-world system attacks.
While CVSS measures the inherent (theoretical) severity of vulnerabilities, EPSS predicts the likelihood of exploitation based on empirical data.
In this context, although Xygeni scores the severity of a CVE issue based on CVSS, the Exploitability criterion adds a more reliable filter to the funnel, removing those issues with a low likelihood of exploitation.
Exploitability should be considered a main criterion for vulnerability prioritization (see Prioritization Funnels).
You can view the EPSS score associated with a vulnerability in the Vulnerability Details section.
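The funnel described above, as an added illustration that is not Xygeni's own code: reachability is applied first, then an EPSS threshold, and the remaining findings are ranked by CVSS severity with EPSS as the tie-breaker. The `Finding` type, the `0.1` EPSS threshold and the CVE identifiers are all constructed for this example.

```python
from dataclasses import dataclass


@dataclass
class Finding:
    cve: str         # placeholder identifier, constructed for this example
    cvss: float      # CVSS base score (0-10): inherent, theoretical severity
    epss: float      # EPSS probability (0-1): likelihood of exploitation in the wild
    reachable: bool  # whether the vulnerable code is reachable from the application


SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "none": 0}


def severity(cvss: float) -> str:
    """Map a CVSS v3 base score to its qualitative rating."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    if cvss > 0.0:
        return "low"
    return "none"


def prioritize(findings, epss_threshold=0.1):
    """Prioritization funnel: drop unreachable findings, drop those whose EPSS
    is below the threshold, then rank by CVSS severity and, within a severity,
    by EPSS (most likely to be exploited first)."""
    reachable = [f for f in findings if f.reachable]
    likely = [f for f in reachable if f.epss >= epss_threshold]
    return sorted(likely, key=lambda f: (SEVERITY_RANK[severity(f.cvss)], f.epss), reverse=True)


# Constructed sample findings (identifiers are placeholders, not real CVEs).
SAMPLE = [
    Finding("CVE-EXAMPLE-A", cvss=9.8, epss=0.02, reachable=True),   # critical but rarely exploited
    Finding("CVE-EXAMPLE-B", cvss=7.5, epss=0.45, reachable=True),
    Finding("CVE-EXAMPLE-C", cvss=8.1, epss=0.30, reachable=False),  # not reachable: dropped first
    Finding("CVE-EXAMPLE-D", cvss=5.3, epss=0.90, reachable=True),   # medium severity, very likely exploited
    Finding("CVE-EXAMPLE-E", cvss=7.5, epss=0.60, reachable=True),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        print(f"{f.cve}: {severity(f.cvss)} (CVSS {f.cvss}), EPSS {f.epss:.2f}")
```

Note that the critical-severity finding is filtered out entirely: a high CVSS score alone does not keep it in the funnel when EPSS says exploitation is unlikely.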