Skip to content
BLOG

What are Likely Exploited Vulnerabilities?

Meredith Kreisa headshot
Meredith Kreisa|June 11, 2025
Security grey
Security grey
Sections

Likely Exploited Vulnerabilities (LEV) is a proposed metric created by NIST and CISA that estimates whether a common vulnerability and exposure (CVE) may already be exploited in the wild. Intended to augment the Exploit Prediction Scoring System (EPSS) and Known Exploited Vulnerabilities (KEV) lists, LEV focuses on historical data to help organizations identify which vulnerabilities require urgent action now. 

We’ll dive into what you should know about this proposed metric, how it could improve your vulnerability management and exposure management, and what you can do to better prioritize vulnerabilities today ... before that “low-priority” CVE becomes your next high-priority headache. 

What would the Likely Exploited Vulnerabilities (LEV) metric look at?

The proposed Likely Exploited Vulnerabilities (LEV) metric would use historical attack data and cyber threat intelligence to assess how likely it is that a CVE has been or is being exploited in the wild — even if not yet confirmed in CISA KEV. It bridges the gap between KEV's confirmed Known Exploited Vulnerabilities catalog and EPSS's short-term predictions by offering a probabilistic view of the real-world exploitation risk.

Translation for the overworked and under-caffeinated: LEV helps you spot the CVEs that are quietly wreaking havoc before they get their KEV badge. 

What is the Exploit Prediction Scoring System (EPSS)? 

EPSS predicts the likelihood of active exploitation over the next 30 days. However, EPSS may not fully capture the current or historical exploitation landscape, potentially even missing a known exploited vulnerability. Plus, it relies on publicly available data, meaning it may miss zero-day exploits or vulnerabilities not widely disclosed. 

What are Known Exploited Vulnerabilities (KEV)?

KEVs are security vulnerabilities in software or hardware that are actively exploited in the wild. These are not hypothetical or theoretical flaws — they are real-world threats with confirmed exploitation.

How does LEV improve vulnerability management? 

Here’s how LEV could help you manage vulnerabilities without losing your inner sense of calm (or your weekend): 

  • Prioritize real threats: Vulnerabilities with high LEV scores are more likely to have been exploited, so they should be patched first. 

  • Focus resources: Teams can direct limited time and staff toward the vulnerabilities most likely to be exploited. 

  • Complement other tools: LEV works alongside EPSS and KEV lists to offer a more complete risk picture. 

By highlighting actively exploited vulnerabilities and helping identify those that pose a significant risk, LEV could strengthen your overall application security posture. LEV can also help you quickly mitigate critical vulnerabilities that could otherwise expose sensitive data to a remote attacker or malicious actor. Combined with vulnerability scanning and other threat intelligence tools, LEV might help your team focus on what matters most — reducing the chance of exploitation. 

How do you implement LEV in vulnerability workflows? 

To use LEV effectively in your organization: 

  • Add LEV scores to your tools: Integrate LEV data into your existing vulnerability management dashboards or ticketing systems. No need to add more dashboards to your life — just make the ones you have a little smarter. 

  • Review LEV data regularly: Stay updated on score changes and new vulnerabilities with high LEV scores. 

  • Train your team: Help your security team get comfy with LEV so they can prioritize patches like pros — not just guess-and-stress. 

How can you better prioritize vulnerabilities immediately? 

If you're using PDQ Connect, you're already ahead of the game (and probably sleeping better). The product uses a unique PDQ risk score that takes into account the likelihood of real-world exploitation (among other factors) — essentially doing what LEV and other metrics aim to do but in real time. 

ConnectIcon CTA

Centralize your Windows device management

Gain real-time visibility, deploy software, remediate vulnerabilities, schedule reports, automate maintenance tasks, and access remote devices from one easy-to-use platform.

Start a free trial

Most alternative solutions don’t assess the likelihood of exploitation, making Connect a standout for teams that need to act fast on live vulnerability intelligence. The PDQ risk score can help you prioritize more accurately and close critical gaps faster. 

The Likely Exploited Vulnerabilities metric could add critical context to vulnerability management. By focusing on whether a vulnerability has likely already been used in an attack, LEV could help organizations make faster, more informed patching decisions and strengthen their overall cybersecurity posture. 

But why wait for a potentially slow, bureaucratic rollout of LEV when PDQ Connect already serves up real-time insights? Try Connect free for 14 days and let your patching plan finally stop playing catch-up and become a threat actor’s worst nightmare. 

Meredith Kreisa headshot
Meredith Kreisa

Meredith gets her kicks diving into the depths of IT lore and checking her internet speed incessantly. When she's not spending quality time behind a computer screen, she's probably curled up under a blanket, silently contemplating the efficacy of napping.

Related articles

Illustration of broken computer with bandaid

Patch Tuesday June 2025

SECURITY

Illustration of computer desk and monitor with PDQ logo

5 best Lansweeper alternatives

GENERAL IT

Illustration of computer desk and monitor with PDQ logo

7 best Automox alternatives

PRODUCT