Efficacy of EPSS in High Severity CVEs found in KEV

The Exploit Prediction Scoring System (EPSS) is designed to assess the probability of a vulnerability being exploited in the next 30 days relative to other vulnerabilities. The latest version, based on a research paper published in arXiv, assists defenders in deciding which vulnerabilities to prioritize for remediation. This study evaluates EPSS's ability to predict exploitation before vulnerabilities are actively compromised, focusing on high severity CVEs that are known to have been exploited and included in the CISA KEV catalog. By analyzing EPSS score history, the availability and simplicity of exploits, the system's purpose, its value as a target for Threat Actors (TAs), this paper examines EPSS's potential and identifies areas for improvement.