CVE Risk Prioritization: NVD + EPSS Visual Analytics
Cindy Alvarado
Co-Presenters: Individual Presentation
College: Hennings College of Science Mathematics and Technology
Major: BS.COMPUTER/SCI
Faculty Research Mentor: Huang, Ching-Yu
Abstract:
"Every year, organizations face thousands of new vulnerabilities and must determine which of them should be remediated first. This study outlines how a reproducible analytics pipeline can support that decision by unifying National Vulnerability Database (NVD) CVE records (2021-2025) with Exploit Prediction Scoring System (EPSS) exploitation estimates, for evidence-based prioritization of CVEs in vulnerability management across a multi-agency environment. The study imports the input data sources into MariaDB (CVE metadata and CVSS v3.1 metrics), then joins them into a unified risk assessment dataset keyed by CVE ID together with EPSS score information, covering approximately five years (2021-2025) and over 200,000 vulnerabilities. The resulting dataset is analyzed through an interactive dashboard that provides five core visualizations with year-based filtering. These visualizations: (1) map technical severity (CVSS) against exploitation likelihood (EPSS) in a risk matrix; (2) summarize average EPSS by severity level; (3) track monthly vulnerability trends; (4) display the frequency and exploitability of weakness categories (CWE); and (5) display a ranked list of weaknesses to patch based on both EPSS and CVSS. Analysis of 35,312 CVEs from 2025 reveals no strong correlation between CVSS severity score and likelihood of exploitation. While the average EPSS score for critical-severity vulnerabilities is 24 times that of low-severity vulnerabilities (0.530% vs. 0.022%), 86% of critical-severity vulnerabilities have EPSS scores below 1%, meaning they are unlikely to be exploited imminently despite their very high technical impact.
Furthermore, the dashboard contained 105 vulnerabilities rated as high priority that require immediate action (CVSS >= 7.0 AND EPSS >= 50%); thus, the use of a combination of severity and exploitability enabled stakeholders to prioritize risk based on the data more accurately. Additionally, this type of research produces a reproducible vulnerability management framework that can be expanded for multi-year trend analyses."
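As an added illustration (not the study's own pipeline or code), the following Python reproduces the core logic the abstract describes: the NVD/EPSS join on CVE ID, CVSS v3.1 severity bands, average EPSS per severity, the share of critical CVEs with EPSS below 1%, and the immediate-action rule (CVSS >= 7.0 AND EPSS >= 50%). The CVE IDs and scores are constructed placeholders, not real records.

```python
# Added example, not the study's code: NVD + EPSS prioritization over constructed sample rows.
from statistics import mean

# CVSS v3.1 qualitative bands: Low 0.1-3.9, Medium 4.0-6.9, High 7.0-8.9, Critical 9.0-10.0
def severity(cvss: float) -> str:
    if cvss >= 9.0:
        return "CRITICAL"
    if cvss >= 7.0:
        return "HIGH"
    if cvss >= 4.0:
        return "MEDIUM"
    return "LOW"

# Constructed placeholder data: CVE ID -> CVSS v3.1 base score (NVD side)
NVD_ROWS = {
    "CVE-2025-00001": 9.8, "CVE-2025-00002": 9.1, "CVE-2025-00003": 7.5,
    "CVE-2025-00004": 5.3, "CVE-2025-00005": 3.1, "CVE-2025-00006": 9.8,
}
# Constructed placeholder data: CVE ID -> EPSS probability of exploitation in the next 30 days
EPSS_ROWS = {
    "CVE-2025-00001": 0.94, "CVE-2025-00002": 0.003, "CVE-2025-00003": 0.61,
    "CVE-2025-00004": 0.12, "CVE-2025-00005": 0.0002, "CVE-2025-00006": 0.008,
}

def join_datasets(nvd, epss):
    """Inner join on CVE ID, the same step the study performs in MariaDB."""
    return [{"cve": c, "cvss": s, "epss": epss[c], "severity": severity(s)}
            for c, s in nvd.items() if c in epss]

def avg_epss_by_severity(rows):
    """Visualization (2): mean EPSS per CVSS severity band."""
    out = {}
    for sev in ("LOW", "MEDIUM", "HIGH", "CRITICAL"):
        vals = [r["epss"] for r in rows if r["severity"] == sev]
        if vals:
            out[sev] = mean(vals)
    return out

def share_critical_below(rows, threshold=0.01):
    """Fraction of CRITICAL CVEs whose EPSS is under the threshold (the abstract's 86% figure)."""
    crit = [r for r in rows if r["severity"] == "CRITICAL"]
    return sum(1 for r in crit if r["epss"] < threshold) / len(crit) if crit else 0.0

def high_priority(rows, cvss_min=7.0, epss_min=0.5):
    """Immediate-action rule from the abstract: CVSS >= 7.0 AND EPSS >= 50%, ranked by EPSS then CVSS."""
    hits = [r for r in rows if r["cvss"] >= cvss_min and r["epss"] >= epss_min]
    return sorted(hits, key=lambda r: (r["epss"], r["cvss"]), reverse=True)
```

Even in this tiny sample, two of the three critical CVEs fall below 1% EPSS while a high-severity CVE outranks them, which is the mismatch between severity and exploitability the study reports.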