In today's blog post we look at two terms that are particularly relevant for prioritising vulnerabilities in any environment, with a focus on industrial environments.
First, EPSS, or Exploit Prediction Scoring System, is a statistical model developed by FIRST (Forum of Incident Response and Security Teams). The model answers the question: what is the probability that this vulnerability will be exploited in the wild in the next 30 days? In an industrial environment, where prioritising activities is paramount, this lets cybersecurity managers categorise vulnerabilities and establish a response model according to how likely each one is to be exploited.
On the other hand, there is SSVC, or Stakeholder-Specific Vulnerability Categorization. SSVC is a decision-making methodology created in collaboration between the SEI (Software Engineering Institute) and CISA (Cybersecurity and Infrastructure Security Agency). It provides a decision tree whose inputs (the decision points) are answered by each stakeholder for their own situation, so those responsible can determine, to a certain extent, the risk a vulnerability poses in their environment and whether they need to act on it.
Throughout this article, we will take a closer look at each term in summary form, a specific case related to vulnerability prioritisation, and the different platforms available for each one.
EPSS, COMPLEX BUT EFFECTIVE
EPSS, created in 2019 by FIRST and presented at Black Hat that same year, gives cybersecurity managers a way to estimate the likelihood of exploitation of published CVEs. The EPSS model produces a score between 0 and 1 (0% to 100%): the higher the score, the greater the likelihood of exploitation. EPSS is currently in version 4, released on 17 March 2025.
This model is complementary to CVSS (Common Vulnerability Scoring System), although the two measure different things and present their results in different ways. EPSS expresses threat (the probability that a vulnerability will be exploited within the next 30 days), while CVSS describes the fundamental properties of a vulnerability: a numerical rating derived from its theoretical impact and the conditions required to exploit it.
FIRST provides a public API for querying EPSS scores and also maintains a list of open-source tools and integrations for retrieving them.
Since one of our researchers detected and published several vulnerabilities in industrial devices, we will use one of them, CVE-2025-41362, as an example and look up its EPSS score through the API.
Using the FIRST API, we enter the following call:
https://api.first.org/data/v1/epss?cve=CVE-2025-41362
Which gives us the following answer:
{"status":"OK","status-code":200,"version":"1.0","access":"public","total":1,"offset":0,"limit":100,"data":[{"cve":"CVE-2025-41362","epss":"0.000700000","percentile":"0.217070000","date":"2025-08-25"}]}
The response gives us the EPSS value, 0.0007 or 0.07%, a very low level, indicating that the probability of CVE-2025-41362 being exploited in the next 30 days is close to zero. The percentile (0.217, roughly 21.7%) is the proportion of all scored vulnerabilities whose EPSS is equal to or lower than this one, which places CVE-2025-41362 in relation to the rest of the published vulnerabilities.
To give a little more context to the overall distribution of exploitation probabilities, the following graph from FIRST shows how most vulnerabilities fall below the line that marks the prioritisation threshold.
It should be noted that the model uses machine learning to estimate the probability of exploitation, drawing on a large amount of information from different relevant sources (vulnerability characteristics, published exploit code, observed exploitation activity, among others). Scores are recomputed every day, so the values change over time. For example, as of today, 26 August 2025, the EPSS value of CVE-2025-41362 is 0.07%. If tomorrow a functional PoC (Proof of Concept) exploit were published on GitHub, the score would be recalculated and its value would rise. This is what gives the model its value to vulnerability management systems that use EPSS for prioritisation.
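As an added example (not code from the post or from FIRST), the following script parses the response format shown above, fetches live scores if asked to, sorts a CVE into a triage bucket, and flags a CVE whose daily score has jumped, which is the re-triage trigger described in the paragraph above. The bucket thresholds and the second CVE id are assumptions: the thresholds are a local policy choice, not FIRST guidance, and CVE-0000-00000 is a dummy placeholder in a constructed sample response, not a real vulnerability.

```python
"""Query and interpret EPSS scores from the FIRST API (added example)."""
import json
import urllib.request
from dataclasses import dataclass
from typing import Optional

EPSS_URL = "https://api.first.org/data/v1/epss"


@dataclass
class EpssScore:
    cve: str
    epss: float        # probability of exploitation in the wild in the next 30 days, 0..1
    percentile: float  # share of all scored CVEs with an EPSS <= this one, 0..1
    date: str          # date of the daily model run that produced the score


def parse_epss_response(body: str) -> dict[str, EpssScore]:
    """Parse the JSON body returned by the FIRST EPSS API into a dict keyed by CVE.

    The API returns 'epss' and 'percentile' as decimal strings, so convert them.
    A CVE the model has not scored is simply absent from 'data', not an error.
    """
    doc = json.loads(body)
    if doc.get("status") != "OK":
        raise ValueError(f"EPSS API status {doc.get('status')!r}: {doc}")
    return {
        row["cve"]: EpssScore(
            cve=row["cve"],
            epss=float(row["epss"]),
            percentile=float(row["percentile"]),
            date=row["date"],
        )
        for row in doc.get("data", [])
    }


def fetch_epss(cves: list[str], timeout: float = 10.0) -> dict[str, EpssScore]:
    """Live lookup: the API accepts several CVE ids separated by commas."""
    url = f"{EPSS_URL}?cve={','.join(cves)}"
    with urllib.request.urlopen(url, timeout=timeout) as resp:  # network call
        return parse_epss_response(resp.read().decode("utf-8"))


def triage_bucket(score: Optional[EpssScore],
                  epss_threshold: float = 0.10,
                  percentile_threshold: float = 0.90) -> str:
    """Turn a score into a coarse bucket for a vulnerability queue.

    The thresholds are an assumed local policy, not a FIRST recommendation; tune
    them to the risk appetite of the plant or organisation.
    """
    if score is None:
        return "unscored"      # not in the model yet: rely on CVSS/SSVC meanwhile
    if score.epss >= epss_threshold or score.percentile >= percentile_threshold:
        return "prioritise"
    return "monitor"


def needs_retriage(previous: EpssScore, current: EpssScore,
                   min_increase: float = 0.05) -> bool:
    """Flag a CVE whose daily score rose by at least min_increase (for example
    after a public PoC appeared), so its SSVC decision can be revisited."""
    return current.epss - previous.epss >= min_increase


# Constructed sample: the first entry reproduces the response shown in the post;
# the second is a dummy placeholder id (not a real CVE) carrying a high score.
SAMPLE_RESPONSE = json.dumps({
    "status": "OK", "status-code": 200, "version": "1.0", "access": "public",
    "total": 2, "offset": 0, "limit": 100,
    "data": [
        {"cve": "CVE-2025-41362", "epss": "0.000700000",
         "percentile": "0.217070000", "date": "2025-08-25"},
        {"cve": "CVE-0000-00000", "epss": "0.912340000",
         "percentile": "0.998800000", "date": "2025-08-25"},
    ],
})

if __name__ == "__main__":
    scores = parse_epss_response(SAMPLE_RESPONSE)  # offline; use fetch_epss() for live data
    for cve in ("CVE-2025-41362", "CVE-0000-00000", "CVE-0000-00001"):
        s = scores.get(cve)
        if s:
            print(f"{cve}: EPSS {s.epss:.4%}, percentile {s.percentile:.1%} -> {triage_bucket(s)}")
        else:
            print(f"{cve}: not scored -> {triage_bucket(s)}")
```

Keeping yesterday's scores and running needs_retriage over today's pull is the cheap way to catch the "PoC published overnight" case the post describes without re-reading every CVE by hand.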
At HackRTU we use this model in our services to provide not only theoretical information about vulnerabilities (CVSS), but also up-to-date information on the likelihood that a vulnerability detected in an industrial device could be exploited in the coming days.
SSVC, A GOOD METHODOLOGY FOR PRIORITISING VULNERABILITIES
The Stakeholder-Specific Vulnerability Categorisation (SSVC) methodology was created, as mentioned above, in 2019 in collaboration between the SEI and CISA. It assesses the criticality of a vulnerability by taking into account its exploitation status, its security impact and the prevalence of the affected device, system or software. In short, it lets cybersecurity managers and analysts, integrators, manufacturers and incident response teams prioritise vulnerabilities by walking a decision tree.
Unlike EPSS or CVSS, SSVC is neither a statistical model nor a theoretical score but, as mentioned above, a decision methodology that uses trees to assign a priority of action for a vulnerability.
SSVC differs from other models and scoring systems in that it helps you decide what to do about a vulnerability based on your role in the organisation and your relationship to the vulnerability itself. The decision tree has four possible outcomes: Track, Track*, Attend and Act.
In addition, CISA, in its Stakeholder-Specific Vulnerability Categorisation guide, documents the decision points of the tree (the questions each stakeholder must answer) and the response expected for each outcome. Within these decision points, there are two key points:
With the latest version of the methodology, SSVC 2.1, CISA published a calculator on its website, which simplifies walking the tree. As an example, we will use this calculator to obtain the decision for vulnerability CVE-2025-41362, reported by one of our researchers at HackRTU.
It should be noted that generic, illustrative values were chosen at each decision point, since the real deployment context of the device is not known and a true result would require it.
The CISA calculator not only draws the decision tree, but also provides information on the vulnerability, the SSVC vector, the role of the person who performed the analysis, and an explanation of the outcome obtained.
As can be seen in the image above, the outcome is TRACK, which means the vulnerability should be monitored for new exploitation evidence in sources such as CISA's Known Exploited Vulnerabilities (KEV) catalog or, for industrial systems, the ICS Advisory Project's tracking of KEV entries. The appearance of an exploit, or a change in the function or importance of the asset within the organisation's production, could change the final SSVC decision.
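The tree the calculator walks, reproduced in code as an added example (this is not the page's or CISA's code). The decision-point names, the combination of Mission Prevalence and Public Well-Being Impact into a single Mission & Well-being value, and the leaf table are transcribed from CISA's published SSVC guide; treat the table as an assumption and check it against the CISA calculator before using it operationally. The inputs chosen for CVE-2025-41362 are assumed, exactly as the post's own walk-through assumes them, and the monotonicity check at the end is a sanity test on the transcription rather than part of the methodology.

```python
"""CISA SSVC decision tree for a vulnerability deployer, as an added example."""
from itertools import product

# Decision points with their values ordered from least to most severe, using the
# names in CISA's SSVC guide. The leaf table below is transcribed from that
# guide (assumption: verify it against the CISA calculator before relying on it).
EXPLOITATION = ("none", "poc", "active")
AUTOMATABLE = ("no", "yes")
TECHNICAL_IMPACT = ("partial", "total")
MISSION_PREVALENCE = ("minimal", "support", "essential")
PUBLIC_WELL_BEING = ("minimal", "material", "irreversible")
MISSION_WELL_BEING = ("low", "medium", "high")
DECISIONS = ("Track", "Track*", "Attend", "Act")

# Mission Prevalence x Public Well-Being Impact -> combined Mission & Well-being.
_MWB = {
    ("minimal", "minimal"): "low",
    ("minimal", "material"): "medium",
    ("minimal", "irreversible"): "high",
    ("support", "minimal"): "medium",
    ("support", "material"): "medium",
    ("support", "irreversible"): "high",
    ("essential", "minimal"): "high",
    ("essential", "material"): "high",
    ("essential", "irreversible"): "high",
}

# Leaves keyed by (exploitation, automatable, technical_impact); each tuple holds
# the decision for mission_well_being = low, medium, high, in that order.
_TREE = {
    ("none", "no", "partial"): ("Track", "Track", "Track"),
    ("none", "no", "total"): ("Track", "Track", "Track*"),
    ("none", "yes", "partial"): ("Track", "Track", "Attend"),
    ("none", "yes", "total"): ("Track", "Track", "Attend"),
    ("poc", "no", "partial"): ("Track", "Track", "Track*"),
    ("poc", "no", "total"): ("Track", "Track*", "Attend"),
    ("poc", "yes", "partial"): ("Track", "Track*", "Attend"),
    ("poc", "yes", "total"): ("Track*", "Track*", "Attend"),
    ("active", "no", "partial"): ("Track", "Attend", "Attend"),
    ("active", "no", "total"): ("Attend", "Attend", "Act"),
    ("active", "yes", "partial"): ("Attend", "Attend", "Act"),
    ("active", "yes", "total"): ("Attend", "Act", "Act"),
}


def mission_and_well_being(prevalence: str, well_being: str) -> str:
    """Collapse the two business-context decision points into one value."""
    return _MWB[(prevalence, well_being)]


def _leaf(exploitation: str, automatable: str, technical_impact: str, mwb: str) -> str:
    return _TREE[(exploitation, automatable, technical_impact)][MISSION_WELL_BEING.index(mwb)]


def ssvc_decide(exploitation: str, automatable: str, technical_impact: str,
                prevalence: str, well_being: str) -> str:
    """Walk the tree and return Track, Track*, Attend or Act."""
    for name, value, allowed in (
        ("exploitation", exploitation, EXPLOITATION),
        ("automatable", automatable, AUTOMATABLE),
        ("technical_impact", technical_impact, TECHNICAL_IMPACT),
        ("prevalence", prevalence, MISSION_PREVALENCE),
        ("well_being", well_being, PUBLIC_WELL_BEING),
    ):
        if value not in allowed:
            raise ValueError(f"{name}={value!r} not one of {allowed}")
    return _leaf(exploitation, automatable, technical_impact,
                 mission_and_well_being(prevalence, well_being))


def table_is_monotone() -> bool:
    """Sanity check on the transcribed table: worsening any single input by one
    step must never lower the decision. A typo in _TREE usually fails this."""
    rank = {d: i for i, d in enumerate(DECISIONS)}
    axes = (EXPLOITATION, AUTOMATABLE, TECHNICAL_IMPACT, MISSION_WELL_BEING)
    for combo in product(*axes):
        here = rank[_leaf(*combo)]
        for i, axis in enumerate(axes):
            pos = axis.index(combo[i])
            if pos + 1 < len(axis):
                worse = list(combo)
                worse[i] = axis[pos + 1]
                if rank[_leaf(*worse)] < here:
                    return False
    return True


if __name__ == "__main__":
    # Assumed inputs for CVE-2025-41362 (not the device's real context): no known
    # exploit, not automatable, partial impact, supporting asset, minimal public
    # well-being impact. Expected outcome: Track, as in the post.
    print(ssvc_decide("none", "no", "partial", "support", "minimal"))
    # The same flaw once actively exploited, wormable, on an essential asset: Act.
    print(ssvc_decide("active", "yes", "total", "essential", "minimal"))
    print("table monotone:", table_is_monotone())
```

Re-running ssvc_decide with "poc" or "active" for the exploitation point is the programmatic form of the re-evaluation the post describes when a KEV entry or public exploit appears; wiring it to the daily EPSS pull keeps the two signals in one queue.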
At HackRTU, we believe that using both the EPSS model and the SSVC methodology is essential for managing vulnerabilities properly in industrial environments, because together they account for the specific characteristics of each organisation. Our analyses therefore take both into account in order to deliver results tailored to each client.
HACKRTU TEAM
© HackRTU 2025