Understanding KEV and EPSS in Findings
When reviewing vulnerabilities in Ethiack, you may see references to KEV and EPSS. These risk indicators help you understand whether a vulnerability has been exploited and how likely it is to be exploited soon.
Known Exploited Vulnerabilities (KEV)
What it is:
The KEV catalog is maintained by CISA (Cybersecurity and Infrastructure Security Agency). It lists vulnerabilities that are confirmed to be exploited in real attacks.
How we show it:
- RED ICON ~ "In the Known Exploited Vulnerability (KEV) catalogue!": This vulnerability is confirmed by CISA as being actively exploited. It should be a high priority for remediation.
- GREY ICON ~ "Not in the Known Exploited Vulnerability (KEV) catalogue.": This finding is not on CISA’s exploited list. This does not guarantee safety — it only means there is no public confirmation of active exploitation, or the finding is not a vulnerability at all.
What it means for you:
If a vulnerability is listed in KEV, it’s proven dangerous in the real world. Address these issues as quickly as possible.
Exploit Prediction Scoring System (EPSS)
What it is:
EPSS estimates the likelihood that a vulnerability will be exploited in the next 30 days, shown as a percentage. The higher the percentage, the higher the predicted risk of exploitation.
How we show it:
- A crosshair icon next to a finding shows its risk category.
- The icon colour reflects the predicted risk:
  - Green ICON – Low (< 3%): Unlikely to be exploited in the next 30 days
  - Orange ICON – Medium (3–10%): Moderate probability of exploitation
  - Red ICON – High (> 10%): High probability of exploitation — should be prioritised
  - Grey ICON – N/A: No EPSS score is available. This means:
    - The finding is not a vulnerability, or
    - EPSS has not assigned a score for this vulnerability yet.
What it means for you:
EPSS helps you prioritise vulnerabilities that are more likely to be exploited soon.
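The following script is an added example (not Ethiack's own code) that reproduces the KEV and EPSS categories described in both sections above and turns them into a remediation order. It assumes findings arrive as dicts with a boolean `kev` flag and an optional `epss` probability in the 0.0–1.0 form the FIRST EPSS feed reports, which is converted to the percentage bands shown on the page; all ids and scores are constructed sample data.

```python
"""Triage helper for KEV / EPSS indicators (added example, not Ethiack code)."""
from typing import Optional

# Thresholds from the page, as probabilities: 3% and 10%.
EPSS_LOW_MAX = 0.03
EPSS_MEDIUM_MAX = 0.10


def epss_category(score: Optional[float]) -> str:
    """Map an EPSS probability to the page's colour category.

    None -> 'N/A' (no score assigned, or the finding is not a vulnerability).
    < 3% -> Low, 3-10% inclusive -> Medium, > 10% -> High.
    """
    if score is None:
        return "N/A"
    if not 0.0 <= score <= 1.0:
        raise ValueError(f"EPSS must be a probability in [0, 1], got {score}")
    if score < EPSS_LOW_MAX:
        return "Low"
    if score <= EPSS_MEDIUM_MAX:
        return "Medium"
    return "High"


def triage_rank(finding: dict) -> tuple:
    """Sort key: KEV-listed first, then descending EPSS, unscored (N/A) last."""
    score = finding.get("epss")
    return (0 if finding.get("kev") else 1,
            0 if score is not None else 1,
            -(score or 0.0))


def prioritise(findings: list) -> list:
    """Return finding ids in the order they should be remediated."""
    return [f["id"] for f in sorted(findings, key=triage_rank)]


# Constructed sample findings; ids and scores are illustrative only.
SAMPLE_FINDINGS = [
    {"id": "F-1", "kev": False, "epss": 0.12},  # High EPSS, not in KEV
    {"id": "F-2", "kev": True,  "epss": 0.02},  # Low EPSS but KEV-listed
    {"id": "F-3", "kev": False, "epss": None},  # no EPSS score -> N/A
    {"id": "F-4", "kev": False, "epss": 0.03},  # boundary: exactly 3% -> Medium
    {"id": "F-5", "kev": False, "epss": 0.10},  # boundary: exactly 10% -> Medium
]

if __name__ == "__main__":
    for f in SAMPLE_FINDINGS:
        print(f["id"], "KEV" if f["kev"] else "-", epss_category(f["epss"]))
    print("Remediation order:", prioritise(SAMPLE_FINDINGS))
```

Note that a KEV-listed finding outranks every non-KEV finding regardless of its EPSS score, matching the page's guidance to treat confirmed exploitation as the stronger signal.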