EPSS, the Exploit Prediction Scoring System, is a daily estimate of the probability that a vulnerability will be exploited in the wild over the next 30 days. An EPSS probability score is given on a scale of 0% to 100%, where the higher the EPSS score, the higher the probability of exploitation in the wild.

EPSS probability score & rank

Only around 5% of all vulnerabilities are ever exploited in the wild. This can make it hard to interpret EPSS scores, since seemingly low probability scores will have a high rank. About 88% of vulnerabilities have an EPSS probability score of 10% or lower. An EPSS probability of 25% puts the vulnerability in the 95th percentile, and a probability of 50% is in the 98th percentile (ref).

The distribution of EPSS scores can help convey this information more intuitively.

Exploitability label

In Minimus, vulnerabilities with an EPSS score above 60% are labeled as Likely to be exploited.

If a CVE is on the CISA KEV list and also has a high EPSS score, it will only show the active exploit label.
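The labeling precedence described above, as an added example that is not Minimus code. It assumes EPSS scores arrive as 0-1 fractions in a CSV with `cve`, `epss` and `percentile` columns, that KEV membership alone yields the active exploit label, and that the label reads "Active exploit"; the CVE ids, scores and KEV set are constructed placeholders.

```python
import csv
import io

# Constructed sample in the assumed layout of an EPSS CSV export: a '#' metadata
# line, a header, then one row per CVE with epss and percentile as 0-1 fractions.
# The CVE ids and all values are placeholders, not real scores.
SAMPLE_EPSS_CSV = """\
#model_version:vX,score_date:2000-01-01
cve,epss,percentile
CVE-0000-0001,0.91000,0.99500
CVE-0000-0002,0.60000,0.98700
CVE-0000-0003,0.61000,0.98800
CVE-0000-0004,0.02000,0.70000
"""
SAMPLE_KEV = {"CVE-0000-0001", "CVE-0000-0004"}  # constructed KEV membership

LIKELY_THRESHOLD = 0.60           # the page's 60%, on the 0-1 scale
LABEL_LIKELY = "Likely to be exploited"
LABEL_ACTIVE = "Active exploit"   # assumed wording for the active exploit label


def parse_epss(text):
    """Return {cve: (probability, percentile)} from EPSS-style CSV text."""
    rows = (line for line in io.StringIO(text) if not line.startswith("#"))
    return {r["cve"]: (float(r["epss"]), float(r["percentile"]))
            for r in csv.DictReader(rows)}


def label_for(cve, probability, kev):
    """One label per CVE: KEV membership wins over a high EPSS score."""
    if cve in kev:                       # assumption: KEV alone gives this label
        return LABEL_ACTIVE
    if probability > LIKELY_THRESHOLD:   # "above 60%": exactly 60% is not labeled
        return LABEL_LIKELY
    return None


def triage(epss_text, kev):
    """Label every CVE and sort the result by descending probability."""
    scores = parse_epss(epss_text)
    ranked = sorted(scores.items(), key=lambda kv: kv[1][0], reverse=True)
    return [(cve, prob, pct, label_for(cve, prob, kev)) for cve, (prob, pct) in ranked]


if __name__ == "__main__":
    for cve, prob, pct, label in triage(SAMPLE_EPSS_CSV, SAMPLE_KEV):
        print(f"{cve}  epss={prob:.0%}  percentile={pct:.1%}  {label or '-'}")
```

The second-ranked rows show why the comparison is made on the probability rather than the rank: a score of exactly 60% already sits near the top percentile but does not cross the labeling threshold.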