Introducing EPSS Pulse: monitoring volatility in vulnerability risk


Greetings from Las Vegas! Today, I had the privilege and pleasure to grace the Black Hat stage and talk all about vulnerability scoring systems like CVSS, EPSS, SSVC, and other systems for determining software vulnerability “threatiness.”

While there is a lot to dissect within the whole talk and paper, I wanted to take a minute to zoom into one of the findings about scoring systems that I think is super interesting — so interesting, in fact, that we’re launching a fun little widget today so you can play along at home: EPSS Pulse.

During the course of my research, I noticed something interesting about EPSS: while there are loads of high-scoring vulnerabilities, what may be more interesting and relevant are those CVE-identified vulnerabilities that have seen recent, dramatic shifts in their EPSS scores.

Take, for example, CVE-2015-3306 for ProFTP. It’s a ten-year-old vulnerability that’s been hovering around a 94% score since I started looking. That’s a pretty high score…critical even! But it’s stable, and almost certainly already remediated by everyone who cares about the security of their ProFTP install. So, in the end, kind of boring.

Compare this to CVE-2025-54309 for CrushFTP. Pretty recent, and when it was published, it had an extremely low EPSS score of less than 0.1%. Totally ignorable! But then, on July 23, it leapt up to 74.4%. That seems like something worth paying attention to, and a reason to kick off a quick OSINT investigation to see if we can find out why this vulnerability is suddenly hot.

So, wouldn’t it be cool to be able to quickly and easily check to see what today’s EPSS fast movers are? While I wrote some shell scripting to do just that, the team here at runZero put together EPSS Pulse, the whiz-bang web app that does all the comparison work automatically, without a bunch of typing and grepping. Oh, and it’s quite pretty:

EPSS Pulse

The part I really like about this tool is that you can see, at a glance, not only the recent big-movers, but also a snapshot of their recent history. Does today’s hot vuln have a habit of bouncing between two dramatically different scores, or did it creep up for a little while, or did it just jump yesterday after languishing in obscurity? This is a great bit of context that can quickly sketch out the shape of a suddenly-interesting vulnerability and decide if it’s worth following up.
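The day-over-day comparison the post describes, together with the history “shape” check in the paragraph above, as an added example that is neither the author’s shell script nor runZero’s EPSS Pulse code: it diffs two daily EPSS snapshots, ranks the movers by size of change, and labels each mover’s recent history as stable, creeping, jumped, bouncing or volatile. The snapshot layout assumed here (one leading `#` metadata line, then `cve,epss,percentile` rows) matches FIRST’s daily CSV export as I know it; the five snapshots, the placeholder IDs CVE-0000-0001 and CVE-0000-0002, the 10-point threshold and the shape labels are all constructed for the demonstration, with the two real CVEs’ values approximating the figures quoted in the post.

```python
"""Day-over-day EPSS "fast movers" from daily CSV snapshots (added example)."""
import csv
import io
from typing import Dict, List

# Constructed sample snapshots. Assumption: the layout matches FIRST's daily EPSS
# export as I know it (a leading '#' metadata line, then cve,epss,percentile rows).
# CVE-2015-3306 and CVE-2025-54309 are the CVEs discussed in the post, with scores
# approximating the quoted figures; CVE-0000-0001 and CVE-0000-0002 are placeholder
# IDs, not real CVEs, built to show a "bouncing" and a "creeping" history.
SNAPSHOTS: Dict[str, str] = {
    "2025-07-19": """#model_version:v2025.03.14,score_date:2025-07-19T00:00:00+0000
cve,epss,percentile
CVE-2015-3306,0.940,0.9987
CVE-2025-54309,0.0008,0.2660
CVE-0000-0001,0.05,0.9200
CVE-0000-0002,0.10,0.9400
""",
    "2025-07-20": """#model_version:v2025.03.14,score_date:2025-07-20T00:00:00+0000
cve,epss,percentile
CVE-2015-3306,0.941,0.9987
CVE-2025-54309,0.0008,0.2661
CVE-0000-0001,0.60,0.9780
CVE-0000-0002,0.16,0.9510
""",
    "2025-07-21": """#model_version:v2025.03.14,score_date:2025-07-21T00:00:00+0000
cve,epss,percentile
CVE-2015-3306,0.940,0.9987
CVE-2025-54309,0.0008,0.2659
CVE-0000-0001,0.05,0.9210
CVE-0000-0002,0.23,0.9600
""",
    "2025-07-22": """#model_version:v2025.03.14,score_date:2025-07-22T00:00:00+0000
cve,epss,percentile
CVE-2015-3306,0.939,0.9986
CVE-2025-54309,0.0009,0.2702
CVE-0000-0001,0.60,0.9781
CVE-0000-0002,0.31,0.9660
""",
    "2025-07-23": """#model_version:v2025.03.14,score_date:2025-07-23T00:00:00+0000
cve,epss,percentile
CVE-2015-3306,0.940,0.9987
CVE-2025-54309,0.744,0.9850
CVE-0000-0001,0.05,0.9205
CVE-0000-0002,0.40,0.9710
""",
}


def parse_epss_csv(text: str) -> Dict[str, float]:
    """Return {cve: epss_probability} for one daily snapshot, skipping '#' metadata lines."""
    rows = [ln for ln in text.splitlines() if ln and not ln.startswith("#")]
    return {r["cve"]: float(r["epss"]) for r in csv.DictReader(io.StringIO("\n".join(rows)))}


def fast_movers(prev: Dict[str, float], cur: Dict[str, float], min_delta: float = 0.10) -> List[dict]:
    """CVEs whose score moved at least min_delta between two snapshots, largest move first.
    A CVE absent from the earlier snapshot is treated as having scored 0.0 (newly published)."""
    out = []
    for cve, score in cur.items():
        before = prev.get(cve, 0.0)
        delta = score - before
        if abs(delta) >= min_delta:
            out.append({"cve": cve, "prev": before, "cur": score, "delta": round(delta, 4)})
    return sorted(out, key=lambda m: abs(m["delta"]), reverse=True)


def score_history(cve: str, snapshots: Dict[str, Dict[str, float]]) -> List[float]:
    """Scores for one CVE across snapshots in date order (ISO date keys sort chronologically)."""
    return [snapshots[d].get(cve, 0.0) for d in sorted(snapshots)]


def classify_history(scores: List[float], jump: float = 0.10) -> str:
    """Sketch the shape of a score history: stable, creeping, jumped, bouncing or volatile."""
    deltas = [b - a for a, b in zip(scores, scores[1:])]
    big = [i for i, d in enumerate(deltas) if abs(d) >= jump]
    if not big:
        # No single large step; a large cumulative drift across the window still counts.
        return "creeping" if abs(scores[-1] - scores[0]) >= jump else "stable"
    if len(big) >= 2 and any(deltas[i] * deltas[j] < 0 for i, j in zip(big, big[1:])):
        return "bouncing"  # repeated large swings in alternating directions
    if big == [len(deltas) - 1]:
        return "jumped"  # quiet until the most recent snapshot
    return "volatile"  # several large same-direction steps, or an earlier jump


def daily_report(raw_snapshots: Dict[str, str], min_delta: float = 0.10) -> List[dict]:
    """Today's fast movers (last two snapshots), each annotated with its history shape."""
    parsed = {d: parse_epss_csv(t) for d, t in raw_snapshots.items()}
    dates = sorted(parsed)
    movers = fast_movers(parsed[dates[-2]], parsed[dates[-1]], min_delta)
    for m in movers:
        m["shape"] = classify_history(score_history(m["cve"], parsed))
    return movers


if __name__ == "__main__":
    for m in daily_report(SNAPSHOTS):
        print(f'{m["cve"]:16} {m["prev"]:.4f} -> {m["cur"]:.4f} ({m["delta"]:+.4f})  {m["shape"]}')
```

On the constructed data, the report lists CVE-2025-54309 first (a “jumped” history: flat for four days, then a single large step) and the placeholder CVE-0000-0001 second (“bouncing”: it alternates between two very different scores, which is exactly the pattern worth knowing before spending OSINT time on it), while the stable ProFTP score and the slowly creeping placeholder fall below the threshold and are not reported as movers. The threshold and the history window are the two knobs a practitioner would tune against the real daily files.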

All that said, I do worry that this is just another exercise in omen-checking. After all, EPSS pulls in signal data from all sorts of sources, and some of those sources are proprietary and opaque, so the “why” of a recent jump can still be a little mysterious. Scrying these reasons is still on you, the intrepid OSINT investigator, to figure out. But EPSS Pulse can give you a handy starting place for measuring these score changes, so this seems like a pretty decent tool to help you figure out which vulnerabilities to chase today. Give it a whirl for a few days, and let me know what you think!

Written by todb

Tod Beardsley is VP of Security Research at runZero, where he "kicks assets and fakes frames." Prior to 2025, he was the Section Chief for the Vulnerability Response section for CSD/VM/VRC at CISA, the Cybersecurity and Infrastructure Security Agency, part of the US government, and a seasonal Travis County Election Judge in Texas. He's also a founder and CNA point of contact for AHA!. Tod spends much of his time involved in vulnerability research and coordinated vulnerability disclosure (CVD). He has over 30 years of hands-on security experience, stretching from in-band telephony switching to modern ICS/OT implementations. He has held IT ops, security, software engineering, and management positions in large organizations such as the US Government, Rapid7, 3Com, Dell, and Westinghouse, as both an offensive and defensive practitioner. Tod is a CVE Board member, has authored several research papers, and is an internationally-tolerated horror fiction expert.
