Black Hat USA 2025 | Vulnerability Haruspicy: Picking Out Risk Signals From Scoring System Entrails
Why It Matters
Understanding the true risk behind vulnerability scores prevents wasted effort on low‑impact bugs and ensures resources focus on threats most likely to be exploited.
Key Takeaways
- CVSS base scores cluster around 7; very low and very high scores are rare.
- The vector components, not the aggregate score, reveal a vulnerability's real risk.
- EPSS estimates that roughly 10,000 CVEs are likely to be exploited in any given 30-day window.
- Newer scoring systems (Pipeline VSS, AI-VSS) extend CVSS concepts to code repositories and ML models.
- Relying solely on CVSS thresholds can misdirect remediation effort.
Summary
The talk at Black Hat USA 2025 explored the limits of traditional vulnerability scoring, focusing on CVSS, the EPSS exploit-prediction model, and newer frameworks such as Pipeline VSS and AI-VSS. Todd used the haruspex analogy (the Roman diviner who read omens in animal entrails) to illustrate how analysts read portents into raw scoring data, sometimes over-interpreting statistical noise.
He highlighted that CVSS base scores consistently cluster around 7, and that the distribution keeps the same shape whether scores are binned by day, month, or year. The vector string (attack vector, attack complexity, privileges required, user interaction, scope, and the confidentiality, integrity, and availability impacts) carries the actionable detail; the single aggregate number hides it. EPSS, a machine-learning model trained on exploitation telemetry feeds, now estimates that roughly ten thousand CVEs could be exploited within the next thirty days, far more than the few thousand actively exploited bugs tracked by catalogs such as CISA KEV and VulnDB.
Concrete examples included a Red Hat GRUB bug that only matters if an already logged-in user can manipulate the bootloader, and the observation that many high CVSS scores come from vectors that look attractive on paper (network-accessible, low privileges required) yet are less useful to attackers in practice. He also introduced Pipeline VSS, which tailors the attack-vector metric to how a code repository is exposed, and AI-VSS, which adds a societal-impact dimension for machine-learning models.
The implication is clear: security teams should move beyond blanket CVSS thresholds, read the vector components against their own exposure, and blend EPSS probabilities and known-exploitation data into patch prioritization. Doing so aligns remediation effort with real-world exploitation risk and prepares organizations for the evolving landscape of AI-driven vulnerabilities.