Bibliographic Details
Main Authors: Shen, Xiangmin, Cheng, Wenyuan, Chen, Yan, Li, Zhenyuan, Gu, Yuqiao, Wang, Lingzhi, Zhao, Wencheng, Sun, Dawei, Wang, Jiashui
Format: Preprint
Published: 2025
Subjects: Cryptography and Security
Online Access: https://arxiv.org/abs/2509.17832
contents Security practitioners face growing challenges in exploit assessment, as public vulnerability repositories are increasingly populated with inconsistent and low-quality exploit artifacts. Existing scoring systems, such as CVSS and EPSS, offer limited support for this task. They either rely on theoretical metrics or produce opaque probability estimates without assessing whether usable exploit code exists. In practice, security teams often resort to manual triage of exploit repositories, which is time-consuming, error-prone, and difficult to scale. We present AEAS, an automated system designed to assess and prioritize actionable exploits through static analysis. AEAS analyzes both exploit code and associated documentation to extract a structured set of features reflecting exploit availability, functionality, and setup complexity. It then computes an actionability score for each exploit and produces ranked exploit recommendations. We evaluate AEAS on a dataset of over 5,000 vulnerabilities derived from 600+ real-world applications frequently encountered by red teams. Manual validation and expert review on representative subsets show that AEAS achieves a 100% top-3 success rate in recommending functional exploits and shows strong alignment with expert-validated rankings. These results demonstrate the effectiveness of AEAS in supporting exploit-driven vulnerability prioritization.
institution arXiv
title AEAS: Actionable Exploit Assessment System
topic Cryptography and Security