CVSS — Common Vulnerability Scoring System
The Common Vulnerability Scoring System (CVSS) is an open, standardized framework for assessing the severity of software security vulnerabilities. Maintained by FIRST, CVSS assigns a numerical score from 0.0 to 10.0 based on factors including how easily the vulnerability can be exploited, the impact on confidentiality, integrity, and availability, and the environmental context of the affected organization.
CVSS Score Ranges
- Critical (9.0-10.0): Vulnerabilities that can be exploited remotely with no authentication, typically resulting in full system compromise
- High (7.0-8.9): Serious vulnerabilities with significant impact that may require some conditions for exploitation
- Medium (4.0-6.9): Vulnerabilities with moderate impact or requiring specific conditions such as user interaction
- Low (0.1-3.9): Vulnerabilities with limited impact and difficult exploitation conditions
CVSS Metric Groups
CVSS v4.0 (the current version) evaluates vulnerabilities across multiple metric groups. The Base metrics capture the intrinsic characteristics of the vulnerability that remain constant across environments. The Threat metrics reflect the current state of exploit techniques and code availability. The Environmental metrics allow organizations to customize the score based on their specific infrastructure and business context. This layered approach enables both universal scoring and organization-specific risk assessment.
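As an added illustration of the metric groups described above (this is example code written for this page, not code from IR-OS or from FIRST), the following parser takes a CVSS v4.0 vector string, validates each metric against the values the v4.0 specification allows, and groups the metrics into Base, Threat, Environmental and Supplemental. It does not compute the numeric score, and the sample vector is constructed rather than taken from any real advisory.

```python
"""Parse a CVSS v4.0 vector string into its metric groups.

Added example, not code from the page or from IR-OS. The metric
abbreviations and allowed values follow the CVSS v4.0 specification; the
numeric score is not computed here (v4.0 scoring relies on a MacroVector
lookup table, which is out of scope for this illustration).
"""

# Each metric maps to the tuple of values the v4.0 spec allows for it.
# "X" (Not Defined) is the default for every optional metric.
METRIC_GROUPS = {
    "Base": {  # mandatory in every vector
        "AV": ("N", "A", "L", "P"), "AC": ("L", "H"), "AT": ("N", "P"),
        "PR": ("N", "L", "H"), "UI": ("N", "P", "A"),
        "VC": ("H", "L", "N"), "VI": ("H", "L", "N"), "VA": ("H", "L", "N"),
        "SC": ("H", "L", "N"), "SI": ("H", "L", "N"), "SA": ("H", "L", "N"),
    },
    "Threat": {"E": ("X", "A", "P", "U")},
    "Environmental": {
        "CR": ("X", "H", "M", "L"), "IR": ("X", "H", "M", "L"), "AR": ("X", "H", "M", "L"),
        "MAV": ("X", "N", "A", "L", "P"), "MAC": ("X", "L", "H"), "MAT": ("X", "N", "P"),
        "MPR": ("X", "N", "L", "H"), "MUI": ("X", "N", "P", "A"),
        "MVC": ("X", "H", "L", "N"), "MVI": ("X", "H", "L", "N"), "MVA": ("X", "H", "L", "N"),
        "MSC": ("X", "H", "L", "N"), "MSI": ("X", "S", "H", "L", "N"), "MSA": ("X", "S", "H", "L", "N"),
    },
    "Supplemental": {
        "S": ("X", "N", "P"), "AU": ("X", "N", "Y"), "R": ("X", "A", "U", "I"),
        "V": ("X", "D", "C"), "RE": ("X", "L", "M", "H"),
        "U": ("X", "Clear", "Green", "Amber", "Red"),
    },
}

# Reverse index: metric abbreviation -> group name.
METRIC_TO_GROUP = {m: g for g, metrics in METRIC_GROUPS.items() for m in metrics}


def parse_vector(vector: str) -> dict:
    """Return {group: {metric: value}} for a valid v4.0 vector, else raise ValueError."""
    parts = vector.strip().split("/")
    if parts[0] != "CVSS:4.0":
        raise ValueError("expected a vector beginning with 'CVSS:4.0'")
    parsed = {group: {} for group in METRIC_GROUPS}
    for part in parts[1:]:
        name, sep, value = part.partition(":")
        if not sep:
            raise ValueError(f"malformed metric component {part!r}")
        group = METRIC_TO_GROUP.get(name)
        if group is None:
            raise ValueError(f"unknown metric {name!r}")
        if name in parsed[group]:
            raise ValueError(f"metric {name!r} given more than once")
        if value not in METRIC_GROUPS[group][name]:
            raise ValueError(f"value {value!r} not allowed for metric {name!r}")
        parsed[group][name] = value
    # Every Base metric is mandatory; the other groups may be absent entirely.
    missing = sorted(set(METRIC_GROUPS["Base"]) - set(parsed["Base"]))
    if missing:
        raise ValueError(f"missing mandatory Base metrics: {missing}")
    return parsed


def defined_groups(parsed: dict) -> list:
    """Names of the groups in which at least one metric is set to something other than X."""
    return [g for g, metrics in parsed.items()
            if any(v != "X" for v in metrics.values())]


# Constructed sample vector (not from any real advisory): network-reachable,
# low complexity, no privileges or user interaction required, full impact on
# the vulnerable system, plus a Threat metric "E:A" (exploitation reported).
SAMPLE_VECTOR = ("CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/"
                 "VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A")

if __name__ == "__main__":
    groups = parse_vector(SAMPLE_VECTOR)
    for group, metrics in groups.items():
        print(f"{group:14s} {metrics}")
    print("defined groups:", defined_groups(groups))
```

Validating the vector before storing it is the practical point: a vector copied from an advisory into an incident record is only useful later if every metric it carries is a legal one, and `defined_groups` shows at a glance whether the score on file is a bare Base score or already carries Threat or Environmental context.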
CVSS in Incident Response
During an incident in which the attacker exploited a known CVE, CVSS scores help prioritize which vulnerabilities to address first. After the incident, they inform the remediation priorities recommended in the after-action review. CVSS alone, however, is insufficient for incident prioritization: a medium-severity vulnerability that is actively being exploited in your environment is more urgent than a critical-severity vulnerability with no known exploit. Organizations should combine CVSS with threat intelligence context when making prioritization decisions.
Limitations of CVSS
CVSS provides a useful baseline for comparing vulnerabilities but has known limitations. The Base score does not account for whether a vulnerability is actively exploited, nor for the business value of the affected system, and different analysts can score the same vulnerability inconsistently. Use CVSS as one input into a risk-based prioritization model rather than as the sole decision criterion.
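To make the prioritization point of the two sections above concrete, here is an added example (written for this page, not IR-OS code) of a small risk-based ranking model. It treats the CVSS Base score as a tie-breaker behind three pieces of context the Base score ignores: whether exploitation was observed in your own environment, whether a public exploit or active-exploitation reporting exists, and the business value of the affected asset. The ordering policy itself is an assumption chosen for illustration, the findings are constructed, and their identifiers are placeholders rather than real CVE numbers.

```python
"""Risk-based prioritization combining a CVSS Base score with exploitation
evidence and business context.

Added example, not code from the page or from IR-OS. The ordering policy
(exploited in our environment first, then public exploit availability, then
asset value, then CVSS score) is an assumption chosen to illustrate that
CVSS is one input rather than the sole criterion. The findings below are
constructed and their identifiers are placeholders, not real CVEs.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    ident: str               # placeholder identifier, not a real CVE number
    base_score: float        # CVSS Base score, 0.0-10.0
    exploited_in_env: bool   # exploitation observed in this incident/environment
    exploit_public: bool     # exploit code or active-exploitation reports exist
    asset_value: str         # business value of the affected asset: high/medium/low


ASSET_RANK = {"high": 2, "medium": 1, "low": 0}


def cvss_rating(score: float) -> str:
    """Qualitative severity rating for a CVSS score (v3.x/v4.0 bands)."""
    if not 0.0 <= score <= 10.0:
        raise ValueError("CVSS scores range from 0.0 to 10.0")
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def priority_key(f: Finding) -> tuple:
    """Sort key: a larger tuple is more urgent. CVSS only breaks ties."""
    if f.asset_value not in ASSET_RANK:
        raise ValueError(f"unknown asset value {f.asset_value!r}")
    return (f.exploited_in_env, f.exploit_public, ASSET_RANK[f.asset_value], f.base_score)


def prioritize(findings) -> list:
    """Return finding identifiers, most urgent first."""
    return [f.ident for f in sorted(findings, key=priority_key, reverse=True)]


def by_cvss_only(findings) -> list:
    """The naive ordering, for comparison with prioritize()."""
    return [f.ident for f in sorted(findings, key=lambda f: f.base_score, reverse=True)]


def explain(f: Finding) -> str:
    """One-line justification suitable for an after-action recommendation."""
    reasons = [f"CVSS {f.base_score} ({cvss_rating(f.base_score)})"]
    if f.exploited_in_env:
        reasons.append("exploited in our environment")
    elif f.exploit_public:
        reasons.append("public exploit / active exploitation reported")
    reasons.append(f"{f.asset_value}-value asset")
    return f"{f.ident}: " + ", ".join(reasons)


# Constructed sample findings mirroring the scenario in the text: a Critical
# with no known exploit versus a Medium that is being exploited right now.
SAMPLE_FINDINGS = (
    Finding("FINDING-A", 9.8, exploited_in_env=False, exploit_public=False, asset_value="low"),
    Finding("FINDING-B", 5.3, exploited_in_env=True, exploit_public=True, asset_value="medium"),
    Finding("FINDING-C", 7.5, exploited_in_env=False, exploit_public=True, asset_value="high"),
    Finding("FINDING-D", 7.5, exploited_in_env=False, exploit_public=True, asset_value="low"),
)

if __name__ == "__main__":
    print("CVSS only: ", by_cvss_only(SAMPLE_FINDINGS))
    print("Risk-based:", prioritize(SAMPLE_FINDINGS))
    for ident in prioritize(SAMPLE_FINDINGS):
        print(explain(next(f for f in SAMPLE_FINDINGS if f.ident == ident)))
```

A lexicographic key is used deliberately instead of a weighted sum: it makes the policy auditable (anyone can see why the Medium outranks the Critical) and avoids the false precision of adding points to a CVSS score. The evidence flags are where the threat intelligence context mentioned in the text enters the model.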
Link vulnerability context to your incident record
IR-OS connects CVE and CVSS data to incident timelines for complete context during response and after-action review.