Understanding CVSS Scores

Master the Common Vulnerability Scoring System and learn how to effectively prioritize security vulnerabilities

What is CVSS?

The Common Vulnerability Scoring System (CVSS) is an open framework for communicating the characteristics and severity of software vulnerabilities. CVSS provides a standardized way to assess vulnerability severity through a numerical score ranging from 0.0 to 10.0.

Developed by the Forum of Incident Response and Security Teams (FIRST), CVSS helps organizations prioritize vulnerability remediation efforts by providing consistent, comparable severity ratings.

Severity Ratings

  • None (0.0): No vulnerability or informational only
  • Low (0.1 - 3.9): Minimal impact, difficult to exploit
  • Medium (4.0 - 6.9): Moderate impact, some complexity required
  • High (7.0 - 8.9): Significant impact, relatively easy to exploit
  • Critical (9.0 - 10.0): Severe impact, trivial to exploit, requires immediate action

CVSS v3.1 Metrics

Base Metrics (Inherent Qualities)

Attack Vector (AV)

The context from which the vulnerability can be exploited (how remote an attacker can be)

  • Network (N)
  • Adjacent (A)
  • Local (L)
  • Physical (P)

Attack Complexity (AC)

Difficulty of exploiting the vulnerability

  • Low (L) - Easy to exploit
  • High (H) - Difficult to exploit

Privileges Required (PR)

Level of privileges an attacker must already hold to exploit the vulnerability

  • None (N)
  • Low (L)
  • High (H)

User Interaction (UI)

Whether user action is required

  • None (N) - No user action needed
  • Required (R) - User must take action

Scope (S)

Whether impact extends beyond the vulnerable component

  • Unchanged (U)
  • Changed (C)

Impact Metrics (CIA Triad)

Confidentiality Impact (C)

Information disclosure potential

Integrity Impact (I)

Data modification potential

Availability Impact (A)

Service disruption potential

Each rated as: None (N), Low (L), or High (H)

Temporal Metrics (Current Exploit State)

These optional metrics change over time and refine the base score:

  • Exploit Code Maturity: Availability of working exploit code
  • Remediation Level: Availability of patches or workarounds
  • Report Confidence: Degree of confidence in the vulnerability details

Environmental Metrics (Organization-Specific)

Organizations can customize the score based on their specific environment:

  • Security requirements for affected systems
  • Modified Base Metrics based on local conditions
  • Business impact considerations

Using CVSS Effectively

CVSS is Not Everything

While CVSS provides valuable standardized severity ratings, it should not be the only factor in prioritization decisions. Consider:

  • Whether the vulnerability is actively being exploited
  • Your specific system configuration and exposure
  • Business criticality of affected systems
  • Compensating controls in place

Best Practices

  • ✓ Use CVSS as a starting point for prioritization
  • ✓ Combine with threat intelligence
  • ✓ Consider your environment's specifics
  • ✓ Update environmental scores for your context
  • ✓ Monitor temporal metrics as they change

Common Pitfalls

  • ✗ Focusing only on Critical/High scores
  • ✗ Ignoring temporal and environmental factors
  • ✗ Not considering exploit availability
  • ✗ Treating all 9.8 vulnerabilities the same
  • ✗ Neglecting context-specific risks
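One concrete way to act on the advice above, and to avoid treating every 9.8 the same, is to rank findings by a key that starts from the CVSS base score and then applies the context factors the page lists: active exploitation, exposure, business criticality and compensating controls. The code below is an added example (not from the page); the weights, the 1 to 3 criticality scale and the finding identifiers are assumptions made for illustration, and the resulting key is a ranking aid, not a CVSS score.

```python
"""Context-aware ranking of vulnerability findings (added example, assumed weights)."""
from dataclasses import dataclass


@dataclass
class Finding:
    finding_id: str              # constructed placeholder, not a real CVE identifier
    base_score: float            # CVSS v3.1 base score, the starting point
    exploited: bool              # known to be exploited in the wild (threat intelligence)
    internet_facing: bool        # exposure of the affected system
    asset_criticality: int       # assumed scale: 1 (low) .. 3 (business-critical)
    compensating_controls: bool  # e.g. segmentation or a WAF rule already in place


def priority(f: Finding) -> float:
    """Assumed weighting: the base score is the anchor, active exploitation and
    exposure raise the key, compensating controls lower it. Deliberately uncapped
    so that two 9.8s in different contexts still sort differently."""
    key = f.base_score
    if f.exploited:
        key += 2.0
    if f.internet_facing:
        key += 1.0
    key += 0.5 * (f.asset_criticality - 1)
    if f.compensating_controls:
        key -= 2.0
    return max(key, 0.0)


def rank(findings: list) -> list:
    """Return finding ids ordered from most to least urgent."""
    return [f.finding_id for f in sorted(findings, key=priority, reverse=True)]


# Constructed sample findings: two 9.8s in very different situations, an actively
# exploited 7.5 on an internet-facing host, and a 5.3 on a critical internal system.
SAMPLE_FINDINGS = [
    Finding("finding-A", 9.8, exploited=False, internet_facing=False,
            asset_criticality=1, compensating_controls=True),
    Finding("finding-B", 9.8, exploited=True, internet_facing=True,
            asset_criticality=3, compensating_controls=False),
    Finding("finding-C", 7.5, exploited=True, internet_facing=True,
            asset_criticality=2, compensating_controls=False),
    Finding("finding-D", 5.3, exploited=False, internet_facing=False,
            asset_criticality=3, compensating_controls=False),
]

if __name__ == "__main__":
    for f in sorted(SAMPLE_FINDINGS, key=priority, reverse=True):
        print(f"{f.finding_id}: base {f.base_score} -> priority {priority(f):.1f}")
```

With these weights the exploited 7.5 on an exposed host (finding-C) outranks the 9.8 that sits behind compensating controls on a low-value internal system (finding-A), which is exactly the distinction a CVSS-only sort would miss.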

CVSS Version Evolution

CVSS v2.0 (2007)

Initial standardized scoring system with base, temporal, and environmental metrics

CVSS v3.0 / v3.1 (2015/2019)

Current industry standard - Added Scope metric, refined calculations, improved accuracy

CVSS v4.0 (2023)

Latest version - Enhanced granularity, Supplemental Metrics, better threat assessment
