
CVSS Score


Key Takeaways

  • CVSS (Common Vulnerability Scoring System) rates vulnerability severity on a 0-10 scale, with higher scores indicating more dangerous vulnerabilities
  • The scoring considers factors like attack complexity, privileges required, user interaction needed, and potential impact on confidentiality, integrity, and availability
  • CVSS provides a standardized way to communicate vulnerability severity, but the Base score that vendors and NVD publish deliberately ignores your specific environment and says nothing about whether an exploit exists or works against your deployment
  • A CVSS 9.8 “critical” vulnerability in software you don’t use poses less risk than a CVSS 5.0 “medium” issue in your critical payment processing system
  • Organizations should use CVSS as one input among many when prioritizing remediation, not as the sole decision factor

What Is CVSS Score?

CVSS (Common Vulnerability Scoring System) is an open framework, maintained by FIRST, that rates the severity of security vulnerabilities on a scale from 0.0 to 10.0; higher means more severe. Versions 3.1 and 4.0 are both in current use. The number that vendors, NVD and scanners publish is almost always the Base score, a vendor-neutral rating of the vulnerability's intrinsic characteristics, and that is what this page means by "CVSS score" unless stated otherwise. CVSS also defines Temporal (v3.x) or Threat (v4.0) and Environmental metric groups that adjust the Base score for exploit maturity and for your own deployment, but they are rarely filled in.

The Base score is computed from a fixed set of metrics written out as a vector string, for example CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The exploitability side asks: from where can an attacker reach the flaw (Attack Vector)? How hard is exploitation (Attack Complexity, plus Attack Requirements in v4.0)? What privileges are required? Is user interaction needed? The impact side asks what a successful exploit does to confidentiality, integrity and availability, and whether the damage spills beyond the vulnerable component (the Scope metric in v3.x; separate subsequent-system impact metrics in v4.0). A published formula (v3.x) or lookup table (v4.0) folds these metrics into the single number.

CVSS Severity Ranges

Critical (9.0-10.0)

Vulnerabilities that are easily exploitable and would have severe impact. These typically allow remote code execution with no authentication required.

High (7.0-8.9)

Serious vulnerabilities that are relatively easy to exploit or have significant impact, but might require some privileges or user interaction.

Medium (4.0-6.9)

Vulnerabilities with moderate impact or exploitation difficulty. These might require specific conditions or have limited scope.

Low (0.1-3.9)

Issues with minimal impact or high exploitation difficulty. These are often minor information disclosures or issues requiring extensive access. A score of exactly 0.0 is rated None; it means the vector describes no impact to confidentiality, integrity or availability. These bands are the qualitative ratings defined for CVSS v3.x and v4.0 (CVSS v2 had only Low, Medium and High).

Why CVSS Doesn’t Tell the Full Story

Environment Context Missing

The published Base score rates the vulnerability in isolation, by design, without considering your specific environment. A critical vulnerability in software you don't run poses zero risk. A medium vulnerability in your authentication system poses serious risk. CVSS does define Environmental metrics for exactly this adjustment (Confidentiality, Integrity and Availability Requirements plus modified base metrics), but NVD and vendors can't fill them in for you, and few organizations compute them themselves, so the number everyone quotes is the context-free one.

Actual Exploitability

CVSS indicates theoretical exploitability, not whether the vulnerability is actually exploitable in your environment. Network segmentation, compensating controls, a disabled feature, or a configuration that never reaches the vulnerable code path can all prevent exploitation even when the vulnerable software is installed.

Exploit Availability

Some CVSS 9+ vulnerabilities lack public exploits, while some CVSS 5 issues have widely available exploitation tooling. The Base score doesn't account for whether attackers can actually exploit the vulnerability. CVSS has an Exploit Maturity metric (in the Temporal group in v3.x, the Threat group in v4.0) for this, but published scores leave it at Not Defined, so the evidence has to come from elsewhere: CISA's Known Exploited Vulnerabilities catalogue, EPSS probabilities, and your own threat intelligence.

Business Impact

CVSS considers technical impact, not business impact. A medium-severity issue affecting your primary revenue-generating application matters more than a critical vulnerability in a development tool.

Using CVSS Effectively

One Input Among Many

Use CVSS scores as one factor in prioritization alongside exploit availability (KEV listing, EPSS, public proof-of-concept code), asset criticality, exposure to the internet, and validated exploitability in your environment.

Validation Over Scoring

Rather than purely prioritizing by CVSS score, validate which vulnerabilities are actually exploitable in your specific environment. This provides realistic risk assessment.

Context-Aware Prioritization

Combine CVSS scores with business context, threat intelligence, and asset criticality. A lower-scored vulnerability in a critical system might warrant faster remediation than a high-scored issue in an isolated development environment.
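The comparison this page keeps returning to, a 9.8 on something you barely use versus a 6.5 on a customer-facing payment system, is easiest to see as a ranking function. The following is an added example, not code from the original page or from any vendor; the Finding records, the tier scale and every multiplier are constructed assumptions chosen to make the argument concrete, and a real programme would tune them. The inputs are ones a team usually has: the published CVSS Base score, whether CISA's KEV catalogue lists the CVE, its EPSS probability, whether the asset is internet-facing, the asset's business tier, and the result of a validation test (did an exploit attempt actually reach the bug?).

```python
"""Rank findings with CVSS as one input among several (added example)."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Finding:
    id: str                    # constructed label, not a real CVE identifier
    cvss_base: float           # 0.0-10.0 as published
    asset_tier: int            # assumed scale: 1 = revenue/auth critical ... 3 = dev/lab
    internet_facing: bool
    in_kev: bool               # listed in CISA Known Exploited Vulnerabilities
    epss: float                # EPSS probability of exploitation within 30 days
    reachable: Optional[bool]  # validation result; None = not yet tested
    deployed: bool = True      # False when the affected software is not in use


TIER_WEIGHT = {1: 1.0, 2: 0.6, 3: 0.3}   # assumed weights, not from the page


def risk_score(f: Finding) -> float:
    """Higher means fix sooner. This is a local priority, not a CVSS score."""
    if not f.deployed:
        return 0.0                        # nothing to exploit
    if f.reachable is False:
        return 0.05 * f.cvss_base         # validated unreachable: track it, don't chase it
    score = f.cvss_base * TIER_WEIGHT[f.asset_tier]
    if f.internet_facing:
        score *= 1.5
    if f.in_kev:
        score *= 2.0                      # exploitation already observed in the wild
    else:
        score *= 1.0 + f.epss             # otherwise use the predicted likelihood
    if f.reachable:
        score *= 1.25                     # exploit path confirmed in our environment
    return score


def prioritize(findings: List[Finding]) -> List[Finding]:
    return sorted(findings, key=risk_score, reverse=True)


# Constructed sample findings mirroring the page's comparison.
FINDINGS = [
    Finding("dev-tool-9.8", 9.8, 3, False, False, 0.02, None),
    Finding("unused-lib-9.8", 9.8, 2, True, True, 0.90, None, deployed=False),
    Finding("payment-app-6.5", 6.5, 1, True, True, 0.90, True),
    Finding("internal-auth-7.5", 7.5, 1, False, False, 0.40, None),
    Finding("web-portal-8.8", 8.8, 2, True, False, 0.10, False),
]

if __name__ == "__main__":
    for f in prioritize(FINDINGS):
        print(f"{risk_score(f):6.2f}  CVSS {f.cvss_base:4.1f}  {f.id}")
```

Running it puts the 6.5 payment-system finding first and both 9.8s near the bottom, one because it is on a low-tier host with no exploitation signal and one because the software is not deployed at all. The multipliers are deliberately crude; what matters is that two of the five inputs (KEV listing and validated reachability) are facts you can check, not estimates.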


FAQ

What is the difference between CVSS v3 and CVSS v4?

CVSS v4.0 (published by FIRST in November 2023) drops the Scope metric in favour of separate impact metrics for the vulnerable system and any subsequent systems, adds an Attack Requirements metric, replaces the Temporal group with a Threat group built around Exploit Maturity, and adds Supplemental metrics such as Safety, Automatable and Recovery that matter in OT/ICS environments. It also labels what a score contains (CVSS-B for base only; CVSS-BT, CVSS-BE and CVSS-BTE when threat and environmental metrics are applied). CVSS v3.1 remains the most common version in advisories and scanner output because tooling and vulnerability databases haven't fully migrated. Both versions score 0.0-10.0 with the same severity bands, but v4.0 differentiates more finely, especially where one vulnerability affects several systems.

Should I prioritize remediation by CVSS score alone?

No. CVSS scores don't always reflect your actual risk. A 9.8 CVSS vulnerability in software you don't use poses less risk than a 6.5 vulnerability in a customer-facing application. Effective prioritization considers CVSS alongside validated exploitability in your environment, whether public exploits exist or exploitation has been observed (CISA KEV, EPSS), asset criticality, and exposure. CVSS-only prioritization often leads to fixing theoretical risks while real ones remain open.

Why don't CVSS scores reflect my actual risk?

CVSS Base scores measure the theoretical maximum severity from the vulnerability's own characteristics. They don't account for your specific environment, deployed security controls, or whether an exploit actually works in practice. The exploit-prediction research behind EPSS shows that only a small fraction of published CVEs, Critical-rated ones included, are ever observed being exploited in the wild. More accurate prioritization combines CVSS with threat intelligence, proof-of-concept availability, and validated exploitability testing.