When a vulnerability is discovered, one of the first questions security teams ask is: "How bad is it?" The Common Vulnerability Scoring System (CVSS) provides a standardized answer, assigning each vulnerability a numerical score that represents its severity.
What is CVSS?
CVSS (Common Vulnerability Scoring System) is an open framework for communicating the characteristics and severity of software vulnerabilities. It produces a numerical score ranging from 0.0 to 10.0, with higher scores indicating more severe vulnerabilities.
Current version: CVSS 3.1 (released June 2019), with CVSS 4.0 released in November 2023.
Maintained by: FIRST (Forum of Incident Response and Security Teams), a non-profit organization.
Purpose:
- Provide consistent severity ratings
- Enable vulnerability prioritization
- Support risk-based decision making
- Facilitate communication between security teams
CVSS Severity Ratings
CVSS scores map to qualitative severity ratings:
| Score Range | Severity Rating | Description |
|---|---|---|
| 0.0 | None | No impact |
| 0.1 - 3.9 | Low | Minimal risk, limited impact |
| 4.0 - 6.9 | Medium | Moderate risk, some impact |
| 7.0 - 8.9 | High | Serious risk, significant impact |
| 9.0 - 10.0 | Critical | Severe risk, catastrophic impact |
Real-world examples:
- Critical (10.0): Heartbleed (CVE-2014-0160) - remote code execution, no authentication needed
- High (7.5): Many SQL injection vulnerabilities
- Medium (5.5): Local privilege escalation requiring user interaction
- Low (3.1): Information disclosure with minimal impact
The Three CVSS Metric Groups
CVSS scores are calculated using three metric groups:
1. Base Metrics (Required)
These reflect the intrinsic characteristics of a vulnerability that don't change over time or across environments.
Attack Vector (AV)
How can the vulnerability be exploited?
- Network (N) – Remotely exploitable (highest severity)
- Adjacent (A) – Requires local network access
- Local (L) – Requires local access to the system
- Physical (P) – Requires physical access (lowest severity)
Attack Complexity (AC)
How difficult is exploitation?
- Low (L) – Easy to exploit repeatedly
- High (H) – Requires special conditions or preparation
Privileges Required (PR)
What access level does the attacker need?
- None (N) – No authentication needed (highest severity)
- Low (L) – Basic user privileges required
- High (H) – Administrative privileges required (lowest severity)
User Interaction (UI)
Does exploitation require user action?
- None (N) – No user interaction needed (highest severity)
- Required (R) – User must perform some action (lowest severity)
Scope (S)
Can the vulnerability affect resources beyond its security authority?
- Unchanged (U) – Impact limited to vulnerable component
- Changed (C) – Impact extends to other components (highest severity)
Impact Metrics (CIA Triad)
Confidentiality (C):
- High (H) – Total information disclosure
- Low (L) – Some information disclosed
- None (N) – No confidentiality impact
Integrity (I):
- High (H) – Total compromise of system integrity
- Low (L) – Some modification possible
- None (N) – No integrity impact
Availability (A):
- High (H) – Total denial of service
- Low (L) – Reduced performance
- None (N) – No availability impact
2. Temporal Metrics (Optional)
These reflect characteristics that may change over time:
Exploit Code Maturity (E):
- Not Defined (X) – No information
- High (H) – Functional exploit exists
- Functional (F) – Proof of concept available
- Proof-of-Concept (P) – Theoretical only
- Unproven (U) – No known exploit
Remediation Level (RL):
- Official Fix (O) – Vendor patch available
- Temporary Fix (T) – Unofficial or workaround
- Workaround (W) – Only workarounds available
- Unavailable (U) – No fix available
Report Confidence (RC):
- Confirmed (C) – Verified by vendor
- Reasonable (R) – Likely real
- Unknown (U) – Unconfirmed
3. Environmental Metrics (Optional)
These reflect characteristics specific to your environment. Organizations can adjust scores based on their context.
Modified Base Metrics: Organizations can override base metrics if they don't apply to their environment.
Example: A network-exploitable vulnerability (Base AV:N) might be modified to local (MAV:L) if the affected system is air-gapped.
Security Requirements:
- Confidentiality/Integrity/Availability Requirements (CR/IR/AR)
- High (H) – Critical to organization
- Medium (M) – Important but not critical
- Low (L) – Minimal importance
CVSS Vector Strings
CVSS scores are expressed as vector strings showing how metrics were calculated:
Example:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Breaking it down:
- CVSS:3.1 – CVSS version 3.1
- AV:N – Network attack vector
- AC:L – Low attack complexity
- PR:N – No privileges required
- UI:N – No user interaction
- S:U – Unchanged scope
- C:H – High confidentiality impact
- I:H – High integrity impact
- A:H – High availability impact
Score: This configuration yields a Critical 9.8 score.
How CVSS Scores are Calculated
CVSS uses a complex formula combining metric values:
Base Score Calculation
- Impact Sub-Score (ISS)
  - Calculated from C, I, A impact metrics
  - Formula varies based on Scope
- Exploitability Sub-Score (ESS)
  - Calculated from AV, AC, PR, UI
  - Represents ease of exploitation
- Base Score
  - Combines Impact and Exploitability
  - Rounds up to one decimal place
The math is complex, which is why calculators exist. Our CVE Lookup tool includes a CVSS calculator.
Using CVSS Scores Effectively
What CVSS Does Well
✅ Standardization – Everyone uses the same scale
✅ Technical accuracy – Captures vulnerability characteristics
✅ Repeatability – Same inputs = same score
✅ Documentation – Vector string shows reasoning
What CVSS Doesn't Do
❌ Doesn't consider exploit availability (Base Score only)
❌ Doesn't consider business context
❌ Doesn't factor in compensating controls
❌ Doesn't assess actual risk to your organization
Best Practices for CVSS
1. Don't rely on CVSS alone
Use it as ONE input in your risk assessment:
- CVSS Base Score – Technical severity
- Exploit status – Is it being exploited?
- Asset criticality – How important is the affected system?
- Compensating controls – What protections exist?
- Business impact – What happens if exploited?
2. Use Temporal metrics
Adjust scores based on exploit availability and patch status:
- CVE with public exploit? Higher priority
- Vendor patch available? Can lower priority
- Actively exploited in wild? Immediate priority
3. Apply Environmental metrics
Customize scores for your environment:
- Internet-facing system? Higher impact
- Air-gapped network? Lower exploitability
- Mission-critical system? Higher importance
4. Prioritize Critical and High first
- Critical (9.0-10.0): Patch immediately (< 24 hours)
- High (7.0-8.9): Patch urgently (< 7 days)
- Medium (4.0-6.9): Patch soon (< 30 days)
- Low (0.1-3.9): Patch eventually (risk-based)
5. Consider EPSS scores
The Exploit Prediction Scoring System (EPSS) estimates the probability a vulnerability will be exploited. Use alongside CVSS:
- High CVSS + High EPSS = Top priority
- High CVSS + Low EPSS = Important but less urgent
- Low CVSS + High EPSS = May still need attention
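The five best practices above describe one prioritization procedure; here is an added example (not from the page or any vendor tool) that turns them into a triage function over constructed findings. The CVSS severity band sets the baseline rank and patch window, EPSS and KEV membership move a finding up, and environmental context (exposure, criticality, compensating controls) adjusts it. The EPSS threshold of 0.10 for "High EPSS", the 1-to-5 rank scale and the `EXAMPLE-n` identifiers are assumptions made for this example.

```python
"""Risk-based prioritization combining CVSS, EPSS and KEV (added example, not the page's tool).

Assumptions: an EPSS probability of 0.10 or more counts as "High EPSS", ranks run
from 1 (patch first) to 5, and the patch windows mirror the best-practice list.
"""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

EPSS_HIGH = 0.10  # assumption: EPSS at or above this is treated as "High EPSS"
# Patch windows in hours by severity band; Low is handled case by case (risk-based).
SLA_HOURS = {"Critical": 24, "High": 24 * 7, "Medium": 24 * 30, "Low": None, "None": None}
BASE_RANK = {"Critical": 1, "High": 2, "Medium": 3, "Low": 4, "None": 5}


def cvss_band(score: float) -> str:
    """CVSS v3.x qualitative severity band."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


@dataclass
class Finding:
    vuln_id: str                        # constructed identifiers in the demo, not real CVEs
    cvss_base: float
    epss: float = 0.0                   # EPSS probability, 0.0 to 1.0
    in_kev: bool = False                # present in CISA's KEV catalog
    internet_facing: bool = False
    mission_critical: bool = False
    compensating_controls: tuple = ()   # e.g. ("WAF rule", "network segmentation")


def priority(f: Finding) -> tuple[int, list[str]]:
    """Return (rank, reasons); rank 1 means patch first."""
    band = cvss_band(f.cvss_base)
    rank = BASE_RANK[band]
    reasons = [f"{band} CVSS base {f.cvss_base}"]
    if f.epss >= EPSS_HIGH:                        # High EPSS: likely to be exploited
        rank -= 1
        reasons.append(f"High EPSS ({f.epss:.2f})")
    if f.internet_facing or f.mission_critical:    # Environmental: exposed or important asset
        rank -= 1
        reasons.append("internet-facing or mission-critical asset")
    if f.compensating_controls:                    # Controls lower urgency
        rank += 1
        reasons.append("compensating controls: " + ", ".join(f.compensating_controls))
    if f.in_kev:                                   # KEV overrides everything: immediate
        rank = 1
        reasons.append("listed in CISA KEV (actively exploited)")
    return max(1, min(5, rank)), reasons


def patch_window_hours(f: Finding) -> Optional[int]:
    """Patch window from the severity band; KEV entries get the Critical window."""
    band = "Critical" if f.in_kev else cvss_band(f.cvss_base)
    return SLA_HOURS[band]


def triage(findings: list[Finding]) -> list[Finding]:
    """Order findings for remediation: rank first, then EPSS and CVSS as tie-breakers."""
    return sorted(findings, key=lambda f: (priority(f)[0], -f.epss, -f.cvss_base))


SAMPLE = [  # constructed findings for demonstration only
    Finding("EXAMPLE-1", 9.8, epss=0.90, in_kev=True),
    Finding("EXAMPLE-2", 9.8, epss=0.01),
    Finding("EXAMPLE-3", 5.5, epss=0.60),
    Finding("EXAMPLE-4", 7.5, epss=0.02, compensating_controls=("WAF rule",)),
    Finding("EXAMPLE-5", 3.1, epss=0.001),
    Finding("EXAMPLE-6", 7.5, epss=0.02, internet_facing=True),
]

if __name__ == "__main__":
    for f in triage(SAMPLE):
        rank, why = priority(f)
        print(rank, f.vuln_id, patch_window_hours(f), "; ".join(why))
```

Note how the ordering differs from a plain CVSS sort: the internet-facing 7.5 (EXAMPLE-6) lands ahead of the 9.8 with negligible EPSS (EXAMPLE-2), and the 5.5 with high EPSS (EXAMPLE-3) outranks the 7.5 that is behind a compensating control (EXAMPLE-4). The reasons list is kept so that each decision can be audited later.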
CVSS Limitations and Criticisms
Over-Scoring
Some argue CVSS inflates scores, leading to "vulnerability fatigue" as teams are overwhelmed by high scores.
Under-Scoring
Conversely, some critical vulnerabilities receive moderate scores due to technical complexity metrics, even though they're exploited widely.
Missing Context
CVSS doesn't account for:
- Whether a vulnerability affects your specific configuration
- Real-world exploit difficulty
- Attacker motivation
- Compensating security controls
Temporal Gap
Base CVSS scores appear before exploits are developed, meaning scores don't reflect rapidly changing threat landscapes.
CVSS Alternatives and Complements
SSVC (Stakeholder-Specific Vulnerability Categorization)
- Decision tree approach
- Focuses on actionability
- Considers exploitation status and impact
EPSS (Exploit Prediction Scoring System)
- Predicts likelihood of exploitation
- Uses machine learning
- Updates daily based on threat data
VPR (Vulnerability Priority Rating)
- Tenable's proprietary system
- Combines CVSS with threat intelligence
- Focuses on likelihood of exploitation
KEV (Known Exploited Vulnerabilities)
- CISA's catalog of actively exploited CVEs
- Mandates patching for federal agencies
- Strong signal for prioritization
Practical Example
Vulnerability: Remote code execution in web application
CVSS Metrics:
- AV:N (network exploitable)
- AC:L (easy to exploit)
- PR:N (no auth needed)
- UI:N (no user interaction)
- S:U (unchanged scope)
- C:H (full data access)
- I:H (can modify data)
- A:H (can crash service)
Base Score: 9.8 (Critical)
Temporal Adjustment:
- E:F (functional exploit available) → reduces to 9.5
- RL:O (official patch available) → reduces to 9.2
Environmental Adjustment:
- System is internal-only (MAV:A) → reduces to 8.1 (High)
- Web app isn't mission-critical (CR:M, IR:M, AR:M) → reduces to 7.6
Final Environmental Score: 7.6 (High) – Still important but not top priority if internet-facing critical systems have vulnerabilities.
Conclusion
CVSS provides a valuable standardized framework for communicating vulnerability severity. When used properly—as one input among many in a risk-based prioritization process—it helps security teams make informed decisions about where to focus remediation efforts.
Key takeaways:
- CVSS scores range from 0.0 to 10.0
- Base metrics are required; Temporal and Environmental are optional
- Don't use CVSS scores alone—consider exploit availability and business context
- Adjust scores using Temporal and Environmental metrics for your situation
- Combine CVSS with other data sources like EPSS and KEV for best results
Need to calculate CVSS scores? Our CVE Lookup tool includes a built-in CVSS calculator and shows scores for all NVD vulnerabilities.

