Part of the Vulnerability Management Complete Guide: CVE, CVSS & Patch Prioritization series.
When a vulnerability is discovered, one of the first questions security teams ask is: "How bad is it?" The Common Vulnerability Scoring System (CVSS) provides a standardized answer, assigning each vulnerability a numerical score that represents its severity.
What is CVSS?
CVSS (Common Vulnerability Scoring System) is an open framework for communicating the characteristics and severity of software vulnerabilities. It produces a numerical score ranging from 0.0 to 10.0, with higher scores indicating more severe vulnerabilities.
Versions: CVSS 3.1 (released June 2019) is the version this guide covers and is still the version most advisories and NVD entries publish; CVSS 4.0 was released in November 2023 and is being adopted alongside it.
Maintained by: FIRST (Forum of Incident Response and Security Teams), a non-profit organization.
Purpose:
- Provide consistent severity ratings
- Enable vulnerability prioritization
- Support risk-based decision making
- Facilitate communication between security teams
CVSS Severity Ratings
CVSS scores map to qualitative severity ratings:
| Score Range | Severity Rating | Description |
|---|---|---|
| 0.0 | None | No impact |
| 0.1 - 3.9 | Low | Minimal risk, limited impact |
| 4.0 - 6.9 | Medium | Moderate risk, some impact |
| 7.0 - 8.9 | High | Serious risk, significant impact |
| 9.0 - 10.0 | Critical | Severe risk, catastrophic impact |
Real-world examples:
- Critical (10.0): Log4Shell (CVE-2021-44228), unauthenticated remote code execution whose impact crosses into other components (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
- High (7.5): Heartbleed (CVE-2014-0160), unauthenticated remote disclosure of server memory with no integrity or availability impact (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N); many SQL injection flaws that only read data land on the same score
- Medium (5.5): a local flaw that needs the user to open something and then exposes sensitive data (for example AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)
- Low (3.1): limited information disclosure (C:L) reachable only through a hard-to-exploit attack vector
The Three CVSS Metric Groups
CVSS scores are calculated using three metric groups:
1. Base Metrics (Required)
These reflect the intrinsic characteristics of a vulnerability that don't change over time or across environments.
Attack Vector (AV)
How can the vulnerability be exploited?
- Network (N): exploitable remotely over the internet or any routed network (highest severity)
- Adjacent (A): attacker must be on the same physical or logical network segment (local subnet, shared Wi-Fi, Bluetooth)
- Local (L): attacker needs a local account or must get a user to run something on the system
- Physical (P): attacker needs physical access to the device (lowest severity)
Attack Complexity (AC)
How difficult is exploitation?
- Low (L): no special conditions; the attacker can expect repeatable success
- High (H): success depends on conditions outside the attacker's control, such as winning a race condition or first gathering target-specific knowledge
Privileges Required (PR)
What access level does the attacker need before exploitation?
- None (N): no authentication needed (highest severity)
- Low (L): basic user privileges required
- High (H): administrative privileges required (lowest severity)
User Interaction (UI)
Does exploitation require action by someone other than the attacker?
- None (N): no user interaction needed (highest severity)
- Required (R): a user must perform some action, such as opening a file or visiting a link (lowest severity)
Scope (S)
Can the vulnerability affect resources beyond the security authority of the vulnerable component?
- Unchanged (U): impact is limited to the vulnerable component
- Changed (C): impact extends to components governed by a different security authority, e.g. a VM escape or a browser sandbox breakout (highest severity; Scope also changes the PR weights and the impact formula, which is why a Changed-scope flaw with the same other metrics scores higher)
Impact Metrics (CIA Triad)
Each impact metric is scored on the vulnerable component (or, with Scope Changed, on the component that ends up affected):
Confidentiality (C):
- High (H): total information disclosure, or disclosure of data that is itself critical (e.g. an administrator password or private key)
- Low (L): some information disclosed, with no control over what or how much
- None (N): no confidentiality impact
Integrity (I):
- High (H): total loss of integrity, or modification of data with a direct, serious consequence
- Low (L): some modification possible, with limited control or limited consequence
- None (N): no integrity impact
Availability (A):
- High (H): total denial of service, or a sustained and repeatable outage
- Low (L): reduced performance or intermittent interruptions
- None (N): no availability impact
2. Temporal Metrics (Optional)
These reflect characteristics that may change over time. Every temporal weight is 1.0 or less, so the temporal score can only lower the base score, never raise it.
Exploit Code Maturity (E):
- Not Defined (X): no information; scored as High
- High (H): functional, autonomous exploit code exists or none is needed (e.g. the flaw is being used by active malware)
- Functional (F): working exploit code is available and succeeds in most situations
- Proof-of-Concept (P): demonstration code exists but is not practical against most systems
- Unproven (U): no exploit code is available, or exploitation is only theoretical
Remediation Level (RL):
- Not Defined (X): no information; scored as Unavailable
- Official Fix (O): complete vendor patch or upgrade available
- Temporary Fix (T): official but temporary fix, e.g. a vendor hotfix or mitigation tool
- Workaround (W): only an unofficial, non-vendor mitigation is available
- Unavailable (U): no fix or workaround exists, or it cannot be applied
Report Confidence (RC):
- Not Defined (X): no information; scored as Confirmed
- Confirmed (C): detailed reports exist, the flaw can be reproduced, or the vendor has acknowledged it
- Reasonable (R): significant details are published but the root cause is not fully confirmed
- Unknown (U): reports of an impact exist but the cause is unknown or reports conflict
3. Environmental Metrics (Optional)
These reflect characteristics specific to your environment. Organizations can adjust scores based on their context.
Modified Base Metrics: Organizations can override base metrics if they don't apply to their environment.
Example: A network-exploitable vulnerability (Base AV:N) might be modified to local (MAV:L) if the affected system is air-gapped.
Security Requirements (CR/IR/AR): how much the organization values the confidentiality, integrity and availability of the affected asset. Each one weights the matching modified impact metric:
- High (H): critical to the organization (weight 1.5)
- Medium (M): important but not critical (weight 1.0, the same as Not Defined, so it changes nothing)
- Low (L): minimal importance (weight 0.5)
The weighted impact is capped in the formula, so when C, I and A are already all High, raising the requirements to High barely moves the score; lowering them to Low, by contrast, pulls it down noticeably.
CVSS Vector Strings
CVSS scores are expressed as vector strings showing how metrics were calculated:
Example:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Breaking it down:
- CVSS:3.1 (CVSS version 3.1)
- AV:N (Network attack vector)
- AC:L (Low attack complexity)
- PR:N (No privileges required)
- UI:N (No user interaction)
- S:U (Unchanged scope)
- C:H (High confidentiality impact)
- I:H (High integrity impact)
- A:H (High availability impact)
Score: This configuration yields a Critical 9.8 score.
How CVSS Scores are Calculated
CVSS uses a complex formula combining metric values:
Base Score Calculation
Impact Sub-Score (ISS)
- ISS = 1 - (1 - C) × (1 - I) × (1 - A), using the weights High = 0.56, Low = 0.22, None = 0
- Impact = 6.42 × ISS if Scope is Unchanged; 7.52 × (ISS - 0.029) - 3.25 × (ISS - 0.02)^15 if Scope is Changed
Exploitability Sub-Score
- Exploitability = 8.22 × AV × AC × PR × UI, using each metric's weight (e.g. AV:N = 0.85, AC:L = 0.77, PR:N = 0.85, UI:N = 0.85; PR:L and PR:H weigh more when Scope is Changed)
- Represents ease of exploitation
Base Score
- 0 if Impact ≤ 0
- Roundup(min(Impact + Exploitability, 10)) if Scope is Unchanged
- Roundup(min(1.08 × (Impact + Exploitability), 10)) if Scope is Changed
- Roundup rounds up to one decimal place, so the 9.76 produced by the vector above becomes 9.8
The math is complex, which is why calculators exist. Our CVE Lookup tool includes a CVSS calculator.
Using CVSS Scores Effectively
What CVSS Does Well
- Standardization: everyone uses the same scale
- Technical accuracy: captures the characteristics of the vulnerability itself
- Repeatability: the same inputs always give the same score
- Documentation: the vector string shows the reasoning behind the number
What CVSS Doesn't Do
- Doesn't consider exploit availability (Base Score only)
- Doesn't consider business context
- Doesn't factor in compensating controls
- Doesn't assess actual risk to your organization
Best Practices for CVSS
1. Don't rely on CVSS alone. Use it as one input in your risk assessment:
- CVSS Base Score: technical severity
- Exploit status: is it being exploited?
- Asset criticality: how important is the affected system?
- Compensating controls: what protections already exist?
- Business impact: what happens if it is exploited?
2. Use Temporal metrics. Adjust scores based on exploit availability and patch status:
- Public exploit code (E:P, E:F or E:H)? Higher priority than an unproven flaw with the same base score
- Vendor patch available (RL:O)? The temporal score drops slightly, but an available fix is the cue to schedule the patch, not a reason to deprioritize it
- Actively exploited in the wild? Immediate priority
3. Apply Environmental metrics. Customize scores for your environment:
- Internet-facing system? Higher impact
- Air-gapped network? Lower exploitability
- Mission-critical system? Higher importance
4. Prioritize Critical and High first
- Critical (9.0-10.0): Patch immediately (< 24 hours)
- High (7.0-8.9): Patch urgently (< 7 days)
- Medium (4.0-6.9): Patch soon (< 30 days)
- Low (0.1-3.9): Patch eventually (risk-based)
5. Consider EPSS scores. The Exploit Prediction Scoring System (EPSS) estimates the probability that a vulnerability will be exploited in the wild within the next 30 days. Use it alongside CVSS:
- High CVSS + High EPSS = Top priority
- High CVSS + Low EPSS = Important but less urgent
- Low CVSS + High EPSS = May still need attention
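The prioritization rules from practices 1 through 5, turned into a triage function. This is an added example, not the page's tool; the findings, the EPSS cut-off and the per-tier SLA days are constructed for illustration and are not real scan data or a FIRST or CISA recommendation.

```python
"""Risk-based triage with CVSS as one input among several.

Added example, not the page's tool. Each finding carries the CVSS base
score, the EPSS probability, CISA KEV membership and two environmental
facts a scanner cannot see. The findings, the EPSS threshold and the SLA
table are constructed for illustration, not real data or a standard.
"""

EPSS_LIKELY = 0.5   # assumed cut-off for "exploitation is likely"

FINDINGS = [  # constructed sample data
    {"id": "VULN-A", "cvss": 9.8, "epss": 0.02, "kev": False, "internet_facing": False, "critical_asset": False},
    {"id": "VULN-B", "cvss": 7.5, "epss": 0.91, "kev": True,  "internet_facing": True,  "critical_asset": True},
    {"id": "VULN-C", "cvss": 5.3, "epss": 0.67, "kev": False, "internet_facing": True,  "critical_asset": False},
    {"id": "VULN-D", "cvss": 9.1, "epss": 0.01, "kev": False, "internet_facing": False, "critical_asset": True},
    {"id": "VULN-E", "cvss": 3.7, "epss": 0.00, "kev": False, "internet_facing": False, "critical_asset": False},
]

TIER_SLA_DAYS = {0: 1, 1: 3, 2: 7, 3: 14, 4: 30, 5: 90}   # assumed remediation policy


def tier(f):
    """Remediation tier, 0 = most urgent. Encodes the CVSS x EPSS matrix from the
    text plus a KEV override and an exposure bump for severe-but-unexploited flaws."""
    if f["kev"]:
        return 0                      # known exploited: the score is irrelevant, patch now
    likely = f["epss"] >= EPSS_LIKELY
    severe = f["cvss"] >= 7.0
    if likely and severe:
        return 1                      # high CVSS + high EPSS
    if likely:
        return 2                      # low CVSS + high EPSS still needs attention
    if severe and (f["internet_facing"] or f["critical_asset"]):
        return 3                      # high CVSS, exposed or important, no exploit signal yet
    if severe:
        return 4                      # high CVSS + low EPSS: important, less urgent
    return 5


def prioritize(findings):
    """Order by tier, then exposure, then EPSS, then CVSS (most urgent first)."""
    return sorted(findings, key=lambda f: (tier(f), not f["internet_facing"],
                                           not f["critical_asset"], -f["epss"], -f["cvss"]))


def plan(findings):
    """[(id, tier, sla_days)] in remediation order."""
    return [(f["id"], tier(f), TIER_SLA_DAYS[tier(f)]) for f in prioritize(findings)]


if __name__ == "__main__":
    for row in plan(FINDINGS):
        print(*row)
```

Run against the sample data, the 9.8 with no exploit signal (VULN-A) lands behind a 5.3 that EPSS says is likely to be exploited (VULN-C), which is exactly the ordering a CVSS-only sort gets wrong. The thresholds are policy, not science: tune EPSS_LIKELY and the SLA table to your own remediation capacity.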
CVSS Limitations and Criticisms
Over-Scoring
Some argue CVSS inflates scores, leading to "vulnerability fatigue" as teams are overwhelmed by high scores.
Under-Scoring
Conversely, some critical vulnerabilities receive moderate scores due to technical complexity metrics, even though they're exploited widely.
Missing Context
CVSS doesn't account for:
- Whether a vulnerability affects your specific configuration
- Real-world exploit difficulty
- Attacker motivation
- Compensating security controls
Temporal Gap
Base CVSS scores appear before exploits are developed, meaning scores don't reflect rapidly changing threat landscapes.
CVSS Alternatives and Complements
SSVC (Stakeholder-Specific Vulnerability Categorization)
- Decision tree approach
- Focuses on actionability
- Considers exploitation status and impact
EPSS (Exploit Prediction Scoring System)
- Predicts likelihood of exploitation
- Uses machine learning
- Updates daily based on threat data
VPR (Vulnerability Priority Rating)
- Tenable's proprietary system
- Combines CVSS with threat intelligence
- Focuses on likelihood of exploitation
KEV (Known Exploited Vulnerabilities)
- CISA's catalog of actively exploited CVEs
- Mandates patching for federal agencies
- Strong signal for prioritization
Practical Example
Vulnerability: Remote code execution in web application
CVSS Metrics:
- AV:N (network exploitable)
- AC:L (easy to exploit)
- PR:N (no auth needed)
- UI:N (no user interaction)
- S:U (unchanged scope)
- C:H (full data access)
- I:H (can modify data)
- A:H (can crash service)
Base Score: 9.8 (Critical)
Temporal Adjustment:
- E:F (functional exploit available, weight 0.97): 9.8 × 0.97 = 9.51, rounded up to 9.6
- RL:O (official patch available, weight 0.95): 9.8 × 0.97 × 0.95 = 9.03, rounded up to 9.1
Environmental Adjustment (temporal metrics kept):
- System is internal-only (MAV:A): the exploitability sub-score drops from 3.89 to 2.84, giving 8.8 before the temporal multiplier and 8.2 (High) after it
- Web app isn't mission-critical: CR:M, IR:M, AR:M is the default weight (1.0) and changes nothing; rating the data and service as genuinely low-value (CR:L, IR:L, AR:L) halves the impact weights and brings the score to 6.4 (Medium)
Final Environmental Score: 8.2 (High) with medium security requirements, 6.4 (Medium) with low ones. Either way the same flaw on an internet-facing, mission-critical system keeps its 9.1 and should be patched first.
Conclusion
CVSS provides a valuable standardized framework for communicating vulnerability severity. When used properlyβas one input among many in a risk-based prioritization processβit helps security teams make informed decisions about where to focus remediation efforts.
Key takeaways:
- CVSS scores range from 0.0 to 10.0
- Base metrics are required; Temporal and Environmental are optional
- Don't use CVSS scores aloneβconsider exploit availability and business context
- Adjust scores using Temporal and Environmental metrics for your situation
- Combine CVSS with other data sources like EPSS and KEV for best results
Need to calculate CVSS scores? Our CVE Lookup tool includes a built-in CVSS calculator and shows scores for all NVD vulnerabilities.