Overview of CVSS and Its Purpose
In the rapidly evolving landscape of cybersecurity, accurately assessing the severity of vulnerabilities is critical for organizations seeking to protect their assets and prioritize response efforts. The CVSS (Common Vulnerability Scoring System) is a standardized framework for evaluating the severity of software vulnerabilities. It produces a numerical score that maps to a qualitative severity rating and is widely used by security professionals, vendors, and government agencies.
CVSS scores help developers and security teams prioritize remediation efforts based on risk. Scores range from 0 to 10, where zero (0) indicates no severity and ten (10) indicates critical severity.
| CVSS Score | Severity |
| --- | --- |
| 0 | None |
| 0.1-3.9 | Low |
| 4.0-6.9 | Medium |
| 7.0-8.9 | High |
| 9.0-10.0 | Critical |
Brief History of CVSS
CVSS version 1 (CVSSv1) was released to the public by the U.S. National Infrastructure Advisory Council (NIAC) in February 2005; however, since the initial draft had not undergone peer review and exhibited significant issues, NIAC chose the Forum of Incident Response and Security Teams (FIRST) to take over development of the standard. Feedback from organizations and vendors resulted in FIRST developing and launching CVSS version 2 (CVSSv2) in June 2007, which included more detailed metric groups and improved definitions.
In June 2015, CVSS version 3.0 (CVSSv3.0) was published; CVSSv3.0 introduced new key metrics and standardized the scoring formula while maintaining the 0-10 scale. In June 2019, FIRST released CVSS version 3.1 (CVSSv3.1), which focused on enhancing definitions and guidance rather than changing the metrics.
The most recent version of CVSS is version 4.0 (CVSSv4), released in November 2023. This update introduced several key enhancements: the Temporal Metrics were replaced by Threat Metrics to better reflect real-world scenarios, the Scope metric was removed, and Supplemental Metrics were added to capture more nuance, such as safety and recovery.
The Structure of CVSS v3.1
CVSS v3.1 is composed of three metric groups: Base Metrics, Temporal Metrics, and Environmental Metrics.
Base Metrics: The Technical Foundation
The Base Metrics are mandatory and reflect the technical characteristics of a vulnerability. These metrics are designed to be consistent over time and provide a standardized way to assess how a vulnerability can be exploited and what its potential impact might be.
The Base Metrics include:
- Exploitability Metrics: Reflect the properties of the vulnerable component that determine how easily it can be exploited.
  - Attack Vector (AV): Describes how an attacker can reach and exploit the vulnerability.
  - Attack Complexity (AC): Indicates how easy or difficult the exploit is to carry out.
  - Privileges Required (PR): Assesses whether the attacker needs prior access to the system.
  - User Interaction (UI): Determines whether a victim must take some action for the exploit to succeed.
  - Scope (S): Reflects whether a vulnerability affects resources beyond the security scope of the vulnerable component.
- Impact Metrics: Measure the consequences of successful exploitation.
  - Confidentiality (C): Loss of data confidentiality.
  - Integrity (I): Unauthorized modification of data.
  - Availability (A): Loss of access to systems or data.
Combined, these metrics produce the Base Score, which quantifies the overall severity of the vulnerability.
Temporal Metrics: Evolving Vulnerability Factors
The Temporal Metrics account for characteristics of the vulnerability that can change over time and are useful for evaluating the current threat landscape. These include Exploit Code Maturity (E), which reflects the likelihood of the vulnerability being exploited based on the availability of exploit code; Remediation Level (RL), which describes the availability and effectiveness of a fix; and Report Confidence (RC), which indicates the credibility of the vulnerability report. Together, these metrics adjust the Base Score to reflect current exploitability and confidence levels, enabling better prioritization.
Environmental Metrics: Customization by Context
The Environmental Metrics allow organizations to customize the CVSS score according to the context of their specific environment. This includes the Security Requirements (CR, IR, AR), which assess how critical confidentiality, integrity, and availability are in the user’s environment, as well as the Modified Base Metrics, which allow base metric values to be changed based on environmental factors. This group of metrics also adjusts the Base Score by considering how a vulnerability impacts the user’s organization, infrastructure, or data.
Calculations of CVSS v3.1
The CVSS v3.1 Base Score is built from two sub scores: Exploitability and Impact. The Exploitability sub score is calculated with the formula 8.22 x AV x AC x PR x UI, where each metric is assigned a numeric value based on the level selected. The Impact sub score starts from the formula 1 – [(1 – C) x (1 – I) x (1 – A)]. If Scope is Unchanged, this value is multiplied by 6.42; if Scope is Changed, a more complex formula is applied to adjust the score. The Base Score is then the sum of the Exploitability and Impact sub scores (with an adjustment if Scope is Changed), capped at 10 and rounded up to the nearest 0.1.
The Temporal Score is calculated by multiplying the Base Score by the Exploit Code Maturity, Remediation Level and Report Confidence values and then rounding up: Roundup (Base Score x E x RL x RC). The Environmental Score further customizes the severity rating using modified values specific to an organization’s context. It starts from the Modified Impact Sub-Score (MISS), which measures the adjusted impact based on the importance of confidentiality, integrity, and availability, and computes the Modified Impact from it with different formulas depending on whether the Modified Scope is Unchanged or Changed. The Modified Exploitability is calculated like the original exploitability but uses the modified metrics: 8.22 x Modified AV x Modified AC x Modified PR x Modified UI. The Environmental Score is the sum of the Modified Impact and Modified Exploitability, capped at 10. If the Modified Scope is Changed, a 1.08 multiplier is applied before the final rounding, and if the Modified Impact is zero or less, the Environmental Score is set to 0.
The Structure of CVSS v4.0
CVSS v4.0 is composed of four metric groups: Base Metrics, Environmental Metrics, Threat Metrics and Supplemental Metrics, the latter two of which are new additions.
The Base Metrics in CVSS v4 remove the Scope metric and add Attack Requirements (AT), which indicates the specific environmental conditions that must be present for exploitation to occur.
Threat Metrics: Real-World Exploitation
The Threat Metrics group introduces a new element: Exploit Maturity (E). Exploit Maturity describes how easily and widely a vulnerability is exploited. This metric helps security professionals distinguish whether a vulnerability is a theoretical risk or a live threat, a capability CVSS v3.1 did not provide.
Environmental Metrics: Organizational Context
CVSS v4 allows users to customize the score based on their specific systems or organizational priorities. Metrics here include the Modified Base Metrics, which adjust the Base Metrics to match the real-world implementation of a system, and the Security Requirements, which indicate which impact area (C, I, A) is most important to the organization.
This level of customization makes CVSS v4.0 much more adaptable to a wide range of industries, including healthcare, finance, and industrial control systems, where risk tolerances and operational requirements vary.
Supplemental Metrics: Additional Insight
Supplemental Metrics do not affect the CVSS numeric score but provide valuable qualitative information. These include Safety (S), which assesses whether exploitation could lead to physical harm or safety risks, and Automatable (AU), which evaluates the ease with which an exploit can be executed using scripts or tools. Recovery (R) reflects how easily affected systems can be restored, while Value Density (V) indicates how much sensitive data or value is concentrated in the affected system. Vulnerability Response Effort (RE) helps organizations plan and prioritize their response based on the level of effort required rather than severity alone. Finally, Provider Urgency (U) allows vendors to communicate the urgency of applying a fix. Together, these metrics help organizations gain a more comprehensive understanding of the potential consequences of a vulnerability beyond its technical severity alone.
Calculations of CVSS v4.0
The CVSS v4.0 scoring system was developed through a structured, data-driven approach intended to ensure consistency, expert input, and backward compatibility. First, the CVSS Special Interest Group (SIG) reduced the roughly 15 million possible CVSS-BTE (Base, Threat, Environmental) vectors to 270 equivalence sets (metric groups) to make expert analysis manageable. Experts then compared these sets pairwise to judge relative severity, and the comparisons were processed with the Elo rating system to produce a severity ranking of the vector groups. This is the same Elo algorithm the International Chess Federation uses to rank chess players from best to worst.
The SIG requested input from industry experts to define the boundaries between the qualitative severity levels (low, medium, high, critical) in a way that aligns with the CVSS v3.x score ranges. The ranked vector groups within each severity category are then mapped to the corresponding numerical score ranges using agglomerative hierarchical clustering. The SIG also introduced a score adjustment mechanism to meet the design goal that any single metric change results in at least a 0.1 point difference in score. This allows slight variations within vector groups based on ordered metric values (AV:N > AV:A > AV:L > AV:P), ensuring that similar but not identical vectors receive slightly different scores.
Advantages of CVSS v4.0
CVSS v4.0 brings a range of improvements over its predecessor, offering several key advantages that enhance vulnerability assessment and prioritization. One of the most significant improvements is greater accuracy, achieved through the inclusion of Attack Requirements and Threat Metrics. These additions enable a more precise understanding of a vulnerability’s exploitability and urgency. CVSS v4.0 also introduces real-world context awareness, helping organizations focus their efforts on vulnerabilities that pose immediate threats. The framework’s environmental flexibility allows scores to be tailored to an organization’s specific context, increasing the relevancy of the assessment and improving prioritization decisions. Furthermore, the addition of Supplemental Metrics provides valuable contextual information, particularly benefiting complex environments such as those in industries with strict operational or safety requirements.
Disadvantages and Challenges of CVSS v4.0
Despite its advancements, CVSS v4.0 introduces several complexities and limitations that may present challenges for users. With the introduction of more metrics and score types, CVSS v4.0 can be more difficult to learn and apply, particularly for smaller organizations or less experienced users. Additionally, the flexibility intended to support contextual scoring may lead to inconsistencies across organizations. This means that two different teams might assign very different scores to the same vulnerability, making it harder to perform reliable cross-organizational comparisons. Another limitation is that the Supplemental Metrics, while informative, do not contribute to the actual score. As a result, organizations may inadvertently overlook important qualitative factors when prioritizing vulnerabilities. Finally, although CVSS v4.0 maintains a similar scoring range to v3.1, the inclusion of new metrics and revised interpretation methods limits backward compatibility. This can cause discrepancies when comparing scores across versions and may require existing tools to be updated or reconfigured.
Applicability for FedRAMP
The most recent version of the FedRAMP Vulnerability Scanning Requirements, dated 15 Feb 2024, does not reference CVSS v4. Instead, it specifies that the CVSSv3 base score from the latest NVD release must be used as the original risk rating for any identified vulnerability. If a CVSS v3 score is not available, a CVSSv2 score may be used. In cases where no CVSS score is provided, the native scanner’s base risk score can be used as an alternative.
Conclusion
| CVSS v3.1 | CVSS v4.0 |
| --- | --- |
| Score-based severity of vulnerabilities | More flexible and context-aware scoring |
| Base, Temporal, Environmental | Base, Threat, Environmental, Supplemental |
| Score is calculated via equations | Score is calculated via a lookup table |
| Widely adopted | Not yet fully integrated |
CVSS v4.0 represents a significant evolution in vulnerability scoring. It moves beyond a rigid, one-size-fits-all approach to offer a flexible, context-aware framework that better reflects the realities of modern cybersecurity threats. Its enhancements, such as real-world threat integrations, environmental customization, and detailed supplemental metrics, make it a more powerful tool for risk assessment.
However, these benefits come with trade-offs; CVSS v4.0 is more complex and potentially harder to implement consistently. Organizations must balance the improved precision and relevance against the additional time and expertise needed to apply it correctly.
Ultimately, CVSS v4.0 is not a simple, perfect solution, but when used in combination with other risk assessment practices, it serves as a valuable component of a comprehensive cybersecurity strategy.
What can Fortreum do for you?
Let us know how Fortreum can help you navigate the changing currents of cybersecurity. For more information, visit the Fortreum website or follow the company on LinkedIn at LinkedIn.com/company/fortreum.
Should you have questions about your FedRAMP, CMMC, cloud and cybersecurity readiness, please reach out to us at Info@fortreum.com or Contact Us at https://fortreum.com/contact/