An In-Depth Discussion of the CVSS

Common Vulnerability Scoring System (CVSS): A Complete Guide to Vulnerability Scoring & Prioritization

03/30/2026


Understanding and managing vulnerabilities is critical for all organizations. One of the most widely recognized frameworks for evaluating and prioritizing vulnerabilities is the Common Vulnerability Scoring System (CVSS). This guide covers everything you need to know about the CVSS, including how vulnerability scoring works, how CVSS scores are calculated, what each metric group measures, and the advantages and limitations of the system. In a companion post, we explore how to extend your scoring and prioritization beyond CVSS with a threat-based approach to prioritize actions.

What Is the Common Vulnerability Scoring System (CVSS)?

The Common Vulnerability Scoring System (CVSS) is a standardized, open framework for rating the severity of software security vulnerabilities on a scale of 0.0 to 10.0. It gives security teams, developers, and decision-makers a common vocabulary for vulnerability scoring so that remediation can be prioritized on consistent, repeatable criteria.

CVSS was first published in 2005 under the US National Infrastructure Advisory Council (NIAC); since version 2 it has been owned and maintained by the Forum of Incident Response and Security Teams (FIRST). It is widely adopted across industries, from software vendors and vulnerability databases to government cybersecurity operations. The current version, CVSS v4.0, was released in November 2023 and refines the metrics to improve scoring granularity and contextual relevance; v3.1 (2019) is still in wide use, so practitioners need to be able to read both.

An Explanation of the CVSS Three Metric Groups

CVSS v3.x structures its vulnerability scoring around three metric groups: Base, Temporal, and Environmental. CVSS v4.0 keeps the same layering but renames Temporal to Threat and adds an optional Supplemental group (for example Automatable and Safety) that carries context without changing the numeric score. Each group captures different characteristics of a vulnerability. The Base score is the starting point, and the Temporal and Environmental groups refine it, so the most specific score an organization has computed is the one it should act on.

Base Metrics: The Foundation of Every CVSS Score

Base metrics represent the intrinsic characteristics of a vulnerability that remain constant regardless of time or environment. They form the core of every CVSS score and are divided into two subgroups, Exploitability and Impact. In v3.x a further Base metric, Scope (S), records whether a successful exploit affects resources beyond the security authority of the vulnerable component (Unchanged or Changed), and a Changed scope raises the score; v4.0 replaces Scope with separate impact metrics for the vulnerable system and for subsequent systems.

Exploitability metrics include the following:

  • Attack Vector (AV): Defines the context from which the vulnerability can be exploited: Network, Adjacent, Local, or Physical. The more remote the attacker can be, the higher the score, so Network is weighted highest.
  • Attack Complexity (AC): Measures the conditions outside the attacker's control that must exist for exploitation to succeed (Low or High). Lower complexity means higher risk.
  • Privileges Required (PR): Specifies the level of access an attacker needs before exploitation: None, Low, or High.
  • User Interaction (UI): Indicates whether successful exploitation requires a victim to perform an action, such as clicking a malicious link.

Impact metrics include the following:

  • Confidentiality (C): Measures the potential impact on the confidentiality of information, such as unauthorized access to sensitive data.
  • Integrity (I): Assesses the potential for unauthorized modification of data or systems.
  • Availability (A): Evaluates the impact on system availability, including denial-of-service conditions.

Temporal Metrics: How Vulnerability Scores Change Over Time

Temporal metrics (the Threat metric group in CVSS v4.0) adjust the Base score to reflect factors that evolve after a vulnerability is first disclosed. Because the Base score already assumes the worst case, these metrics can only keep the score where it is or lower it; they never raise it above the Base score. The v3.1 Temporal metrics are:

  • Exploit Code Maturity (E): Reflects the current state of exploit development. Weaponized, widely available exploit code leaves the score at its Base value; a proof-of-concept or unproven exploit lowers it slightly (in v3.1, to 94% or 91% of the Base score respectively).
  • Remediation Level (RL): Indicates whether an official fix, temporary fix, or workaround is available. Each available remediation lowers the score a little; an unavailable fix leaves it unchanged.
  • Report Confidence (RC): Gauges the reliability and completeness of the vulnerability report itself; reasonable or unknown confidence lowers the score relative to a confirmed report.

CVSS v4.0 drops Remediation Level and Report Confidence and keeps only Exploit Maturity in the Threat group.

Environmental Metrics: Customizing CVSS Scores for Your Specific Organization

Environmental metrics allow organizations to tailor the Common Vulnerability Scoring System output to their specific context and needs. This is where vulnerability scoring becomes the most actionable:

  • Modified Base Metrics: Adjust the Base metrics to reflect mitigating controls, compensating measures, or unique network configurations already in place.
  • Security Requirements (CR, IR, AR): Weight the importance of confidentiality, integrity, and availability based on the criticality of the affected asset to your business operations.

How are CVSS Scores Calculated?

CVSS scores are computed from the metric values with formulas published in the specification, and each metric group builds on the one before it rather than being added together. In v3.1, the Base score combines an Impact sub-score (from C, I, A and Scope) with an Exploitability sub-score (from AV, AC, PR and UI), rounded up to one decimal place. The Temporal score multiplies the Base score by the E, RL and RC factors, each of which is 1.0 or slightly below. The Environmental score repeats the Base calculation with any Modified Base metrics substituted, weights the impact components by CR, IR and AR, and then applies the Temporal factors. The numeric result maps to a qualitative severity rating: 0.0 None, 0.1 to 3.9 Low, 4.0 to 6.9 Medium, 7.0 to 8.9 High, and 9.0 to 10.0 Critical. CVSS v4.0 replaces the closed-form formula with a lookup over equivalence classes of metrics (MacroVectors) plus interpolation, so v4.0 scores should come from the FIRST calculator or a conforming library rather than a hand computation. FIRST provides a free online calculator for both versions, and most vulnerability scanners and management platforms compute CVSS scores automatically. Always record the vector string (for example CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) alongside the number: the score is lossy, the vector is not.

Advantages and Limitations of Using CVSS

One of the greatest strengths of the Common Vulnerability Scoring System is its standardization. CVSS provides a consistent, quantifiable method for assessing vulnerability severity that works across the entire cybersecurity industry. Because it is widely adopted (used by the National Vulnerability Database (NVD), major vulnerability scanners, and thousands of organizations worldwide), it creates a common language for communicating risk and enabling understanding between security teams, developers, and executive leadership. Its granular metrics, which span exploitability, impact, temporal, and environmental dimensions, enable nuanced analysis of each vulnerability rather than a simple binary judgment. This level of detail helps organizations prioritize remediation efforts and allocate security resources where they will have the greatest impact.

However, CVSS also has notable drawbacks that security teams should understand. The Base score is static by design: it describes the intrinsic characteristics of the vulnerability and does not change as the threat landscape evolves or as real-world attackers begin using it. The Temporal (Threat) and Environmental groups exist to capture that change, but in practice most consumers copy the Base score from NVD or a scanner and never supply them.

As a result, vulnerabilities can be mis-prioritized. A vulnerability with a high CVSS score may never be exploited in the wild, while a lower-scored vulnerability could pose a far more immediate danger. The score itself also lacks actionability: it tells you how severe a vulnerability is, not how to fix it or whether to fix it first, so security professionals must still perform additional analysis and decision-making. Finally, without Temporal and Environmental adjustments, CVSS vulnerability scoring does not reflect the specific risk posture of your organization, creating a context gap between the generic score and your actual exposure.

Despite these challenges, CVSS remains a valuable tool in the cybersecurity domain, provided its limitations are understood and supplemented.

How Does CVSS Compare to Other Vulnerability Scoring Frameworks?

While CVSS is the most widely recognized vulnerability scoring framework, modern security programs increasingly use it alongside complementary systems that address its blind spots. The Exploit Prediction Scoring System (EPSS), also maintained by FIRST and recomputed daily, is one such complement. Rather than measuring theoretical severity, EPSS estimates the probability that a vulnerability will actually be exploited in the wild within the next 30 days, adding a real-world likelihood dimension that CVSS alone does not capture.

Another approach is the Stakeholder-Specific Vulnerability Categorization (SSVC), a decision-tree framework developed by Carnegie Mellon University's Software Engineering Institute, with CISA publishing its own adaptation. SSVC shifts the focus from numerical scores to action-oriented decisions (for example Track, Attend, or Act), prioritizing vulnerabilities based on their current exploitation status, technical impact, and relevance to an organization's specific mission. Organizations also look to the CISA Known Exploited Vulnerabilities (KEV) Catalog, a curated and continuously updated list of vulnerabilities confirmed to be actively exploited; US federal civilian agencies are required under Binding Operational Directive 22-01 to remediate KEV entries by their listed due dates. The KEV catalog is often used to override or supplement CVSS-based prioritization, and if a vulnerability appears on this list it warrants immediate attention regardless of its CVSS score.

For the most effective vulnerability management, organizations should treat CVSS vulnerability scoring as a strong foundation and layer in threat intelligence from frameworks like EPSS, SSVC, and the KEV catalog to ensure remediation priorities reflect real-world risk rather than theoretical severity alone.
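To make that layering concrete, here is an added example (not from the original post or from any vendor product) of a prioritization rule that consults KEV first, then EPSS, then CVSS together with asset exposure, and compares the resulting order with a CVSS-only sort. The findings are constructed sample data with placeholder identifiers and made-up scores; in a real pipeline the KEV flag would come from CISA's published KEV JSON feed and the EPSS value from FIRST's EPSS API, and the 10% EPSS threshold is an assumption you would tune to your own environment.

```python
"""Rank findings by KEV membership, then EPSS probability, then CVSS plus exposure (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str              # identifier (placeholders below, not real CVEs)
    cvss: float           # CVSS Base score as published by the scanner
    epss: float           # EPSS probability of exploitation within 30 days (0.0 to 1.0)
    in_kev: bool          # present in the CISA KEV catalog
    internet_facing: bool # asset context from your inventory, not from any scoring system


def priority_key(f, epss_threshold=0.10):
    """Return a sort key; smaller sorts first. Tier 0 is the most urgent.

    Tier 0: confirmed exploited (KEV)            -> remediate on the KEV due date or sooner
    Tier 1: likely to be exploited soon (EPSS)   -> remediate in the next patch window
    Tier 2: Critical CVSS on an exposed asset    -> remediate in the normal cycle, but first
    Tier 3: everything else                      -> track
    Within a tier, higher EPSS and then higher CVSS sort first.
    """
    if f.in_kev:
        tier = 0
    elif f.epss >= epss_threshold:
        tier = 1
    elif f.cvss >= 9.0 and f.internet_facing:
        tier = 2
    else:
        tier = 3
    return (tier, -f.epss, -f.cvss)


def rank(findings, epss_threshold=0.10):
    return sorted(findings, key=lambda f: priority_key(f, epss_threshold))


def rank_by_cvss_only(findings):
    """The naive ordering most dashboards show by default, for comparison."""
    return sorted(findings, key=lambda f: -f.cvss)


# Constructed sample data: identifiers and numbers are illustrative only.
SAMPLE = [
    Finding("EX-A", cvss=9.8, epss=0.02, in_kev=False, internet_facing=False),
    Finding("EX-B", cvss=6.5, epss=0.00, in_kev=True,  internet_facing=True),
    Finding("EX-C", cvss=7.5, epss=0.45, in_kev=False, internet_facing=True),
    Finding("EX-D", cvss=9.8, epss=0.01, in_kev=False, internet_facing=True),
]

if __name__ == "__main__":
    print("CVSS only :", [f.cve for f in rank_by_cvss_only(SAMPLE)])
    print("layered   :", [f.cve for f in rank(SAMPLE)])
```

On the sample data the CVSS-only view puts the two 9.8s first and the KEV entry last; the layered rule puts the KEV entry first, the high-EPSS Medium-severity finding second, and separates the two 9.8s by whether the asset is actually exposed. The thresholds are policy, not science: encode them once in a function like this so that they are reviewed and versioned rather than applied ad hoc per ticket.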

Conclusion: Using the Common Vulnerability Scoring System Effectively

The Common Vulnerability Scoring System (CVSS) remains one of the most important tools in cybersecurity for assessing and prioritizing security vulnerabilities. By understanding how CVSS vulnerability scoring works, including its metric groups, calculation methods, severity ratings, and known limitations, organizations can build a more effective vulnerability management program.

For the best results, use CVSS as a starting point and supplement it with threat intelligence, asset context, and frameworks like EPSS and SSVC to ensure your remediation priorities reflect real-world risk.

Ready to strengthen your vulnerability management? Contact us today to learn more about how the CVSS is used for vulnerability prioritization within our Vulnerability Risk Scoring and Reporting solution.