
What is CVSS?

Meredith Kreisa|Updated October 8, 2024

The National Infrastructure Advisory Council (NIAC) Common Vulnerability Scoring System (CVSS) is an industry standard that measures vulnerability severity and assigns a numerical score to aid prioritization for remediation and penetration testing. The Forum of Incident Response and Security Teams (FIRST) oversees these guidelines and provides extensive documentation on them, but we’ll give a quick overview of the metrics to help you get the lay of the land.

Note 1: There are several versions of CVSS floating around the internet. This article focuses primarily on v4.0 (the way of the future), but CVSS v3.1 is still widely used, including by PDQ Detect and PDQ Connect. The main difference between v3.1 and v4.0 is that what v3.1 called "temporal metrics" is now called "threat metrics." CVSS v4.0 also added a supplemental metric group and increased the granularity by adding an Attack Requirements (AT) base metric.

Just keep in mind that exact details vary depending on which CVSS version you’re looking at.  

Note 2: CVSS uses a lot of abbreviations to identify its vast array of metrics. We’re including them here, but please don’t let the alphabet soup bog you down.

Base metrics 

Base metrics focus on the intrinsic security vulnerability characteristics that are consistent regardless of the time, place, and environment. These values are typically assigned by an analyst or the vendor. The base metrics break down into two categories: exploitability and impact. 

CVSS v4.0 base score severity levels

  • Low: 0–3.9

  • Medium: 4–6.9

  • High: 7–8.9

  • Critical: 9–10

Exploitability metrics 

Exploitability metrics relate to how easy it would be for a threat actor to exploit a software vulnerability assuming they have knowledge of the target. 

Attack Vector (AV)

The Attack Vector metric indicates the context of possible exploitation. The severity is higher if a known vulnerability can be exploited remotely. 

Attack Complexity (AC)

Attack Complexity looks at the steps an attacker would need to take to bypass security and exploit the vulnerability.

Attack Requirements (AT)

The Attack Requirements metric captures the deployment and execution conditions of the target system (the by-products of how the system is deployed and run) that could facilitate or hinder an attack. If an attack depends on special conditions that the attacker cannot overcome, the likelihood of success diminishes.

Privileges Required (PR) 

Privileges Required addresses the privileges an attacker needs before exploiting the vulnerability. 

User Interaction (UI) 

As the name suggests, User Interaction focuses on whether a user must participate (and how actively) for an attacker to successfully compromise a vulnerable system.

Impact metrics 

Impact metrics focus on the direct expected effects if threat actors successfully exploit a vulnerability. Each impact metric is also scored twice: once for the vulnerable system itself and once for any subsequent system affected by the exploit.

Confidentiality Impact (VC/SC) 

The Confidentiality Impact metric assesses how a successfully exploited vulnerability may impact information confidentiality on the target system.

Integrity Impact (VI/SI) 

This metric focuses on how an exploited vulnerability could affect the trustworthiness of information.

Availability Impact (VA/SA) 

This Availability metric addresses whether or not the impacted system will remain available if an attacker successfully exploits a vulnerability.

Threat metrics 

Threat metrics are organizationally assigned and cover factors that may change with time. While threat metric assessment is not essential, it can make results more relevant to a particular point in time.

Exploit Maturity (E) 

Formerly known as Exploit Code Maturity, Exploit Maturity looks at how likely it is that a vulnerability will be exploited in its current state based on exploit code availability and techniques, along with whether it is already being actively exploited.

Environmental metrics 

Environmental metrics are organizationally assigned and refer to vulnerability characteristics relevant in a specific environment. It’s not essential to measure environmental metrics, but it can make results more specific and readily applicable. 

Confidentiality, Integrity, and Availability Requirement (CR, IR, AR) 

These customizable metrics essentially allow you to weigh the importance of confidentiality, integrity, and availability based on your business needs.

Modified base metrics 

Modified base metrics allow you to adjust the base metrics (exploitability and impact metrics) to suit your environment. Note that you can also assign a Safety metric if human safety may be affected by availability or integrity issues in subsequent systems.

The modified CVSS base metric options break down as follows: 

  • Modified Attack Vector (MAV) 

  • Modified Attack Complexity (MAC) 

  • Modified Attack Requirements (MAT) 

  • Modified Privileges Required (MPR) 

  • Modified User Interaction (MUI) 

  • Modified Vulnerable System Confidentiality (MVC) 

  • Modified Vulnerable System Integrity (MVI) 

  • Modified Vulnerable System Availability (MVA) 

  • Modified Subsequent System Confidentiality (MSC) 

  • Modified Subsequent System Integrity (MSI) 

    • Modified Subsequent System Integrity: Safety (MSI: S) 

  • Modified Subsequent System Availability (MSA) 

    • Modified Subsequent System Availability: Safety (MSA: S) 

Supplemental metrics 

Supplemental metrics provide specific context and measure extra attributes of a cybersecurity vulnerability. They allow users to apply local severity values based on their unique risk analysis, though they do not affect the overall vulnerability score.

Safety (S) 

In addition to indicating safety concerns within a modified base metric, you can also use the Safety supplemental metric if a human could face harm as a result of an exploited vulnerability.

Automatable (AU)

This CVSS metric measures whether a threat actor could automate the exploitation of a vulnerability across targets.

Provider Urgency (U)

Provider Urgency is a supplemental metric that vendors can add to reflect how pressing they consider the vulnerability.

Recovery (R) 

The Recovery metric measures how easy it is to recover services once a system has been compromised.

Value Density (V)

Value Density assesses how many resources an attacker may control after exploiting a single vulnerable component. 

Vulnerability Response Effort (RE) 

The Vulnerability Response Effort metric focuses on how challenging it would be for a consumer to respond to the potential impacts of a vulnerability. 

CVSS FAQs 

What’s the difference between CVSS and CVE? 

CVSS scoring measures vulnerability severity, whereas Common Vulnerabilities and Exposures (CVE) is a database that provides summaries of and identifiers for vulnerabilities. CVE also feeds vulnerability information to the National Vulnerability Database (NVD), which then enriches and publishes the information. 

Simply put, CVSS provides a quantitative analysis, while CVE and NVD offer qualitative analyses.

What are the different types of CVSS scores?

While the CVSS base score (CVSS-B) is most widely known, inputting additional information creates more customized options: CVSS base and threat (CVSS-BT); CVSS base and environmental (CVSS-BE); and CVSS base, threat, and environmental (CVSS-BTE). 
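As an added example (not code from the original article), the following Python parses a CVSS v4.0 vector string using the metric abbreviations listed above, checks that the mandatory base metrics are present, reports which of the CVSS-B, -BT, -BE or -BTE score types the supplied metrics yield, and maps a numeric score to the severity table above. The allowed values per metric are taken from the FIRST v4.0 specification; the numeric score itself is not computed here, since that needs FIRST's lookup tables and is best left to the calculators.

```python
"""Parse a CVSS v4.0 vector string against the metric groups described above
and report which score type (CVSS-B, -BT, -BE or -BTE) the supplied metrics
yield. The numeric score needs FIRST's MacroVector tables and is left to
the official calculator."""

# Allowed values per metric, grouped as in the v4.0 specification;
# "X" (Not Defined) is accepted for every optional metric.
BASE = {"AV": "NALP", "AC": "LH", "AT": "NP", "PR": "NLH", "UI": "NPA",
        "VC": "HLN", "VI": "HLN", "VA": "HLN", "SC": "HLN", "SI": "HLN", "SA": "HLN"}
THREAT = {"E": "XAPU"}
ENVIRONMENTAL = {"CR": "XHML", "IR": "XHML", "AR": "XHML", "MAV": "XNALP",
                 "MAC": "XLH", "MAT": "XNP", "MPR": "XNLH", "MUI": "XNPA",
                 "MVC": "XHLN", "MVI": "XHLN", "MVA": "XHLN", "MSC": "XHLN",
                 "MSI": "XSHLN", "MSA": "XSHLN"}  # S = Safety
SUPPLEMENTAL = {"S": "XNP", "AU": "XNY", "R": "XAUI", "V": "XDC", "RE": "XLMH",
                "U": ["X", "Clear", "Green", "Amber", "Red"]}
ALLOWED = {**BASE, **THREAT, **ENVIRONMENTAL, **SUPPLEMENTAL}
PREFIX = "CVSS:4.0/"

def parse_vector(vector: str) -> dict:
    """Return {metric: value}; raise ValueError on any malformed vector."""
    if not vector.startswith(PREFIX):
        raise ValueError("only CVSS:4.0 vectors are handled here")
    metrics = {}
    for part in vector[len(PREFIX):].split("/"):
        name, sep, value = part.partition(":")
        # set() so a multi-character value such as "HL" is rejected
        if not sep or name not in ALLOWED or value not in set(ALLOWED[name]):
            raise ValueError(f"invalid metric {part!r}")
        if name in metrics:
            raise ValueError(f"duplicate metric {name}")
        metrics[name] = value
    missing = sorted(set(BASE) - set(metrics))
    if missing:
        raise ValueError(f"base metrics are mandatory; missing {missing}")
    return metrics

def score_type(metrics: dict) -> str:
    """Nomenclature from the groups actually supplied (X counts as absent)."""
    threat = any(metrics.get(m, "X") != "X" for m in THREAT)
    env = any(metrics.get(m, "X") != "X" for m in ENVIRONMENTAL)
    return "CVSS-B" + ("T" if threat else "") + ("E" if env else "")

def severity(score: float) -> str:
    """Rating from the table above; the FIRST spec also rates exactly 0.0 as None."""
    if not 0.0 <= score <= 10.0:
        raise ValueError("score must lie between 0 and 10")
    if score == 0.0:
        return "None"
    return "Low" if score < 4 else "Medium" if score < 7 else "High" if score < 9 else "Critical"
```

A vector that carries only the eleven base metrics reports CVSS-B; adding E:A together with CR:H or MSI:S reports CVSS-BTE, while an explicit E:X still counts as base-only.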

How can I calculate a CVSS score?

The easiest way to calculate a CVSS score that’s custom to your unique environment is by using NVD’s CVSS calculator or FIRST’s CVSS calculator. However, if you’re looking for a more general base score, you probably won’t need to do any calculations — NVD provides the CVSS base score for each of its documented vulnerabilities. 


Automate the tedious steps of vulnerability management with PDQ Connect: our end-to-end patch management solution. Let PDQ Connect inventory your software and flag vulnerabilities that you can patch in just one click. And should something go wrong with a patch (which would totally not be Microsoft’s fault, of course), use PDQ Connect’s built-in remote desktop control and access feature to get things back up and running again. Try PDQ Connect free for 14 days.
