How CVSS v4.0 works: characterizing and scoring vulnerabilities

The Common Vulnerability Scoring System (CVSS) provides software developers, testers, and security and IT professionals with a standardized way to assess vulnerabilities. You can use CVSS to assess the threat level of each vulnerability and then prioritize mitigation accordingly.

This article explains how the CVSS works, reviews its components, and describes why using a standardized process helps organizations assess vulnerabilities consistently.

A software vulnerability is any weakness in the codebase that can be exploited. Vulnerabilities can result from a variety of coding mistakes, including faulty logic, inadequate validation mechanisms, or lack of protection against buffer overflows. Attackers can exploit these weaknesses to gain unauthorized access, execute arbitrary code, or disrupt system operations.

Why use a standardized scoring system?

With thousands of vulnerabilities disclosed each year, organizations need a way to prioritize which ones to address first. A standardized scoring system like CVSS helps teams:

• Compare vulnerabilities objectively
• Prioritize patching and mitigation efforts
• Communicate risk to stakeholders

CVSS is maintained by the Forum of Incident Response and Security Teams (FIRST) and is widely used by organizations and vulnerability databases, including the National Vulnerability Database (NVD).

CVSS v3.x metric groups

CVSS v3.x included three main metric groups:

1. Base metrics: Intrinsic characteristics of a vulnerability that are constant over time and across user environments.
2. Temporal metrics: Characteristics that change over time, but not among user environments.
3. Environmental metrics: Characteristics that are relevant and unique to a particular user’s environment.

What’s new in CVSS v4.0?

The CVSS v4.0 update, released in late 2023, brings several significant changes and improvements over previous versions (v3.0/v3.1). Here’s what’s new and what’s changed:

1. Expanded metric groups

• Base metrics now include more granular distinctions, such as the new Attack Requirements (AT) metric and improved definitions for Privileges Required and User Interaction.
• Threat metrics are a new, optional metric group for capturing real-world exploitation and threat intelligence, helping to prioritize vulnerabilities based on active exploitation.
• Supplemental metrics, provide additional context—such as safety, automation, and recovery—to tailor scoring for specific industries or use cases.

2. Refined scoring and terminology

• Attack Vector (AV) introduced a clearer distinction between network, adjacent, local, and physical vectors, with improved definitions.
• Attack Requirements (AT) is introduced to capture conditions that must exist for successful exploitation, but are outside the attacker’s control.
• Privileges Required (PR) and User Interaction (UI) have been clarified and expanded to reflect modern attack scenarios.
• The scope is now called “vulnerable system,” providing more precise language about what is affected.

3. Greater flexibility and customization

• Modular scoring allows organizations to use the base, threat, and supplemental metrics independently or together.
• Industry-specific extensions let sectors like healthcare, automotive, or critical infrastructure apply more tailored scoring.

4. Improved guidance and usability

• Clearer documentation: The new specification now includes better examples and more detailed guidance to reduce ambiguity in scoring.
• Backwards compatibility: CVSS v4.0 scores are not directly comparable to v3.x scores, but the new system was designed to coexist during the transition period.

How the CVSS scoring process works (v4.0)

1. Assess the base metrics
   • Evaluate the exploitability and impact of the vulnerability using the updated metric definitions.
2. Incorporate threat metrics (optional)
   • If there’s intelligence about active exploitation, adjust the score accordingly to reflect real-world risk.
3. Add environmental and supplemental metrics
   • Tailor the score to your organization’s environment and industry-specific requirements.
4. Calculate the final score
   • The CVSS calculator (now updated for v4.0) combines the selected metrics to produce a score between 0.0 (no risk) and 10.0 (critical risk).

Example of a CVSS v4.0 score

Suppose a newly discovered vulnerability allows remote code execution over the network with no privileges required and no user interaction. Under CVSS v4.0, you would:

• Assign the appropriate base metrics (e.g., Network, Low complexity, No privileges, No user interaction).
• If there is evidence of active exploitation, use the threat metric to increase the urgency.
• Add any environmental or supplemental metrics relevant to your organization.

The resulting score helps you prioritize remediation efforts based on both the technical details and the real-world threat landscape.

Why the update matters

The improvements in CVSS v4.0 reflect the changing nature of software vulnerabilities and the need for more nuanced, actionable risk assessments. By incorporating real-world threat intelligence and industry-specific context, organizations can make better-informed decisions about vulnerability management.

Key takeaways:

• CVSS v4.0 provides more accurate, flexible, and actionable vulnerability scoring.
• New metric groups allow for customization and real-world prioritization.
• Organizations should transition to CVSS v4.0 for a more comprehensive approach to vulnerability risk management.

For more information and to access the latest CVSS v4.0 calculator and documentation, visit the FIRST CVSS v4.0 page.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.