Every CVE comes with a CVSS (Common Vulnerability Scoring System) score, but many IT professionals don't fully understand what these numbers represent or how to use them for prioritization. Let's break it down.
What Is CVSS?
CVSS is a standardized framework for rating the severity of security vulnerabilities. The current version (CVSS v3.1, with v4.0 gaining adoption) produces a score from 0.0 to 10.0, where higher means more severe.
The Severity Scale
| Score Range | Severity | What It Means |
|---|---|---|
| 9.0 - 10.0 | Critical | Remote code execution, no auth needed, full system compromise likely |
| 7.0 - 8.9 | High | Significant impact, may require some conditions to exploit |
| 4.0 - 6.9 | Medium | Moderate impact, usually requires local access or user interaction |
| 0.1 - 3.9 | Low | Limited impact, difficult to exploit, or minimal consequences |
CVSS Metrics Explained
A CVSS score is calculated from several metrics. Understanding these helps you assess how relevant a CVE is to your environment.
Attack Vector (AV)
- Network (N): Exploitable remotely over the network (most dangerous)
- Adjacent (A): Requires same network segment (e.g., local WiFi)
- Local (L): Requires local system access
- Physical (P): Requires physical access to the machine
A Network attack vector means anyone on the internet could potentially exploit this. If your server is internet-facing, pay close attention to these.
Attack Complexity (AC)
- Low (L): No special conditions needed—exploit works reliably
- High (H): Requires specific conditions (race conditions, specific configurations, etc.)
Privileges Required (PR)
- None (N): No authentication needed (most dangerous)
- Low (L): Requires basic user access
- High (H): Requires admin/root privileges
User Interaction (UI)
- None (N): No user action needed—exploit is fully automated
- Required (R): Victim must click a link, open a file, etc.
Why CVSS Alone Isn't Enough
CVSS scores have a significant limitation: they measure theoretical severity, not actual risk. A CVSS 10.0 vulnerability in software you don't use poses zero risk to you. Meanwhile, a CVSS 7.0 in your internet-facing web server could be actively exploited right now.
Complement CVSS with:
- EPSS (Exploit Prediction Scoring System): Predicts the probability of exploitation in the next 30 days. A CVE with CVSS 7.0 and EPSS 0.95 is far more urgent than CVSS 9.0 with EPSS 0.01.
- CISA KEV: The Known Exploited Vulnerabilities catalog lists CVEs that are confirmed to be actively exploited in the wild. If a CVE is on this list, treat it as a top priority regardless of CVSS score.
- Your own context: Is the affected software internet-facing? Is it running in production? Do you have compensating controls?
Practical Prioritization Framework
Here's a real-world approach that combines multiple signals:
- Patch immediately (within 24h): CISA KEV entries + any CVSS Critical with Network attack vector
- Patch this week: CVSS High + EPSS > 0.5, or any CVE with a public exploit
- Patch within 30 days: CVSS High with Low EPSS, or CVSS Medium on internet-facing systems
- Patch in regular maintenance: Everything else
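The four tiers above are easy to apply by hand to one CVE but tedious across a vulnerability scan, so here is an added example (not code from the original article or from FixTheCVE) that encodes the framework as a triage function over a list of findings. Two points are interpretations rather than statements on the page: "Low EPSS" in the 30-day tier is read as EPSS at or below the 0.5 threshold the weekly tier uses, and a Critical score that does not qualify for the 24-hour tier (for example, a Critical with a Local attack vector) is treated as at least High for the later tiers. The `Finding` fields and the sample data are constructed for the example.

```python
from dataclasses import dataclass

IMMEDIATE = "patch immediately (within 24h)"
THIS_WEEK = "patch this week"
THIRTY_DAYS = "patch within 30 days"
MAINTENANCE = "patch in regular maintenance"
TIER_ORDER = [IMMEDIATE, THIS_WEEK, THIRTY_DAYS, MAINTENANCE]

# EPSS threshold from the framework; "low EPSS" is read as at or below it.
EPSS_URGENT = 0.5


@dataclass
class Finding:
    """One CVE as it applies to one of your assets (constructed schema)."""
    cve_id: str
    cvss: float             # CVSS base score
    attack_vector: str      # "N", "A", "L" or "P"
    epss: float             # EPSS probability, 0.0 - 1.0
    in_kev: bool = False    # listed in the CISA KEV catalog
    public_exploit: bool = False
    internet_facing: bool = False


def patch_tier(f):
    """Return the framework tier for a single finding, first matching rule wins."""
    critical = f.cvss >= 9.0
    high_or_above = f.cvss >= 7.0          # High, plus Critical that missed tier 1
    medium = 4.0 <= f.cvss < 7.0

    # Tier 1: confirmed exploited, or Critical and reachable over the network.
    if f.in_kev or (critical and f.attack_vector == "N"):
        return IMMEDIATE
    # Tier 2: likely to be exploited soon, or a public exploit already exists.
    if (high_or_above and f.epss > EPSS_URGENT) or f.public_exploit:
        return THIS_WEEK
    # Tier 3: High with low EPSS, or Medium where the internet can reach it.
    if high_or_above or (medium and f.internet_facing):
        return THIRTY_DAYS
    return MAINTENANCE


def triage(findings):
    """Group CVE ids by tier, in the order the work should be done."""
    buckets = {tier: [] for tier in TIER_ORDER}
    for f in findings:
        buckets[patch_tier(f)].append(f.cve_id)
    return buckets


# Constructed sample findings; the ids are placeholders, not real CVEs.
SAMPLE = [
    Finding("EXAMPLE-1", 5.5, "L", 0.02, in_kev=True),
    Finding("EXAMPLE-2", 9.8, "N", 0.30),
    Finding("EXAMPLE-3", 7.0, "N", 0.95),                       # the CVSS 7.0 / EPSS 0.95 case above
    Finding("EXAMPLE-4", 4.3, "N", 0.10, public_exploit=True),
    Finding("EXAMPLE-5", 8.1, "N", 0.02),
    Finding("EXAMPLE-6", 5.3, "N", 0.05, internet_facing=True),
    Finding("EXAMPLE-7", 5.3, "N", 0.05),
    Finding("EXAMPLE-8", 9.1, "L", 0.10),                       # Critical but local only
]

if __name__ == "__main__":
    for tier, ids in triage(SAMPLE).items():
        print(f"{tier}: {', '.join(ids) or '-'}")
```

Note that EXAMPLE-1 lands in the first tier despite a Medium score because KEV membership outranks CVSS, while EXAMPLE-8, a Critical that needs local access, waits for the 30-day window; that ordering is the whole point of combining the three signals rather than sorting by CVSS alone.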
Pro tip: On FixTheCVE, every CVE page shows the CVSS score, EPSS probability, CISA KEV status, and available patches in one view. Browse CVEs to see this in action.
CVSS v4.0: What's New?
CVSS v4.0 introduced several improvements:
- Better granularity: More metric combinations for more accurate scores
- Supplemental metrics: New categories like Safety, Automatable, and Recovery
- Multiple score types: Base, Threat, Environmental, and Supplemental scores
- Reduced "score inflation": Fewer CVEs cluster at Critical, giving better differentiation
Understanding CVSS is essential, but it's just one tool in your vulnerability management toolkit. The best approach combines CVSS severity with real-world exploitability data and your own infrastructure context. Set up free CVE monitoring to get this complete picture for your specific systems.