CVSS (Common Vulnerability Scoring System)

What is CVSS?

The Common Vulnerability Scoring System (CVSS) is an industry-standard framework used to assess and communicate the severity of security vulnerabilities. CVSS provides a numerical score that reflects the potential impact of a vulnerability, helping organizations prioritize their remediation efforts based on cyber risk. The system is widely used by security professionals, vulnerability management teams, and cyber risk analysts to ensure consistency in evaluating and responding to cybersecurity threats.

CVSS scoring provides a standardized way to measure the severity of vulnerabilities, helping organizations focus on the most pressing threats. By incorporating base, temporal, and environmental factors, it offers flexibility in risk assessment while maintaining consistency across the cybersecurity landscape.

Understanding CVSS is essential for vulnerability management, as it helps organizations prioritize threats efficiently, reduce exposure, and allocate resources where they are needed most.

What Information Does CVSS Provide?

CVSS offers a structured methodology to assess vulnerabilities by analyzing their exploitability, impact, and environmental factors. It provides a score ranging from 0 to 10, where higher scores indicate more severe vulnerabilities. The system is composed of three primary metric groups:

  • Base Metrics: Evaluate the inherent characteristics of a vulnerability, including attack vector, complexity, and impact on confidentiality, integrity, and availability.
  • Temporal Metrics: Account for factors that may change over time, such as exploitability maturity and remediation levels.
  • Environmental Metrics: Allow organizations to adjust scores based on their specific infrastructure and risk tolerance.

What is a CVSS Score?

A CVSS score quantifies the severity of a vulnerability, guiding security teams in prioritizing patches and mitigations. The score falls into predefined ranges:

  • 0.0 – None
  • 0.1 – 3.9 – Low
  • 4.0 – 6.9 – Medium
  • 7.0 – 8.9 – High
  • 9.0 – 10.0 – Critical

How the Common Vulnerability Scoring System works

The Common Vulnerability Scoring System was launched in 2005 to provide an open and universal standard to rate the severity of software vulnerabilities. A CVSS score is based on the damage that could be accomplished by attackers if they successfully exploit a given vulnerability. Scores are assigned to vulnerabilities that have been added to the list of Common Vulnerabilities and Exposures (CVE) and entered into the National Vulnerability Database (NVD).

While CVSS scores can be a helpful data point in the vulnerability management lifecycle, there are several reasons that CVSS scores alone can’t provide a full picture of the risk associated with each vulnerability.

  • A lag in rating time. While many CVSS scores are assigned quickly, some take far longer. Certain vulnerabilities may not be assessed for days or even weeks. During this lag, security teams have no idea about the risk that a newly discovered vulnerability represents.
  • Ratings rarely change. Ratings on the Common Vulnerability Scoring System are seldom revised, even though a certain vulnerability may become much more widely exploited by cybercriminals in the time after its initial publication.
  • No probability assessment. CVSS scores are based solely on the potential damage that a vulnerability exploit could cause – the scores do not reflect the likelihood that threat actors will attempt to exploit a vulnerability. As a result, vulnerabilities with high CVSS scores may be extremely unlikely to be used in an attack, while vulnerabilities with a low severity rating may be used frequently by cybercriminals in coordinated attacks.

To protect their organizations more effectively, security teams need a better way to understand the risk associated with each vulnerability and prioritize remediation. That’s where Cybersixgill can help.

CVSS vs. VRR

CVSS is often compared to Vulnerability Risk Rating (VRR), another approach to evaluating vulnerabilities. While CVSS provides a standardized, publicly available scoring method, VRR is typically proprietary and incorporates additional business and contextual risk factors. Organizations that use VRR often integrate CVSS scores but refine prioritization with their own intelligence and threat modeling.

CVE vs. CVSS

The Common Vulnerabilities and Exposures (CVE) system is a catalog of known vulnerabilities, each assigned a unique identifier. CVSS, on the other hand, provides a methodology for scoring the severity of these vulnerabilities. While CVE identifies a flaw, CVSS quantifies its potential impact, helping security teams assess the urgency of remediation efforts.

How to Map CVE to CVSS

Mapping a CVE to a CVSS score involves evaluating the vulnerability’s attributes against the CVSS scoring framework. The National Vulnerability Database (NVD) and other security advisories often provide CVSS scores for CVEs. Organizations can refine these scores using environmental metrics to reflect their unique risk exposure.

CVSS 3 vs. CVSS 4

CVSS has evolved to improve accuracy in vulnerability assessment. The transition from CVSS 3 to CVSS 4 introduced several refinements:

  • Enhanced granularity in attack complexity and exploitability metrics
  • Improved representation of supply chain and cloud vulnerabilities
  • Additional environmental considerations, such as asset importance and automation
  • More detailed scoring to aid organizations in better prioritizing remediation efforts

The challenges of the Common Vulnerability Scoring System

Vulnerability exploitation has recently become the most common vector for cyberattacks – serving as the initial means of infiltration for 1/3 of all cyber attacks in 2021. With nearly 200,000 vulnerabilities already identified and ~50 new CVEs released each day, security teams must prioritize remediation, focusing first on the vulnerabilities that represent the greatest risk.

Traditionally, security teams have relied on the Common Vulnerability Scoring System (CVSS) when prioritizing vulnerabilities for remediation. CVSS is a free and open industry standard that assesses the severity of a vulnerability should it be exploited. But CVSS scores offer only a partial view of risk. They don’t take into account the likelihood that a vulnerability is about to be exploited, and the scores rarely change even though the risk associated with vulnerabilities may significantly increase or decrease over time.

For security teams that want a more accurate, real-time assessment of the risk associated with vulnerabilities, Cybersixgill offers DVE Intelligence. By providing a real-time score based on the likelihood that a vulnerability will be exploited in the next 90 days, DVE Intelligence delivers a more detailed and accurate assessment than the Common Vulnerability Scoring System, helping to simplify and enhance vulnerability prioritization.

Why Dark Web Monitoring is Essential

The dark web is the go-to channel for threat actors as they seek to anonymously communicate, collaborate and acquire the tools and data they need to carry out attacks. As they interact, these cyber criminals leave footprints that can point to their future plans. It’s common for evidence of planned cybercrimes to appear on the dark web long before they can be found by conventional threat intelligence tools, including telemetry-based solutions.

To help security teams stay ahead of the threat curve, Bitsight monitors and tracks activity on a broad array of sources.

  • Underground markets. Marketplaces on the dark web are where cyber criminals buy and sell exploit code kits and other malicious tools that can be used to exploit vulnerabilities for attacks.
  • Underground forums. Forums on the deep and dark web are a common meeting ground for discussions about recently discovered vulnerabilities. This is where cybercriminals share exploit codes and occasionally plan joint attack campaigns.
  • Paste sites. Threat actors share large amounts of text on these sites that often include things such as exploit codes, Metasploit tools and information about various CVEs.
  • Code repositories. Proof-of-concept (POC) exploit codes are published daily on GitHub and labeled “for educational purposes only.” These POC codes often attract a great deal of interest from threat actors intent on exploiting them.
  • Social media. Tracking the discourse of threat actors on Twitter, Telegram and other social media platforms can provide early warning about plans to exploit newly discovered vulnerabilities.
  • Blogs, technical feeds, cybersecurity websites. Monitoring these sites can help security professionals understand how common vulnerabilities and exposures (CVEs) have already been weaponized, an indication that they are likely to be exploited again.

Protecting from Threats with Cyber Threat Intelligence

To improve the effectiveness of their patching cadences, cybersecurity teams need real-time insight into risk throughout the lifecycle of a vulnerability. Bitsight delivers real-time threat intelligence from the dark web to help organizations stay ahead of cyber threats. With access to over 1,000 underground forums and marketplaces, it collects and analyzes more than 7 million intelligence items daily. Tracking 700+ APT groups, 4,000+ malware types, and 95 million threat actors, it provides security teams with rapid, context-rich insights. By enriching data with context, Bitsight enables proactive threat detection and mitigation within minutes of collection.

Bitsight’s cyber threat intelligence solution helps protect your supply chain from threats through:

  • Generative AI: Aimed at simplifying complex threat data, and drawing from a comprehensive collection of real-time threat intelligence, IQ delivers AI-generated analysis, high-quality finished reporting and 24/7 assistance.
  • Vulnerability intelligence: Dynamic Vulnerability Exploit (DVE) Intelligence is an end-to-end solution that spans the entire CVE lifecycle, streamlining vulnerability analysis, prioritization, management and remediation.
  • Identity intelligence: Discover and manage compromised identity credentials, typically originating from malware stealer logs, and set prioritization preferences to better safeguard priority assets and proactively remediate threats as they surface.
  • Attack surface intelligence: Continuously identify, classify, and monitor unknown networked assets to mitigate organizational risk. Leverage real-time asset discovery and context-rich threat intelligence across the deep, dark, and clear web for early threat detection.
  • Ransomware & malware intelligence: Gain comprehensive, real-time ransomware threat intelligence from OSINT and the clear, deep, and dark web, including insights into ransomware groups’ activities, TTPs, vulnerabilities, targeted sectors, and remediation strategies.
  • Brand & phishing intelligence: Detect real-time mentions of your brand across the cybercriminal underground. Receive early alerts regarding threat actor activity and discussions related to your company assets, products, management and credentials.
  • Threat Intelligence Services (DRPS): Elite Intelligence Services are tailored to meet the needs of your organization, delivering the insight you need to take action and reduce your threat exposure.