Cybersecurity October 22, 2025 26 min read

Understanding CVSS Scores: Assessing Vulnerabilities from Vulnerability Scans

Cybersecurity software flags hundreds of issues daily. CVSS scores range from 0.0 to 10.0—but what makes one vulnerability critical and another low priority? Let's dive into CVSS scoring.

Software Engineer

Schild Technologies

Vulnerability scanning identifies exploitable weaknesses that threaten system security. The Common Vulnerability Scoring System (CVSS) provides the standardized framework security teams use worldwide to assess severity and prioritize remediation efforts. Maintained by FIRST (Forum of Incident Response and Security Teams), CVSS translates complex technical characteristics into numerical scores. This guide walks through CVSS scoring using common vulnerabilities from routine scans.

Understanding the CVSS framework

The Common Vulnerability Scoring System, maintained by FIRST (Forum of Incident Response and Security Teams), uses a formula to produce numerical scores from 0.0 to 10.0, with higher scores indicating greater severity. CVSS version 3.1, the current standard, evaluates vulnerabilities across three metric groups:

Base metrics measure the intrinsic characteristics of a vulnerability that remain constant over time and across environments. These include:

  • Attack Vector (AV): Can the vulnerability be exploited remotely (Network), from an adjacent network (Adjacent), locally (Local), or only with physical access (Physical)?
  • Attack Complexity (AC): How difficult is exploitation? Low complexity vulnerabilities work reliably, while high complexity requires specific conditions.
  • Privileges Required (PR): Does exploitation require authentication? If so, what privilege level?
  • User Interaction (UI): Must a user take some action for exploitation to succeed?
  • Scope (S): Can successful exploitation affect resources beyond the vulnerable component?
  • Confidentiality impact (C): How much data exposure occurs?
  • Integrity impact (I): Can attackers modify system data or files?
  • Availability impact (A): Does exploitation cause denial of service?

Temporal metrics reflect characteristics that change over time, such as exploit availability and patch status. These are optional but valuable for practical risk assessment.

Environmental metrics are also optional and allow organizations to customize scores based on their specific environment, considering factors like system importance and existing security controls.

CVSS severity ratings

CVSS scores map to severity ratings that guide prioritization. Higher scores indicate greater adverse impact if exploited:

  • Critical (9.0-10.0): Vulnerabilities with severe impact that are typically remotely exploitable without authentication
  • High (7.0-8.9): Significant vulnerabilities that may require some preconditions or have slightly reduced impact
  • Medium (4.0-6.9): Vulnerabilities with moderate impact or those requiring specific conditions to exploit
  • Low (0.1-3.9): Vulnerabilities with minimal impact or those requiring significant access or preconditions
  • None (0.0): No vulnerability present

Vector strings

Scores are commonly expressed as vector strings—standardized notation that encodes all metrics producing a vulnerability's score. They appear in vulnerability databases, cybersecurity software reports, security advisories, and compliance documentation.

Format

  • CVSS:3.1 - The CVSS version being used
  • Metric codes - Two-letter abbreviations for each metric (AV, AC, PR, etc.)
  • Values - Single-letter ratings after each colon (N=None, L=Low, H=High, etc.)

The metrics encoded:

  • AV = Attack Vector (N=Network, A=Adjacent, L=Local, P=Physical)
  • AC = Attack Complexity (L=Low, H=High)
  • PR = Privileges Required (N=None, L=Low, H=High)
  • UI = User Interaction (N=None, R=Required)
  • S = Scope (U=Unchanged, C=Changed)
  • C = Confidentiality impact (N=None, L=Low, H=High)
  • I = Integrity impact (N=None, L=Low, H=High)
  • A = Availability impact (N=None, L=Low, H=High)

Examples

Let's examine vulnerabilities that commonly appear during network and application vulnerability scans, analyzing their CVSS scores and what those scores mean in practice.

Critical severity vulnerabilities

Example 1: Remote Code Execution in Apache Log4j (CVE-2021-44228) - CVSS 10.0

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

The Log4Shell vulnerability achieved the rare perfect score of 10.0 because:

  • Attack Vector: Network - Exploitable from anywhere on the internet
  • Attack Complexity: Low - Reliable exploitation with widely available tools
  • Privileges Required: None - No authentication needed
  • User Interaction: None - Automatic exploitation without user involvement
  • Scope: Changed - Can affect systems beyond the vulnerable component
  • Impact: High across all three categories (Confidentiality, Integrity, Availability)

Real-world context: Found in cybersecurity software as "Apache Log4j Remote Code Execution Vulnerability." Any Java application using vulnerable Log4j versions (2.0-beta9 through 2.15.0) will be flagged for this vulnerability. This vulnerability allows attackers to execute arbitrary code by sending specially crafted log messages.

Remediation priority: Immediate. Production systems with this vulnerability should be patched or mitigated within hours.

Example 2: EternalBlue SMB Vulnerability (CVE-2017-0144) - CVSS 8.8

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

The MS17-010 vulnerability, exploited by WannaCry ransomware, scores 8.8:

  • Attack Vector: Network - Remotely exploitable via SMB protocol (ports 445, 139)
  • Attack Complexity: Low - Multiple reliable exploit tools exist (including in Metasploit)
  • Privileges Required: Low - Requires authentication with low-privileged account
  • User Interaction: None - Fully automated exploitation
  • Scope: Unchanged - Affects the vulnerable SMB component
  • High Impact - Complete system compromise possible

Real-world context: Appears in cybersecurity software scans as "Microsoft Windows SMB Remote Code Execution Vulnerability" or "MS17-010 EternalBlue." Despite being patched in 2017, this vulnerability still appears frequently in vulnerability scans of legacy Windows systems, particularly Windows 7, Server 2008, and XP.

Remediation priority: Critical. While patches exist, unpatched systems remain highly vulnerable to automated attacks and ransomware propagation.

High severity vulnerabilities

Example 3: SQL Injection in Web Applications - CVSS 9.8

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

SQL injection vulnerabilities typically score between 8.0 and 9.8 depending on the specific implementation:

  • Attack Vector: Network - Exploitable via web interface
  • Attack Complexity: Low - Standard SQL injection techniques work
  • Privileges Required: None - Available to unauthenticated users
  • User Interaction: None - Direct exploitation possible
  • Scope: Unchanged - Typically affects only the vulnerable database
  • High Impact - Database contents can be read, modified, or deleted

Real-world context: Found in web application scans with tools like Burp Suite, OWASP ZAP, or Acunetix. Results may show "SQL Injection in [parameter]" or "Database Error Messages Exposed." Common in custom web applications, legacy systems, and occasionally in third-party plugins.

Remediation priority: Urgent. SQL injection allows attackers to bypass authentication, extract sensitive data, modify records, or execute operating system commands through database functions.

Example 4: Unpatched OpenSSL Heartbleed (CVE-2014-0160) - CVSS 7.5

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Heartbleed, while serious, scores lower than remote code execution vulnerabilities:

  • Attack Vector: Network - Remotely exploitable via HTTPS
  • Attack Complexity: Low - Simple exploitation
  • Privileges Required: None - No authentication needed
  • User Interaction: None - Automated exploitation possible
  • Scope: Unchanged - Affects only the vulnerable SSL/TLS service
  • Confidentiality Impact: High - Can leak memory contents including passwords and keys
  • Integrity Impact: None - Cannot modify data
  • Availability Impact: None - Does not cause service disruption

Real-world context: Appears in scans as "OpenSSL TLS Heartbeat Information Disclosure" or "Heartbleed vulnerability." Though patched in 2014, it is occasionally found on forgotten servers, embedded systems, or appliances with outdated OpenSSL libraries (versions 1.0.1 through 1.0.1f).

Remediation priority: High. While not as critical as RCE vulnerabilities, Heartbleed can expose sensitive data including session tokens, passwords, and private keys through repeated exploitation.

Example 5: SMBv1 Protocol Enabled - CVSS 7.5

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

SMBv1 protocol vulnerabilities score around 7.5:

  • Attack Vector: Network - Remotely accessible
  • Attack Complexity: Low - Known attack methods exist
  • Privileges Required: None - Often no authentication needed
  • User Interaction: None - Automated attacks possible
  • Scope: Unchanged - Affects only SMB services
  • Availability Impact: High - Can cause denial of service or facilitate ransomware spread

Real-world context: Found in cybersecurity software scans as "SMBv1 Protocol Enabled" or "Deprecated SMB Protocol in Use." Microsoft officially deprecated SMBv1 in 2017, but it remains enabled on many older Windows systems and network-attached storage devices.

Remediation priority: High. While SMBv1 itself may not allow immediate system compromise, it facilitates the spread of malware like WannaCry and provides an attack surface for various SMB-related vulnerabilities.

Medium severity vulnerabilities

Example 6: TLS 1.0/1.1 Support - CVSS 6.5

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N

Deprecated TLS versions score in the medium range:

  • Attack Vector: Network - Remotely exploitable
  • Attack Complexity: High - Requires man-in-the-middle position and cryptographic attacks
  • Privileges Required: None - No authentication needed
  • User Interaction: None - Passive exploitation possible
  • Scope: Unchanged - Affects only TLS connections
  • Confidentiality Impact: High - Can potentially decrypt traffic
  • Integrity Impact: Low - Limited ability to modify traffic
  • Availability Impact: None - Does not disrupt service

Real-world context: Shows up as "TLS 1.0/1.1 Protocol Deprecated" or "Weak SSL/TLS Protocol Supported." Common on web servers, email servers, and API endpoints that haven't been updated to enforce TLS 1.2 or higher.

Remediation priority: Medium. While exploitation requires sophisticated attacks (like BEAST or POODLE), regulatory compliance frameworks (PCI DSS, HIPAA) often prohibit TLS 1.0/1.1, making remediation necessary for compliance.

Example 7: Cross-Site Scripting (XSS) - CVSS 6.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Stored or reflected XSS vulnerabilities typically score around 6.1:

  • Attack Vector: Network - Exploitable via web browser
  • Attack Complexity: Low - Straightforward exploitation
  • Privileges Required: None - Available to unauthenticated users
  • User Interaction: Required - Victim must visit malicious page or click link
  • Scope: Changed - Can affect other users via stored XSS
  • Confidentiality Impact: Low - Can steal session cookies or credentials
  • Integrity Impact: Low - Can modify page content
  • Availability Impact: None - Does not disrupt service

Real-world context: Found by web application scanners as "Cross-Site Scripting in [parameter]" or "Reflected XSS vulnerability." Common in search fields, comment sections, user profiles, and any user-controlled input that gets displayed.

Remediation priority: Medium. While XSS doesn't directly compromise servers, it enables session hijacking, credential theft, and targeted phishing attacks against users. Priority increases for administrative interfaces or applications handling sensitive data.

Example 8: Weak Password Policy - CVSS 5.3

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Weak password policies or exposed password enumeration score around 5.3:

  • Attack Vector: Network - Remotely accessible login interfaces
  • Attack Complexity: Low - Automated brute-force tools readily available
  • Privileges Required: None - Available to any network user
  • User Interaction: None - Automated attacks possible
  • Scope: Unchanged - Affects only authentication system
  • Confidentiality Impact: Low - Can eventually lead to account compromise
  • Integrity Impact: None - No direct data modification
  • Availability Impact: None - Does not disrupt service

Real-world context: Appears as "Weak Password Policy Detected," "User Enumeration Possible," or "No Account Lockout Policy." Common on web applications, SSH services, RDP endpoints, and VPN gateways that don't enforce strong password requirements or account lockout mechanisms.

Remediation priority: Medium. While not immediately exploitable, weak password policies enable credential-based attacks over time. Priority increases if the service has no multi-factor authentication and provides access to sensitive resources.

Low severity vulnerabilities

Example 9: Information Disclosure via HTTP Headers - CVSS 3.7

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Server banner disclosure and verbose error messages score low:

  • Attack Vector: Network - Remotely detectable
  • Attack Complexity: High - Information alone doesn't compromise systems
  • Privileges Required: None - Publicly accessible
  • User Interaction: None - Automated discovery possible
  • Scope: Unchanged - Only information leakage
  • Confidentiality Impact: Low - Reveals system details
  • Integrity Impact: None - No system modification
  • Availability Impact: None - No service disruption

Real-world context: Shows as "Server Version Disclosure," "Technology Stack Exposed," or "Verbose Error Messages." Examples include HTTP headers revealing "Server: Apache/2.4.41" or stack traces exposing framework versions, internal paths, or database schema details.

Remediation priority: Low. While these don't directly compromise systems, they aid reconnaissance and may reveal specific versions with known vulnerabilities. Best practice is to remove unnecessary information disclosure, but these can be addressed during routine maintenance windows.

Example 10: Missing Security Headers - CVSS 3.1

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N

Missing HTTP security headers like X-Frame-Options, Content-Security-Policy, or Strict-Transport-Security score low:

  • Attack Vector: Network - Affects web users
  • Attack Complexity: High - Requires additional vulnerabilities to exploit
  • Privileges Required: None - Affects any site visitor
  • User Interaction: Required - User must visit site
  • Scope: Unchanged - Affects only web application
  • Confidentiality Impact: Low - May enable clickjacking or limited attacks
  • Integrity Impact: None - No direct data modification
  • Availability Impact: None - No service disruption

Real-world context: Reported as "Missing X-Frame-Options Header," "Missing Content-Security-Policy," or "Missing Strict-Transport-Security." Nearly universal in older web applications that haven't been updated with modern security headers.

Remediation priority: Low. These headers provide defense-in-depth against certain browser-based attacks but don't represent direct vulnerabilities. They should be implemented as part of security hardening but are typically lower priority than patching actual vulnerabilities.

Contextualizing CVSS scores

While CVSS provides objective severity ratings, effective vulnerability management requires contextual analysis. A CVSS 10.0 vulnerability on an air-gapped development system may pose less immediate risk than a CVSS 7.0 vulnerability on an internet-facing payment gateway.

Environmental factors:

System exposure: Internal-only systems reduce the practical risk of network-based vulnerabilities. A remotely exploitable vulnerability on an internal database accessible only from application servers has lower effective risk than the same vulnerability on a public web server.

System criticality: Vulnerabilities on mission-critical systems warrant faster remediation regardless of score. A medium-severity vulnerability on your primary authentication system may require more urgent attention than a high-severity vulnerability on a development server.

Compensating controls: Existing security measures modify effective risk. A critical SQL injection vulnerability behind a web application firewall (WAF) with appropriate rules has reduced immediate risk, though remediation remains necessary.

Exploit availability: Vulnerabilities with public exploits or active exploitation campaigns require immediate attention. The CVSS Temporal metrics capture this, but many organizations don't adjust base scores for temporal factors.

Data sensitivity: Systems handling regulated data (PCI, HIPAA, GDPR) or sensitive business information warrant accelerated remediation timelines even for medium-severity vulnerabilities.

Common misconceptions about CVSS

Misconception 1: CVSS scores measure risk

CVSS provides severity ratings, not risk ratings. Risk involves both likelihood and impact. Likelihood is the probability that the vulnerability will be exploited, and impact is the potential damage if it is exploited. A CVSS 9.0 vulnerability on an isolated system with no sensitive data may represent lower business risk than a CVSS 6.0 vulnerability on your primary revenue-generating application.

Misconception 2: High CVSS scores require immediate patching

Remediation timelines should consider risk. Industry frameworks provide guidance: CISA recommends patching critical vulnerabilities in internet-facing systems within 15 days, but your organization's risk profile should drive specific timelines.

Conclusion

CVSS provides the universal language for vulnerability severity, translating technical characteristics into standardized scores that remain constant across all environments. The framework reveals how vulnerabilities work: attack vectors show accessibility, complexity indicates reliability of exploitation, privilege requirements reveal authentication barriers, and impact metrics quantify potential damage. Understanding these mechanics transforms CVSS from abstract numbers into meaningful assessments of what makes vulnerabilities dangerous.

References

National Vulnerability Database (NVD). (2021). CVE-2021-44228 Detail. CVSS v3.1 Base Score: 10.0 CRITICAL. Retrieved from https://nvd.nist.gov/vuln/detail/CVE-2021-44228
Apache Software Foundation. (2021). Log4j Security Vulnerabilities. Retrieved from https://logging.apache.org/log4j/2.x/security.html
Cybersecurity and Infrastructure Security Agency (CISA). (2021). Apache Log4j Vulnerability - CVE-2021-44228. Known Exploited Vulnerabilities Catalog. Retrieved from https://www.cisa.gov/known-exploited-vulnerabilities-catalog
National Vulnerability Database (NVD). (2017). CVE-2017-0144 Detail. CVSS v3.0 Base Score: 8.8 HIGH. Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. Retrieved from https://nvd.nist.gov/vuln/detail/CVE-2017-0144
Microsoft Security Response Center. (2017). CVE-2017-0144 | Windows SMB Remote Code Execution Vulnerability. Retrieved from https://msrc.microsoft.com/update-guide/vulnerability/CVE-2017-0144
Microsoft Corporation. (2017). Microsoft Security Bulletin MS17-010 - Critical. Retrieved from https://learn.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-010
Cybersecurity and Infrastructure Security Agency (CISA). (2017). CVE-2017-0144 - Microsoft SMBv1 Remote Code Execution Vulnerability. Known Exploited Vulnerabilities Catalog. Retrieved from https://www.cisa.gov/known-exploited-vulnerabilities-catalog
National Vulnerability Database (NVD). (2014). CVE-2014-0160 Detail. CVSS v3.1 Base Score: 7.5 HIGH. Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. Retrieved from https://nvd.nist.gov/vuln/detail/CVE-2014-0160
OpenSSL Project. (2014). OpenSSL Security Advisory [07 Apr 2014] - TLS heartbeat read overrun (CVE-2014-0160). Retrieved from https://www.openssl.org/news/secadv/20140407.txt
Cybersecurity and Infrastructure Security Agency (CISA). (2014). OpenSSL 'Heartbleed' vulnerability (CVE-2014-0160). Retrieved from https://www.cisa.gov/news-events/alerts/2014/04/08/openssl-heartbleed-vulnerability-cve-2014-0160
FIRST.Org, Inc. (2019). Common Vulnerability Scoring System version 3.1: Specification Document. Retrieved from https://www.first.org/cvss/v3.1/specification-document
FIRST.Org, Inc. (2019). Common Vulnerability Scoring System version 3.1: User Guide. Retrieved from https://www.first.org/cvss/v3-1/user-guide
© 2025 Schild Technologies