In depth
A CVSS score has three metric groups. Base metrics describe the intrinsic properties of the vulnerability — attack vector (network, adjacent, local, physical), attack complexity, privileges required, user interaction, scope change, and impact on confidentiality, integrity and availability. Temporal metrics adjust for whether exploit code is publicly available and whether vendor patches exist. Environmental metrics let the consuming organisation re-score the vulnerability against its own deployment context — a critical-on-paper RCE in a service that is firewalled off and not internet-exposed might score Medium for that organisation, not Critical.
CVSS v4.0 introduced several improvements over v3.1: the deprecated "Scope" metric is replaced with explicit subsequent-system impact metrics, the Attack Requirements metric better captures preconditions that scanners miss, and the supplemental metrics group adds safety, automatable and recovery dimensions that are particularly relevant for industrial systems. Many security teams now publish both v3.1 and v4.0 vector strings in their reports during the transition period.
Common abuse of CVSS: treating the Base score as if it were the final priority signal, ignoring the Environmental modifiers, and patching strictly by score rather than by exploitability. The right model is to triage on EPSS (Exploit Prediction Scoring System) and KEV (CISA's Known Exploited Vulnerabilities catalog) alongside CVSS, then apply the Environmental modifiers to reflect your actual deployment. Every AxVeil VAPT finding ships with both a CVSS v3.1 and a v4.0 vector string. See VAPT services.
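As an added worked example (not AxVeil's code or the CVSS reference calculator), the Python below scores a v3.1 vector string across all three metric groups and re-scores the "critical on paper" network RCE from the discussion above for a host that is only reachable locally, holds low-value data and has no public exploit. The metric weights and rounding rule are those of the CVSS v3.1 specification; the vector and deployment context are constructed for illustration.

```python
import math

# CVSS v3.1 metric weights from the specification (section 7 / appendix A).
AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2}
AC = {"L": 0.77, "H": 0.44}
PR = {"U": {"N": 0.85, "L": 0.62, "H": 0.27}, "C": {"N": 0.85, "L": 0.68, "H": 0.5}}
UI = {"N": 0.85, "R": 0.62}
CIA = {"H": 0.56, "L": 0.22, "N": 0.0}
TEMPORAL = {"E": {"X": 1, "H": 1, "F": 0.97, "P": 0.94, "U": 0.91},
            "RL": {"X": 1, "U": 1, "W": 0.97, "T": 0.96, "O": 0.95},
            "RC": {"X": 1, "C": 1, "R": 0.96, "U": 0.92}}
REQ = {"X": 1.0, "H": 1.5, "M": 1.0, "L": 0.5}  # CR / IR / AR security requirements
BASE_KEYS = ("AV", "AC", "PR", "UI", "S", "C", "I", "A")

def roundup(x):  # round up to one decimal exactly as CVSS v3.1 Appendix A prescribes
    i = round(x * 100000)
    return i / 100000 if i % 10000 == 0 else (math.floor(i / 10000) + 1) / 10

def _score(av, ac, pr, ui, s, c, i, a, req=(1, 1, 1), modified=False):
    iss = 1 - (1 - CIA[c] * req[0]) * (1 - CIA[i] * req[1]) * (1 - CIA[a] * req[2])
    iss = min(iss, 0.915) if modified else iss  # environmental caps the impact sub-score
    if s == "U":
        impact = 6.42 * iss
    elif modified:  # the environmental curve for scope-changed impact differs from base
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss * 0.9731 - 0.02) ** 13
    else:
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    if impact <= 0:
        return 0.0
    expl = 8.22 * AV[av] * AC[ac] * PR[s][pr] * UI[ui]
    return roundup(min((1.0 if s == "U" else 1.08) * (impact + expl), 10))

def cvss31_scores(vector):  # -> (base, temporal, environmental) for a CVSS:3.1 vector
    m = dict(part.split(":") for part in vector.split("/")[1:])
    base = _score(*(m[k] for k in BASE_KEYS))
    tf = math.prod(TEMPORAL[k][m.get(k, "X")] for k in TEMPORAL)
    temporal = roundup(base * tf)
    # Modified metrics (MAV, MAC, ...) fall back to the base value when absent or "X".
    mod = [m["M" + k] if m.get("M" + k, "X") != "X" else m[k] for k in BASE_KEYS]
    req = tuple(REQ[m.get(k, "X")] for k in ("CR", "IR", "AR"))
    env = _score(*mod, req=req, modified=True)
    return base, temporal, roundup(env * tf) if env else 0.0

def severity(score):  # qualitative rating per the CVSS v3.1 severity scale
    bands = ((0.0, "None"), (3.9, "Low"), (6.9, "Medium"), (8.9, "High"), (10.0, "Critical"))
    return next(label for top, label in bands if score <= top)

if __name__ == "__main__":  # constructed: network RCE, firewalled low-value host, no public exploit
    v = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/MAV:L/CR:L/IR:L/AR:L"
    print([(s, severity(s)) for s in cvss31_scores(v)])  # [(9.8, 'Critical'), (9.0, 'Critical'), (6.1, 'Medium')]
```

The same vector drops from 9.8 Critical to 6.1 Medium once the Environmental and Temporal metrics reflect the real deployment, which is the re-scoring the text argues teams skip when they patch by Base score alone.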