Vulnerability Management Glossary

CVSS

Common Vulnerability Scoring System (CVSS) – a standardized framework for numerically rating security vulnerabilities on a scale from 0 to 10. CVSS 4.0 (since 2023) supplements the Base Score with a Threat Score (are there active exploits?) and an Environmental Score (severity in the specific environment).

The Common Vulnerability Scoring System (CVSS) is an open standard for assessing the severity of security vulnerabilities. It is maintained by FIRST (Forum of Incident Response and Security Teams) and is currently in version 4.0 (since October 2023).

Origins and Version History

CVSS was originally developed in 2005 by the National Infrastructure Advisory Council (NIAC) and handed over to FIRST. Since then, it has undergone continuous development:

  • CVSS 1.0 (2005): First open standard for uniform vulnerability assessment
  • CVSS 2.0 / 3.0: Refinement of assessment methods for evolving threat landscapes
  • CVSS 4.0 (2023): Accounts for temporal factors, cloud complexities, and large-scale network environments; vulnerabilities that have already been exploited can be assigned a higher severity

Calculation Basis

CVSS v4.0 assesses vulnerabilities based on several metric groups:

Base Score (fixed, dependent only on the vulnerability itself):

  • Attack Vector (AV): Network (N), Adjacent (A), Local (L), or Physical (P)
  • Attack Complexity (AC): Low (L) or High (H)
  • Privileges Required (PR): None (N), Low (L), or High (H)
  • User Interaction (UI): None (N), Passive (P), or Active (A)
  • Impact on CIA: Confidentiality, Integrity, Availability (None/Low/High)

Threat Score (contextual, depending on available exploits and attack activity)

Environmental Score (company-specific, depending on the criticality of the affected system: Confidentiality Requirement, Integrity Requirement, Availability Requirement)

CVSS Vector String

The score is output as a vector string that makes all ratings readable at a glance:

CVSS:4.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

The beginning indicates the CVSS version used. Each abbreviation stands for a metric: AV:N means Attack Vector: Network, AC:L means Attack Complexity: Low, etc. Penetration testers and security experts worldwide understand this notation without further explanation.

CVSS and CVE

CVSS and CVE are often used together, but they describe different things:

  • CVE (Common Vulnerabilities and Exposures): Assigns a unique identification number to a vulnerability (e.g., CVE-2023-12345). The first number is the year, the second is a sequential number. CVEs ensure that no confusion or duplication occurs.
  • CVSS: Numerically assesses the severity of a vulnerability. Each CVE typically has a CVSS score.

Anyone familiar with penetration test reports will recognize this combination: The CVE number uniquely identifies the vulnerability, while the CVSS score immediately indicates its criticality.

Score Interpretation

Score    | Severity | Recommended Response Time
---------|----------|--------------------------
9.0–10.0 | Critical | Immediate (< 24h)
7.0–8.9  | High     | < 72 hours
4.0–6.9  | Moderate | < 30 days
0.1–3.9  | Low      | Next release
0.0      | None     | None

Zero-day vulnerabilities often achieve scores above 8.0 or even 9.0, as they are actively exploited before a patch is available. NIST provides a calculator at nvd.nist.gov that can be used to calculate CVSS scores for your own vulnerability analyses.
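The following Python snippet is an added example (not code from this glossary or from AWARE7) that ties the two points above together: it validates a vector string against the Base metric set that the CVSS 4.0 specification itself defines (AV, AC, AT, PR, UI, VC, VI, VA, SC, SI, SA; note that the S (Scope) metric belongs to CVSS 3.x and is no longer part of 4.0), and it maps a numeric score to the severity band and response time from the table. The vector strings used as input are constructed for the example; Threat and Environmental metrics are deliberately not parsed here.

```python
import re

# Base metrics and their permitted values as defined by the CVSS 4.0 specification.
CVSS40_BASE_METRICS = {
    "AV": {"N", "A", "L", "P"},  # Attack Vector
    "AC": {"L", "H"},            # Attack Complexity
    "AT": {"N", "P"},            # Attack Requirements (new in 4.0)
    "PR": {"N", "L", "H"},       # Privileges Required
    "UI": {"N", "P", "A"},       # User Interaction
    "VC": {"H", "L", "N"}, "VI": {"H", "L", "N"}, "VA": {"H", "L", "N"},  # Vulnerable System C/I/A
    "SC": {"H", "L", "N"}, "SI": {"H", "L", "N"}, "SA": {"H", "L", "N"},  # Subsequent System C/I/A
}

def parse_cvss40_base(vector: str) -> dict:
    """Validate a CVSS 4.0 Base vector string and return {metric: value}.
    Raises ValueError on a wrong version prefix, a malformed or unknown metric,
    an invalid value, a duplicated metric, or a missing Base metric."""
    parts = vector.strip().split("/")
    if parts[0] != "CVSS:4.0":
        raise ValueError(f"expected 'CVSS:4.0' prefix, got {parts[0]!r}")
    metrics = {}
    for part in parts[1:]:
        m = re.fullmatch(r"([A-Z]{1,3}):([A-Z])", part)
        if not m:
            raise ValueError(f"malformed metric {part!r}")
        key, val = m.groups()
        if key not in CVSS40_BASE_METRICS:
            # e.g. 'S' (Scope) is a CVSS 3.x metric and does not exist in 4.0
            raise ValueError(f"unknown CVSS 4.0 Base metric {key!r}")
        if val not in CVSS40_BASE_METRICS[key]:
            raise ValueError(f"invalid value {val!r} for metric {key}")
        if key in metrics:
            raise ValueError(f"duplicate metric {key}")
        metrics[key] = val
    missing = [k for k in CVSS40_BASE_METRICS if k not in metrics]
    if missing:
        raise ValueError(f"missing Base metrics: {missing}")
    return metrics

def is_valid_cvss40_base(vector: str) -> bool:
    """Boolean wrapper around parse_cvss40_base for quick checks in reports or pipelines."""
    try:
        parse_cvss40_base(vector)
        return True
    except ValueError:
        return False

def severity(score: float) -> tuple:
    """Map a CVSS score (0.0-10.0) to (severity, recommended response time) per the table above."""
    if not 0.0 <= score <= 10.0:
        raise ValueError("CVSS scores range from 0.0 to 10.0")
    if score >= 9.0:
        return ("Critical", "Immediate (< 24h)")
    if score >= 7.0:
        return ("High", "< 72 hours")
    if score >= 4.0:
        return ("Moderate", "< 30 days")
    if score > 0.0:
        return ("Low", "Next release")
    return ("None", "None")
```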

CVSS in Penetration Testing

In penetration testing, CVSS is the industry-wide standard for vulnerability assessment. AWARE7 uses CVSS 4.0 in all pentest reports:

  • Each vulnerability found receives a CVSS score with a complete vector string
  • Findings are prioritized by score—critical vulnerabilities first
  • The score clearly communicates the urgency to both technical and non-technical stakeholders
  • Reports enable the client to focus resources specifically on the most dangerous vulnerabilities

Important Limitation

The CVSS score evaluates the technical severity of a single vulnerability in isolation. It does not take into account the business criticality of the affected system, existing mitigations, or the actual exploitability within the specific corporate environment. For practical prioritization, CVSS should always be combined with the Environmental Score and Threat Intelligence.