A CVSS score is like an encrypted message that only you, as the Security Engineer, can decode. The key to decrypting it is understanding how the score was calculated: does the same CVSS score apply to you, or does your system have mitigations that reduce the original score?
A Very High CVSS score does not always mean the risk to your business is High. If the vulnerability lies on an isolated system that attackers cannot reach, the chance of exploitation is close to 0 (insider risk aside). Hence, to work out the score that is right for their own system, security engineers use EPSS alongside CVSS.
Every CVE you’ll ever read about comes with a number between 0.0 and 10.0. That number is the CVSS score, and it’s probably the single most-cited, most-misunderstood metric in security. Teams treat a 9.8 as an automatic fire drill and a 5.0 as something to ignore, but CVSS was never built to make that decision for you. It measures technical severity, not business risk. This post breaks down what CVSS actually measures, how the score gets calculated, and where it falls short, so you can use it the way it was actually designed to be used.
What CVSS Actually Measures
CVSS, the Common Vulnerability Scoring System, is maintained by FIRST.org and used everywhere: CVE records, vendor advisories, vulnerability scanners, SIEM dashboards, and board-level risk reports. It exists to give defenders a standardized, vendor-neutral way to talk about how severe a vulnerability is, independent of who found it or who’s reporting on it.
The number you usually see, the one attached to a CVE in a news headline, is the Base Score. It reflects the intrinsic characteristics of the vulnerability itself: how easy it is to exploit, what access it requires, and what it compromises. It deliberately does not account for whether a patch exists, whether the vulnerability is being actively exploited, or how critical the affected system is to your organization. Those considerations live in separate metric groups that most headlines never mention.
The Metrics Behind the Number
The CVSS Base Score is built from a handful of metrics that combine into the final number:
- Attack Vector: can this be exploited remotely over a network, or does it require local or physical access? Network-exploitable vulnerabilities score higher.
- Attack Complexity: does exploitation require special conditions, or will it work reliably every time an attacker tries?
- Privileges Required: does the attacker need to already have some level of access, or can they exploit it with none at all?
- User Interaction: does a victim have to click something or take an action, or can the attack happen with zero interaction?
- Impact metrics: what happens to confidentiality, integrity, and availability if the vulnerability is exploited successfully?
A vulnerability that’s remotely exploitable, requires no privileges, needs no user interaction, and fully compromises a system will land in the Critical range (9.0–10.0). Change any one of those conditions (say, it requires the attacker to already be authenticated) and the score drops significantly, even if the eventual impact is just as bad.
CVSS 3.1 vs. CVSS 4.0
If you’ve noticed two different CVSS scores attached to the same CVE recently, that’s not an error. CVSS 4.0, published by FIRST in November 2023, is now the current standard, but CVSS 3.1 is still in active use across the industry; NVD publishes both scores side by side for newly published CVEs, and most commercial vulnerability management platforms now support both.
The practical difference worth knowing: CVSS 4.0 base scores tend to run higher than the equivalent 3.1 score for the same vulnerability, because 4.0 replaced the old “Scope” metric (a common source of scoring disagreements) with clearer, separate impact metrics for the vulnerable system versus any system it can affect downstream. CVSS 4.0 also adds a Supplemental Metric Group for things like Safety and Automatable exploitation, useful context that older versions didn’t capture.
For now, expect to see both versions coexisting for the next several years. If you’re building internal SLAs or dashboards around CVSS thresholds, decide explicitly which version you’re standardizing on, and document it; don’t let your tooling silently mix the two.
Currently, we use CVSS version 3.1 in our organization as most of the scanning tools are using this version. The migration to version 4.0 will happen when the scanning tools start calculating CVSS as per the new version and our organization publishes the direction to use the new version.
Why a High CVSS Score Doesn’t Always Mean “Patch Today”
This is the part most teams get wrong. A 9.8 on an internal lab host with no inbound connectivity may genuinely be lower priority than a 7.5 on an internet-facing authentication system. CVSS Base Score tells you nothing about whether a vulnerability is actually being exploited in the wild, whether a patch is even available yet, or how critical the affected asset is to your business.
That’s exactly what the other CVSS metric groups, Temporal/Threat and Environmental, exist to capture, and exactly why most organizations should pair CVSS with two other signals before deciding what to patch first:
- CISA’s Known Exploited Vulnerabilities (KEV) catalog: tells you definitively whether a CVE is being actively exploited right now, not just theoretically exploitable
- EPSS (Exploit Prediction Scoring System): a separate, complementary score that estimates the probability a vulnerability will be exploited in the next 30 days, based on real-world data
A genuinely defensible prioritization approach looks at CVSS severity, EPSS likelihood, KEV status, and asset criticality together, not CVSS in isolation.
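The following added example (not from the original post) ranks constructed findings by combining the four signals named above; the weighting in `priority()` is an assumed illustration of the idea, not a published formula, and the CVE ids are placeholders.

```python
from dataclasses import dataclass

@dataclass
class Finding:
    cve: str
    cvss: float             # CVSS base score: technical severity, 0.0-10.0
    epss: float             # EPSS: probability of exploitation in the next 30 days
    in_kev: bool            # listed in CISA KEV, i.e. exploitation is confirmed
    internet_facing: bool   # reachable by external attackers at all?
    asset_criticality: int  # 1 (lab/test host) .. 5 (crown jewels), set by the asset owner

def priority(f: Finding) -> float:
    """Assumed weighting: higher means patch sooner. KEV overrides the EPSS forecast,
    and an unreachable host gets a heavy reachability discount."""
    likelihood = 1.0 if f.in_kev else f.epss
    reach = 1.0 if f.internet_facing else 0.2
    return f.cvss * likelihood * reach * f.asset_criticality

def rank(findings):
    """Return findings ordered from most to least urgent."""
    return sorted(findings, key=priority, reverse=True)

# Constructed sample data mirroring the lab-host vs. auth-system comparison above
FINDINGS = [
    Finding("CVE-0000-0001", 9.8, 0.02, False, False, 1),  # isolated lab host
    Finding("CVE-0000-0002", 7.5, 0.85, True, True, 5),    # internet-facing auth system
    Finding("CVE-0000-0003", 5.3, 0.40, False, True, 3),   # exposed but lower severity
]

if __name__ == "__main__":
    for f in rank(FINDINGS):
        print(f"{f.cve}: CVSS {f.cvss}, priority {priority(f):.2f}")
```

With these inputs the 7.5 on the exposed, KEV-listed authentication system ranks first and the 9.8 on the unreachable lab host ranks last, which is the ordering the paragraph above argues for.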
Frequently Asked Questions
Is a CVSS score the same as a CVE? No. A CVE is the identifier for a specific vulnerability (e.g., CVE-2026-26030). CVSS is the scoring system used to rate how severe that vulnerability is. Every CVE typically gets a CVSS score attached, but they’re two different things.
What CVSS score counts as “Critical”? 9.0–10.0 is Critical, 7.0–8.9 is High, 4.0–6.9 is Medium, 0.1–3.9 is Low, and 0.0 is None, under both the CVSS 3.1 and 4.0 rating scales.
Should I always patch Critical CVSS vulnerabilities first? Not automatically. Combine CVSS severity with exploit intelligence (KEV, EPSS) and how exposed and critical the affected asset actually is in your environment before deciding patch order.
Why do some CVEs show two different CVSS scores? Many CVEs now carry both a CVSS 3.1 and a CVSS 4.0 score, since the industry is still transitioning between versions. They can legitimately differ because 4.0 changed how certain impact metrics are calculated.
Who calculates CVSS scores? Typically the vendor or researcher who reports the vulnerability calculates an initial score, which NVD may then review and publish. The scoring system itself is maintained by FIRST.org.
Next Steps
This post is the first in a short series on cybersecurity fundamentals: next up is a breakdown of Log4Shell, one of the most consequential vulnerabilities in recent memory, followed by the SolarWinds hack, Zero Trust Architecture, and a capstone post connecting CVE disclosure to real-world exploitation. For live CVSS scores on current vulnerabilities, check the CVE Tracker.
Raghu the Security Expert has 20 years of experience in Security, DevSecOps, AI Security, and Penetration Testing. He has helped 80,000+ students upskill themselves in DevSecOps, Application Security, and AI Security. Follow his work on LinkedIn, YouTube, and Udemy.
