Common Vulnerability Scoring System (CVSS) — Full Guide

The Common Vulnerability Scoring System (CVSS), currently at version 4.0 (released 2023), is an open framework maintained by FIRST (Forum of Incident Response and Security Teams) for rating the severity of software security vulnerabilities. CVSS produces a numerical score from 0.0 to 10.0, mapped to qualitative ratings: None (0.0), Low (0.1–3.9), Medium (4.0–6.9), High (7.0–8.9), and Critical (9.0–10.0). The score is calculated from metric groups: Base metrics (intrinsic vulnerability characteristics, unchanged by context — attack vector, complexity, privileges required, user interaction, scope, and impact); Threat metrics (current exploit maturity); and Environmental metrics (product-specific deployment context and mitigations). The NVD publishes CVSS scores for all CVEs.

CVSS is the de facto severity communication standard for CRA compliance. The CRA requires manufacturers to address vulnerabilities and provide users with information about their severity. CVSS base scores, published in the NVD, provide the standardised language for severity communication that both manufacturers and users understand. CSAF security advisories include CVSS vector strings so that users and their vulnerability management tools can process severity programmatically. PSIRT teams use CVSS scores to prioritise remediation queues: Critical (9.0+) vulnerabilities typically trigger emergency patch procedures; High (7.0+) trigger expedited remediation. CVSS scores also inform the CRA's 'without undue delay' patching standard — higher severity implies shorter acceptable delay.

Manufacturers and users frequently rely only on the CVSS Base score from the NVD — a common and important error. The Base score reflects the vulnerability's intrinsic severity in isolation, without accounting for whether exploits exist (Threat metrics) or whether the product's specific environment mitigates the risk (Environmental metrics). A CVSS 9.8 Base score for a vulnerability exploitable only via adjacent network access, on a product deployed on an isolated industrial network with no internet exposure, may have a far lower Environmental score after accounting for deployment context. Manufacturers should calculate Environmental scores for vulnerabilities affecting their products and use these adjusted scores in their own security advisories and remediation prioritisation — not rely solely on the NVD Base score.

The most frequent error is treating CVSS Base scores as absolute and definitive severity ratings. CVSS Base scores are designed to be a starting point for context-aware assessment, not the final word on risk. A second error is using outdated CVSS versions: the industry has largely moved to CVSS v3.1 and CVSS v4.0, but many older advisories and tools still reference CVSS v2 scores, which use a different scale and methodology. Manufacturers publishing CVSS scores in their security advisories should specify the CVSS version and include the full vector string, not just the numerical score, so recipients can audit and recalculate Environmental scores for their own context. Failing to include the vector string is a common advisory quality issue flagged by PSIRT communities.