CVSS v4.0

CVSS v4.0 is the latest major release of the Common Vulnerability Scoring System, the industry-standard framework for communicating the characteristics and severity of software vulnerabilities. Published by FIRST in November 2023, CVSS v4.0 significantly revises the metric structure of its predecessor (v3.1), which had been in use since 2019. Key structural changes include: renaming and redefining several base metrics; introducing new 'supplemental' metrics for additional context (such as Safety and Automatable); separating 'threat' (exploitation status) into its own dedicated metric group; and restructuring the temporal metrics. The result is a more expressive and contextually accurate scoring system.

Several CVSS v4.0 changes are particularly relevant to manufacturers of CRA-covered products:

• Safety (S) supplemental metric: CVSS v4.0 introduces a Safety metric indicating whether exploitation of the vulnerability could have physical safety consequences. This is directly relevant for Important Class products used in safety-critical contexts (medical devices, industrial controllers, automotive systems).
• Automatable (AU) metric: Indicates whether the vulnerability can be exploited at scale without human interaction — a key factor for IoT products that may be targeted by automated botnets.
• Improved OT/ICS context: v4.0 provides clearer guidance for scoring vulnerabilities in operational technology and industrial control systems contexts.
• Threat metrics separate from base: The new structure cleanly separates 'what this vulnerability can do' (base) from 'whether it is being actively exploited' (threat) — cleaner than v3.1's temporal metrics.

CVSS v4.0 uses a new naming convention for combined scores to avoid confusion with v3.x:

• CVSS-B: Base score only — the theoretical maximum severity.
• CVSS-BT: Base + Threat metrics — accounts for exploitation status.
• CVSS-BE: Base + Environmental metrics — accounts for deployment context (compensating controls, impact on specific system).
• CVSS-BTE: Base + Threat + Environmental — the most complete, contextualised score.

For CRA vulnerability advisories, manufacturers should use at minimum CVSS-BT (including threat status) when publishing CSAF advisories, as this communicates exploitation status to users. When the manufacturer has information about typical deployment environments (e.g., the product is typically deployed behind a firewall), using CVSS-BE to provide an adjusted score helps users with their own risk assessments.

CVSS v4.0 and v3.1 will coexist for several years during the transition period. CSAF (Common Security Advisory Framework) supports both versions. NVD is progressively adding v4.0 scores to new CVE entries while maintaining v3.1 scores for backwards compatibility. For manufacturers:

• Existing advisories: No immediate need to re-score historical advisories in v4.0.
• New advisories: Consider publishing both v3.1 and v4.0 scores during the transition to support tools not yet updated for v4.0.
• PSIRT scoring guidelines: Update internal scoring guidelines to incorporate v4.0 supplemental metrics, particularly Safety and Automatable, for product categories where these are relevant.
• Training: PSIRT team members should complete FIRST's CVSS v4.0 training to understand the scoring differences, particularly for the restructured attack complexity and privilege requirements metrics.