Security teams are inundated with alerts—dozens or even hundreds a day. How can they know which ones to tackle first?
Risk prioritization is a dangerous juggling act. Without a standardized rating system to help teams assess each incoming vulnerability, organizations’ risk management would be slapdash, ad-hoc, and reliant on manual processes and inconsistent judgment calls.
That’s where the Common Vulnerability Scoring System (CVSS) comes in. CVSS is a standardized severity score ranging from 0 (least severe) to 10 (most severe), based on ease of exploitation and potential impact. CVSS provides a standardized, objective, and comprehensive measure of vulnerability severity that security professionals can rely on when they’re prioritizing risks.
Over the years, there have been several iterations of CVSS, but the last major update before 2023 was in 2015. In a number of ways, CVSS 3.1 has not been keeping up with today’s security needs, meaning an update was sorely needed.
CVSS 4.0 was finally released in November 2023, and this substantial overhaul promises to make the work of vulnerability management even simpler for security professionals. This post will explore what CVSS 4.0 is and why an expansion of CVSS 3.1 was necessary, along with some of the key benefits and challenges of working with CVSS 4.0.
What Is CVSS?
The Common Vulnerability Scoring System (CVSS) was introduced by the nonprofit Forum of Incident Response and Security Teams (FIRST) in 2005 to help simplify risk management decision-making.
Today, organizations worldwide rely heavily on CVSS to prioritize vulnerabilities, allocate resources, and make informed decisions. It is the standard value security professionals look to when assessing how critical a particular vulnerability might be.
CVSS assesses the severity of software vulnerabilities based on factors such as exploitability, impact, and scope, and assigns each vulnerability a score between 0 and 10. In addition to this numeric score, CVSS also provides a qualitative scale as follows:
Table: CVSS 4.0 qualitative severity ratings by score range (data source: first.org)
Having a standard CVSS system has provided security professionals with a number of benefits:
- A standardized scoring system for easy vulnerability communication and collaboration
- Granular scoring with decimal points for nuanced impact distinctions
- Qualitative severity ratings for simplified risk communication and assessment
- Widespread adoption, which provides a consistent vulnerability management foundation
All of these benefits have led to greater standardization across the industry, making CVSS the de facto standard since 2005.
But a lot has changed in the world of vulnerability management. While CVSS 3.1 introduced some improvements over CVSS 3.0 in 2019, there has been great demand for a new version, ultimately leading to the current evolution: CVSS 4.0.
The Evolution from CVSS 3.1 to CVSS 4.0
Prior to CVSS, vulnerability management faced significant challenges due to inconsistent criteria and scoring systems. CVSS succeeded in introducing a standardized scoring framework based on real-world exploitability and impact, improving consistency in threat response, promoting clear communication and collaboration, simplifying compliance, and letting organizations make more informed security decisions.
However, older versions of CVSS, most recently CVSS 3.1, also experienced some shortcomings, including an overemphasis on exploitability, which prioritizes theoretical risk over real-world impact. CVSS 3.1 also inadequately represents risk by neglecting factors such as asset value and attacker capabilities and disregarding broader organizational factors and chained exploits. Finally, its scoring process is complex and subjective, leading to inconsistencies and susceptibility to interpretation bias.
However, the biggest problem with the previous version of CVSS was that the base score was static, meaning that a low-scoring vulnerability would remain low-scoring even months later, after an exploit became publicly available (significantly increasing the actual risk).
This static scoring methodology struggled to address evolving attack vectors, cloud dependencies, and supply chain risks, leading to calls for a more dynamic and contextual CVSS 4.0 that could address today’s security realities.
And in November 2023, FIRST responded with the first major iteration of CVSS in eight years. The following table indicates the primary improvements implemented in CVSS 4.0:
CVSS 3.1 | CVSS 4.0
Base, Temporal, Environmental | Base, Temporal, Environmental, plus added Supplemental metric groups
Primarily software vulnerabilities | Includes potential for hardware and configuration weaknesses
| More granularity with additional metrics and sub-metrics
Static score based on base metrics | Dynamic scoring incorporating temporal and environmental factors
Can be complex and challenging for non-technical users | Simplified terminology and documentation
The following section will explore some of the key changes and features in CVSS 4.0 in greater detail.
Key Changes and Features in CVSS 4.0
Like CVSS 3.1 before it, CVSS 4.0 is an open framework to express the severity of vulnerabilities using a compound string known as a vector. The vector encodes the different metrics—e.g., Attack Vector (AV), Attack Complexity (AC)—used to assess a vulnerability’s severity as a string of abbreviations like “AV:N/AC:L.” (In this example, AV is N, meaning a network vector; AC is L, meaning it is a low-complexity attack.)
CVSS 4.0 brings with it three primary improvements that were much needed after years of getting by with CVSS 3.1. First, it provides additional environmental factors, including specific configuration settings, providing greater insight into potential risks. Second, it creates a new framework for supplemental metrics beyond software vulnerabilities to reflect factors like individual environments, configuration weaknesses, and more. And finally, CVSS 4.0 enables interpretation within specific contexts, potentially highlighting configuration-related threats that could easily be overlooked in CVSS 3.1.
Like CVSS 3.1, the CVSS 4.0 score is calculated based on an array of standardized metrics in four categories: Base, Threat, Environmental, and—new to CVSS 4.0—Supplemental.
Base metrics and sub-metrics reflect the ease of exploit of the vulnerability (its exploitability), along with its impact, meaning the consequences for vulnerable and downstream systems.
For example, Base metrics will raise the CVSS score for an unpatched web server storing sensitive data with known security holes, since exploitability is high (remote exploit probability) and the impact is also high (sensitive data is exposed).
The Threat metric group was known as “Temporal metrics” in CVSS 3.1 and has been pared down to a single sub-metric in CVSS 4.0. This metric reflects whether an exploit exists and how accessible exploit code for the vulnerability is. These factors raise or lower the score without regard to user environments and configurations.
For example, the Threat metric will lower the CVSS score if the vulnerability has not been exploited, or if there is no public exploit code.
Environmental metrics reflect the vulnerability’s characteristics within the specific organization’s environment, including the security controls in place and the asset’s importance to the business.
For example, Environmental metrics will raise the CVSS score if high-value data is present on a vulnerable system with no mitigating controls.
The Supplemental metric group is new in CVSS 4.0. Supplemental metrics add context and detail to vulnerabilities, allowing for user-defined prioritization. They do not affect the final CVSS score, but they can help organizations plan and prioritize security configuration and response.
For example, a vulnerability with a Base Score of 7.5 (high severity) and the Supplemental metric “Automatable” set to Yes (Y) can be exploited in an automated way. The organization should prioritize that vulnerability, since it can be exploited very quickly and easily.
The following table lists the metrics and sub-metrics in CVSS 3.1 and CVSS 4.0. Metrics which have been phased out in CVSS 4.0 have been noted with strikethrough text, while those that are new to CVSS 4.0 are indicated with bold text.
Metric group | From CVSS 3.1 (metrics phased out in 4.0 noted with strikethrough) | … to CVSS 4.0 (metrics new since 3.1 in bold)
Base (impact sub-metrics) | | Vulnerable system confidentiality; Vulnerable system integrity; Vulnerable system availability; Subsequent system confidentiality; Subsequent system integrity; Subsequent system availability
Temporal (renamed Threat in 4.0) | Exploit Code Maturity |
Environmental | Modified base metrics | 11 new environmental sub-metrics
Supplemental (new to 4.0) | | Vulnerability Response Effort
As this table makes clear, the greatest difference in CVSS 4.0 is the addition of many new environmental sub-metrics, allowing security teams to drill down into the logistics of a potential exploit and giving them valuable information for planning prevention, mitigation, and recovery efforts.
Grasping the full scope of vulnerability risk demands delving deeper than isolated metrics. Every factor, from attacker intent to potential impact, builds a comprehensive understanding. Unlike static scores, CVSS 4.0 can adapt to evolving landscapes, weaving in newly discovered exploits, patched dependencies, and shifting circumstances.
Thanks to the increased granularity and context of CVSS 4.0, the potential for misinterpretation is greatly reduced. In addition, vulnerability scores may be more accurate in CVSS 4.0.
The CVE-2023-3089 vulnerability is a compliance issue with the Red Hat OpenShift Container Platform: Not all cryptographic modules are FIPS-validated when FIPS mode is enabled. Here’s how its CVSS scoring would look under both CVSS 3.1 and CVSS 4.0:
Note that in CVSS 4.0, anyone familiar with the vector system can decipher the vector to obtain a description of the vulnerability, as shown in the “Description” column. In addition, in CVSS 4.0 the vulnerability’s score is lowered slightly when the Environmental metrics are taken into consideration alongside the Base metrics.
Description under CVSS 3.1 | An attacker could exploit this vulnerability to gain unauthorized access to a system.
Description under CVSS 4.0 | An attacker with network access to the system (AV:N) could exploit this vulnerability to breach system confidentiality (VC:H) without any user interaction required (UI:N, a more granular value than in CVSS 3.1).
Here are a few examples of where CVSS 4.0 can shine thanks to the greater context that these new environment sub-metrics provide:
- Lowering risk priority: A vulnerability with a high CVSS score might not be considered critical in a specific environment due to the presence of strong mitigating controls.
- Raising risk priority: A vulnerability with a lower CVSS score might be prioritized for patching in a specific environment due to the high value of exposed assets.
- Tracking risk priority: A vulnerability with a changing exploitability score might be monitored more closely to assess the evolving risk it poses within a specific environment.
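To make the vector format and the metric groups concrete, here is an added Python example; it is not Faddom’s code and not FIRST’s reference calculator. It parses and validates a CVSS 4.0 vector of the “AV:N/AC:L” form introduced earlier, sorts each metric into the Base, Threat, Environmental or Supplemental group, applies the Environmental “Modified” metrics over the Base metrics, renders a plain-language reading of the kind shown in the Description column above, and emits triage flags for the three situations just listed: a mitigating control in the environment (here MAV:L overriding AV:N), a high-value asset (CR:H) and a change in Exploit Maturity (E). Metric names and allowed values are those of the CVSS 4.0 specification; the sample vectors are constructed for illustration and are not the published vectors for CVE-2023-3089, and the triage policy in triage_flags is an assumed example policy, not part of CVSS. The numeric score is deliberately not computed, because that requires FIRST’s MacroVector lookup tables.

```python
"""Parse, validate and interpret CVSS 4.0 vector strings (added example, not Faddom's code)."""
PREFIX = "CVSS:4.0"
# Allowed values per metric, from the CVSS 4.0 specification; "X" means Not Defined.
BASE = {  # all eleven Base metrics are mandatory in a CVSS 4.0 vector
    "AV": tuple("NALP"), "AC": tuple("LH"), "AT": tuple("NP"), "PR": tuple("NLH"),
    "UI": tuple("NPA"), "VC": tuple("HLN"), "VI": tuple("HLN"), "VA": tuple("HLN"),
    "SC": tuple("HLN"), "SI": tuple("HLN"), "SA": tuple("HLN"),
}
THREAT = {"E": tuple("XAPU")}  # Exploit Maturity: Attacked, Proof-of-concept, Unreported
ENVIRONMENTAL = {  # security requirements plus "Modified" copies of the Base metrics
    "CR": tuple("XHML"), "IR": tuple("XHML"), "AR": tuple("XHML"),
    "MAV": tuple("XNALP"), "MAC": tuple("XLH"), "MAT": tuple("XNP"), "MPR": tuple("XNLH"),
    "MUI": tuple("XNPA"), "MVC": tuple("XHLN"), "MVI": tuple("XHLN"), "MVA": tuple("XHLN"),
    "MSC": tuple("XHLN"), "MSI": tuple("XSHLN"), "MSA": tuple("XSHLN"),  # S = Safety
}
SUPPLEMENTAL = {  # never change the score; meant for user-defined prioritisation
    "S": tuple("XNP"), "AU": tuple("XNY"), "R": tuple("XAUI"), "V": tuple("XDC"),
    "RE": tuple("XLMH"), "U": ("X", "Clear", "Green", "Amber", "Red"),
}
GROUPS = {"base": BASE, "threat": THREAT, "environmental": ENVIRONMENTAL,
          "supplemental": SUPPLEMENTAL}
AV_TEXT = {"N": "network access", "A": "adjacent-network access", "L": "local access",
           "P": "physical access"}
UI_TEXT = {"N": "without any user interaction", "P": "with passive user interaction",
           "A": "with active user interaction"}
IMPACT_TEXT = {"H": "high", "L": "low", "N": "no", "S": "safety-relevant"}


def parse_vector(text: str) -> dict:
    """Return {"base": {...}, "threat": {...}, ...}; reject unknown, duplicate or invalid metrics."""
    parts = text.split("/")
    if parts[0] != PREFIX:
        raise ValueError(f"expected {PREFIX} prefix, got {parts[0]!r}")
    vector = {group: {} for group in GROUPS}
    for part in parts[1:]:
        name, sep, value = part.partition(":")
        group = next((g for g, table in GROUPS.items() if name in table), None)
        if not sep or group is None:
            raise ValueError(f"unknown or malformed metric {part!r}")
        if name in vector[group]:
            raise ValueError(f"duplicate metric {name}")
        if value not in GROUPS[group][name]:
            raise ValueError(f"invalid value {value!r} for {name}")
        vector[group][name] = value
    missing = [m for m in BASE if m not in vector["base"]]
    if missing:
        raise ValueError(f"missing required Base metrics: {missing}")
    return vector


def is_valid_vector(text: str) -> bool:
    try:
        parse_vector(text)
        return True
    except ValueError:
        return False


def effective_base(vector: dict) -> dict:
    """Base metrics after Environmental 'Modified' metrics (any value other than X) override them."""
    eff = dict(vector["base"])
    for name, value in vector["environmental"].items():
        if name.startswith("M") and value != "X":
            eff[name[1:]] = value
    return eff


def describe(vector: dict) -> str:
    """Plain-language reading of the effective Base metrics, like the Description column above."""
    m = effective_base(vector)
    return (f"An attacker with {AV_TEXT[m['AV']]} (AV:{m['AV']}) could exploit this vulnerability "
            f"{UI_TEXT[m['UI']]} (UI:{m['UI']}), with {IMPACT_TEXT[m['VC']]} confidentiality "
            f"(VC:{m['VC']}), {IMPACT_TEXT[m['VI']]} integrity (VI:{m['VI']}) and "
            f"{IMPACT_TEXT[m['VA']]} availability (VA:{m['VA']}) impact on the vulnerable system, "
            f"and {IMPACT_TEXT[m['SC']]}/{IMPACT_TEXT[m['SI']]}/{IMPACT_TEXT[m['SA']]} "
            f"C/I/A impact on subsequent systems.")


def triage_flags(vector: dict) -> list:
    """Context that moves a finding up or down the queue (assumed triage policy, not part of CVSS)."""
    flags, e = [], vector["threat"].get("E", "X")
    if e == "A":
        flags.append("E:A exploitation observed in the wild: raise priority")
    elif e == "U":
        flags.append("E:U no known exploit: Threat metric lowers the score; re-check when E changes")
    if vector["supplemental"].get("AU") == "Y":
        flags.append("AU:Y exploitation is automatable: raise priority")
    if vector["environmental"].get("CR") == "H":
        flags.append("CR:H high-value confidential data on this asset: raise priority")
    for name, value in vector["environmental"].items():
        if name.startswith("M") and value != "X":
            flags.append(f"{name}:{value} overrides {name[1:]}:{vector['base'][name[1:]]} in this environment")
    return flags


# Constructed sample vectors (illustrative only; not the published vector of any CVE).
SAMPLE_BASE = "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"
# The same flaw re-assessed with context: exploited in the wild (E:A), high-value data (CR:H),
# automatable (AU:Y), but reachable only locally in this environment (MAV:L overrides AV:N).
SAMPLE_CONTEXT = SAMPLE_BASE + "/E:A/CR:H/MAV:L/AU:Y"

if __name__ == "__main__":
    for text in (SAMPLE_BASE, SAMPLE_CONTEXT):
        print(text, describe(parse_vector(text)), *triage_flags(parse_vector(text)), sep="\n  ")
```

Running the file prints the description and triage flags for both sample vectors: the same flaw reads as network-reachable on the Base vector alone and as locally reachable once MAV:L is applied, which is the environment-specific re-reading the bullets above describe. Supplemental metrics such as AU:Y are parsed and surfaced as flags but never touch the Base metrics, matching their role in CVSS 4.0.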
Challenges and Considerations with CVSS 4.0
While most vulnerability management tools will be moving over to supporting CVSS 4.0 in the coming months and years, there are additional benefits to an organization directly using CVSS 4.0 to anchor its security policies. Rather than simply relying on a flat score, CVSS 4.0 is better able to guide IT and security leaders towards fully informed decision making.
With CVSS 3, a vulnerability with a high CVSS score of 9.0 (Critical) would probably have been immediately flagged for urgent remediation regardless of context. For instance, it might have received this score due to its potentially significant impact on the business and the fact that it could allow low-privileged users to gain complete control.
In CVSS 4.0, the Scope metrics have been replaced with 6 new metrics, making this value much more nuanced, and this increased context indicates that an attack would have limited impact on the vulnerable system. This same vulnerability would now have a CVSS score of only 7.5 (High) and could possibly be de-risked with targeted mitigation steps rather than rolling out a patch.
However, this new framework is more complex and nuanced, so security pros will need training to fully understand and work with CVSS 4.0.
It’s important to remember that even CVSS 4.0 offers only part of the picture when it comes to vulnerabilities in the environment. Most organizations will want a strategy that’s more nuanced and goes beyond simply basing decisions on the CVSS score.
In addition, some CVSS 4.0 metrics are still under development, meaning this is a dynamic field, and metrics will continue to evolve and improve over time. Security teams need to remain attuned to ongoing updates as these are released.
Get Ready for CVSS 4.0 Today
In addition to having the world’s fastest and most secure and affordable application dependency mapping platform, Faddom has also released a new cybersecurity module that comes with cutting-edge vulnerability detection, severity scoring, actionable insights – and a lot more. All without using any agents!
The module detects common vulnerabilities in installed software on Linux-based servers. This is achieved by using a CVSS scoring mechanism, allowing you to take a proactive approach to securing your environment.
To start a free trial today, just fill out the form in the sidebar!