Achieve DORA Compliance by Tomorrow! Learn from our expert-led webinar on mastering DORA requirements! 🎥
Search
Close this search box.

CVSS 4.0 is Coming: Is Your Organization Ready?

Read Time: 7 minutes

Security teams are inundated with alerts—dozens or even hundreds a day. How can they know which ones to tackle first? 

Risk prioritization is a dangerous juggling act. Without a standardized rating system to help teams assess each incoming vulnerability, organizations’ risk management would be slapdash, ad-hoc, and reliant on manual processes and inconsistent judgment calls.

That’s where the Common Vulnerability Scoring System (CVSS) comes in. CVSS is a standardized severity score ranging from 0 (least severe) to 10 (most severe), based on ease of exploitation and potential impact. CVSS provides a standardized, objective, and comprehensive measure of vulnerability severity that security professionals can rely on when they’re prioritizing risks.

Over the years, there have been several iterations of CVSS, but the last major update before 2023 was in 2015. In a number of ways, CVSS 3.1 has not been keeping up with today’s security needs, meaning an update was sorely needed.

CVSS 4.0 was finally released in November 2023, and this substantial overhaul promises to make the work of vulnerability management even simpler for security professionals. This post will explore what CVSS 4.0 is and why an expansion of CVSS 3.1 was necessary, along with some of the key benefits and challenges of working with CVSS 4.0.

What Is CVSS?

The Common Vulnerability Scoring System (CVSS) was introduced by the nonprofit Forum of Incident Response and Security Teams (FIRST) in 2005 to help simplify risk management decision-making.

Today, organizations worldwide rely heavily on CVSS to prioritize vulnerabilities, allocate resources, and make informed decisions. It is the standard value security professionals look to when assessing how critical a particular vulnerability might be.

CVSS assesses the severity of software vulnerabilities based on factors such as exploitability, impact, and scope, and assigns each vulnerability a score between 0 and 10. In addition to this numeric score, CVSS also provides a qualitative scale as follows:

Criticality RatingCVSS 4.0 Score
None0.0
Low0.1–3.9
Medium4.0–6.9
High7.0–8.9
Critical9.0–10.0

(Data source: first.org)

Having a standard CVSS system has provided security professionals with a number of benefits:

  • A standardized scoring system for easy vulnerability communication and collaboration
  • Granular scoring with decimal points for nuanced impact distinctions
  • Qualitative severity ratings for simplified risk communication and assessment
  • Widespread adoption, which provides a consistent vulnerability management foundation

All of these benefits have led to greater standardization across the industry, making CVSS the de facto standard since 2005.

But a lot has changed in the world of vulnerability management. While CVSS 3.1 introduced some improvements over CVSS 3.0 in 2019, there has been great demand for a new version, ultimately leading to the current evolution: CVSS 4.0.

The Evolution from CVSS 3.1 to CVSS 4.0

Prior to CVSS, vulnerability management faced significant challenges due to inconsistent criteria and scoring systems. CVSS succeeded in introducing a standardized scoring framework based on real-world exploitability and impact, improving consistency in threat response, promoting clear communication and collaboration, simplifying compliance, and letting organizations make more informed security decisions.

However, older versions of CVSS, most recently CVSS 3.1, also experienced some shortcomings, including an overemphasis on exploitability, which prioritizes theoretical risk over real-world impact. CVSS 3.1 also inadequately represents risk by neglecting factors such as asset value and attacker capabilities and disregarding broader organizational factors and chained exploits. Finally, its scoring process is complex and subjective, leading to inconsistencies and susceptibility to interpretation bias.

However, the biggest problem with the previous version of CVSS was that the base score was static, meaning that a low-scoring vulnerability would remain low-scoring even months later, after an exploit became publicly available (significantly increasing the actual risk).

This static scoring methodology struggled to address evolving attack vectors, cloud dependencies, and supply chain risks, leading to calls for a more dynamic and contextual CVSS 4.0 that could address today’s security realities.

And in November 2023, FIRST responded with the first major iteration of CVSS in eight years. The following table indicates the primary improvements implemented in CVSS 4.0:

FeatureCVSS 3.1CVSS 4.0
Metric GroupsBase, Temporal, EnvironmentalBase, Temporal, Environmental, plus added Supplemental metric groups
ScopePrimarily software vulnerabilitiesIncludes potential for hardware and configuration weaknesses
GranularityLimited granularityMore granularity with additional metrics and sub-metrics
ScoringStatic score based on base metricsDynamic scoring incorporating temporal and environmental factors
UsabilityCan be complex and challenging for non-technical usersSimplified terminology and documentation

The following section will explore some of the key changes and features in CVSS 4.0 in greater detail.

Key Changes and Features in CVSS 4.0

Like CVSS 3.1 before it, CVSS 4.0 is an open framework to express the severity of vulnerabilities using a compound string known as a vector. The vector encodes the different metrics—e.g., Attack Vector (AV), Attack Complexity (AC)—used to assess a vulnerability’s severity as a string of abbreviations like “AV:N/AC:L.” (In this example, AV is N, meaning a network vector; AC is L, meaning it is a low-complexity attack.)

CVSS 4.0 brings with it three primary improvements that were much needed after years of getting by with CVSS 3.1. First, it provides additional environmental factors, including specific configuration settings, providing greater insight into potential risks. Second, it creates a new framework for supplemental metrics beyond software vulnerabilities to reflect factors like individual environments, configuration weaknesses, and more. And finally, CVSS 4.0 enables interpretation within specific contexts, potentially highlighting configuration-related threats that could easily be overlooked in CVSS 3.1.

Like CVSS 3.1, the CVSS 4.0 score is calculated based on an array of standardized metrics in four categories: Base, Threat, Environmental, and—new to CVSS 4.0—Supplemental.

Base Metrics

Base metrics and sub-metrics reflect the ease of exploit of the vulnerability (its exploitability), along with its impact, meaning the consequences for vulnerable and downstream systems. 

For example, Base metrics will raise the CVSS score for an unpatched web server storing sensitive data with known security holes, since exploitability is high (remote exploit probability) and the impact is also high (sensitive data is exposed).

Threat Metric

This category was known as “Temporal metrics” in CVSS 3.1 and has been pared down to a single sub-metric in CVSS 4.0. This metric reflects whether or not an exploit exists and how accessible code is related to a vulnerability. These factors will raise or lower the score without regard to user environments and configurations. 

For example, the Threat metric will lower the CVSS score if the vulnerability has not been exploited, or if there is no public exploit code. 

Environmental Metrics

These metrics reflect unique vulnerability characteristics within the specific organization’s environment, including security controls and asset importance to the business. 

For example, Environmental metrics will raise the CVSS score if high-value data is present on a vulnerable system with no mitigating controls.

Supplemental Metrics

This metric group is new for CVSS 4.0. Supplemental metrics add context and detail to vulnerabilities, allowing for user-defined prioritization. They do not affect the final CVSS score but can aid organizations in planning and prioritizing security configuration and response.

For example, a vulnerability with a Base Score of 7.5 (high severity) with the Supplemental metric “Automatable” as Yes (Y) means that vulnerability can be exploited automatically. The organization should prioritize that vulnerability since it can be exploited very quickly and easily.

The following table lists the metrics and sub-metrics in CVSS 3.1 and CVSS 4.0. Metrics which have been phased out in CVSS 4.0 have been noted with strikethrough text, while those that are new to CVSS 4.0 are indicated with bold text.

Metric CategoryFrom CVSS 3.1…
(phased out metrics in 4.0 noted with strikethrough)
… to CVSS 4.0
(new metrics since 3.1 in bold)
BaseExploitability

Attack Vector
Attack Complexity
Privileges Required
User Interaction

Impact

Confidentiality impact
Integrity impact
Availability impact

Other

Scope
Exploitability

Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction

Impact

Vulnerable system confidentiality
Vulnerable system integrity
Vulnerable system availability
Subsequent system confidentiality
Subsequent system integrity
Subsequent system availability
Temporal (renamed Threat in 4.0)Exploit Code Maturity
Remediation Level
Report Confidence
Exploit Maturity
EnvironmentalModified base metrics
Confidentiality requirement
Integrity requirement
Availability requirement
11 new environmental sub-metrics
Confidentiality requirement
Integrity requirement
Availability requirement
Supplemental(new to 4.0)Automatable
Recovery
Safety
Value Density
Vulnerability Response Effort
Provider Urgency

As this table makes clear, the greatest difference in CVSS 4.0 is the addition of many new environmental sub-metrics, allowing security users to drill down into the logistics of a potential exploit, giving them valuable information to plan prevention, mitigation, and recovery efforts.

Grasping the full scope of vulnerability risk demands delving deeper than isolated metrics. Every factor, from attacker intent to potential impact, builds a comprehensive understanding. Unlike static scores, CVSS 4.0 can adapt to evolving landscapes, weaving in newly discovered exploits, patched dependencies, and shifting circumstances. 

Thanks to the increased granularity and context of CVSS 4.0, the potential for misinterpretation is greatly reduced. In addition, vulnerability scores may be more accurate in CVSS 4.0.

Example

The CVE-2023-3089 vulnerability is a compliance issue with the Red Hat OpenShift Container Platform: Not all cryptographic modules are FIPS-validated when FIPS mode is enabled. Here’s how its CVSS scoring would look under both CVSS 3.1 and CVSS 4.0: 

Note that in CVSS 4.0, anyone familiar with the vector system will be able to decipher it to obtain a description of the vulnerability as shown in the “Description” column. In addition, in CVSS 4.0, the vulnerability’s score is lowered slightly when Environment variables are taken into consideration alongside the Base variables.

CVSS VersionScoreVectorDescription
CVSS 3.17.5AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NAn attacker could exploit this vulnerability to gain unauthorized access to a system.
CVSS 4.08.3(B+E8.1)AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:NAn attacker with network access to the system (AV:N) could exploit this vulnerability to breach system confidentiality (VC:H) without any user interaction required (UI:N, a more granular value than in CVSS 3.1). 

Here are a few examples of where CVSS 4.0 can shine thanks to the greater context that these new environment sub-metrics provide:

  • Lowering risk priority: A vulnerability with a high CVSS score might not be considered critical in a specific environment due to the presence of strong mitigating controls.
  • Raising risk priority: A vulnerability with a lower CVSS score might be prioritized for patching in a specific environment due to the high value of exposed assets.
  • Tracking risk priority: A vulnerability with a changing exploitability score might be monitored more closely to assess the evolving risk it poses within a specific environment.

Challenges and Considerations with CVSS 4.0

While most vulnerability management tools will be moving over to supporting CVSS 4.0 in the coming months and years, there are additional benefits to an organization directly using CVSS 4.0 to anchor its security policies. Rather than simply relying on a flat score, CVSS 4.0 is better able to guide IT and security leaders towards fully informed decision making.

Example

With CVSS 3, a vulnerability with a high CVSS score of 9.0 (Critical) would probably have been immediately flagged for urgent remediation regardless of context. For instance, it might have received this score due to its potentially significant impact on the business and the fact that it could allow low-privileged users to gain complete control.

In CVSS 4.0, the Scope metrics have been replaced with 6 new metrics, making this value much more nuanced, and this increased context indicates that an attack would have limited impact on the vulnerable system. This same vulnerability would now have a CVSS score of only 7.5 (High) and could possibly be de-risked with targeted mitigation steps rather than rolling out a patch.

However, this new framework is more complex and nuanced, so security pros will need training to fully understand and work with CVSS 4.0. 

It’s important to remember that even CVSS 4.0 offers only part of the picture when it comes to vulnerabilities in the environment. Most organizations will want a strategy that’s more nuanced and goes beyond simply basing decisions on the CVSS score.

In addition, metrics for CVSS 4.0 are still under development for 4.0, meaning this is a dynamic field, and metrics will continue to evolve and improve over time. Security teams need to remain attuned to ongoing updates as these are released.

Get Ready for CVSS 4.0 Today

In addition to having the world’s fastest and most secure and affordable application dependency mapping platform, Faddom has also released a new cybersecurity module that comes with cutting-edge vulnerability detection, severity scoring, actionable insights – and a lot more. All without using any agents!

The module detects common vulnerabilities in installed software on Linux-based servers. This is achieved by using a CVSS scoring mechanism, allowing you to take a proactive approach to securing your environment.

To start a free trial today, just fill out the form in the sidebar!

Map All Your Servers, Applications, and Dependencies in 60 Minutes

Document your IT infrastructure both on premises and in the cloud.
No agents. No open firewalls. Can work offline.
FREE for 14 days. No credit card needed.

Share this article

Map Your Infrastructure Now

Simulate and plan ahead. Leave firewalls alone. See a current blueprint of your topology.

Try Faddom Now!

Map all your on-prem servers and cloud instances, applications, and dependencies
in under 60 minutes.

Get a 14-day FREE trial license.
No credit card required.

Try Faddom Now!

Map all your servers, applications, and dependencies both on premises and in the cloud in as little as one hour.

Get a FREE, immediate 14-day trial license
without talking to a salesperson.
No credit card required.
Support is always just a Faddom away.