The Common Vulnerability Scoring System (CVSS) is a standardized framework used across the cybersecurity industry to assess and communicate the severity of software vulnerabilities. Maintained by the Forum of Incident Response and Security Teams (FIRST), CVSS provides a numerical score ranging from 0.0 to 10.0, helping organizations prioritize remediation efforts based on the potential impact and exploitability of each vulnerability. This widely adopted scoring model enables consistency across vulnerability disclosures, patch advisories, and security tools.
What is CVSS?
CVSS offers a structured and vendor-neutral approach to scoring vulnerabilities using a defined set of metrics that evaluate technical severity, exploitability, and potential impact. A CVSS score helps security teams, IT professionals, and decision-makers triage vulnerabilities by indicating their severity at a glance. The score is commonly included in vulnerability databases such as the National Vulnerability Database (NVD), which uses CVSS to describe the severity of Common Vulnerabilities and Exposures (CVEs).
The most recent version, CVSS v4.0, improves on earlier iterations by expanding the scoring formula to better account for modern computing environments, including cloud, mobile, and IoT systems. It introduces enhanced metric granularity and optional supplemental metrics for stakeholders who require greater context in risk evaluation.
Why CVSS matters
CVSS serves as a universal language for vulnerability severity. In complex IT environments, especially those operating in the cloud, security teams face the daunting task of addressing thousands of vulnerabilities. CVSS helps filter through this noise by allowing organizations to focus first on the most severe and exploitable issues.
A CVSS score of 9.8 or 10.0, for instance, instantly signals a critical vulnerability that could allow remote code execution with minimal user interaction. This enables rapid prioritization and patching. At the same time, lower-scoring vulnerabilities can be addressed with routine maintenance cycles or deprioritized based on operational context.
Beyond internal operations, CVSS scores are also used by software vendors, cloud service providers, and regulatory agencies. Many compliance standards—including PCI DSS, HIPAA, and NIST guidelines—reference CVSS to define thresholds for acceptable risk and required remediation timelines.
How it works
CVSS consists of three core metric groups: Base, Temporal, and Environmental. Each metric group contributes to the overall score and helps contextualize vulnerability risk from different perspectives.
- Base metrics evaluate the inherent characteristics of a vulnerability that remain constant over time and across user environments. These include:
- Attack vector (e.g., network, adjacent, local)
- Attack complexity
- Privileges required
- User interaction
- Scope (whether exploitation affects other components)
- Impact on confidentiality, integrity, and availability
- Temporal metrics reflect factors that can change over time, such as:
- Exploit code maturity
- Remediation level
- Confidence in the report
- Environmental metrics allow organizations to adjust scores based on the importance of the affected system and the presence of mitigating controls within their own infrastructure.
Each component feeds into a formula that produces a final CVSS score, which is then mapped to a qualitative severity rating:
- 0.0: None
- 0.1–3.9: Low
- 4.0–6.9: Medium
- 7.0–8.9: High
- 9.0–10.0: Critical
Limitations and challenges
Despite its usefulness, CVSS is not without limitations. It evaluates vulnerability severity in a vacuum, focusing on technical characteristics without factoring in real-world exploitability or business impact. For instance, a vulnerability affecting a non-critical, isolated system may still receive a high CVSS score even though the actual risk to the organization is minimal.
This disconnect often leads to inefficient resource allocation and alert fatigue. Security teams may spend time remediating high-scoring vulnerabilities with little real-world impact while overlooking lower-scoring ones that are actively exploited in the wild. In fact, CISA’s Known Exploited Vulnerabilities (KEV) catalog includes many vulnerabilities with medium CVSS scores that pose high operational risk due to active threat actor targeting.
Other challenges include:
- Subjectivity: Slight differences in metric interpretation can result in inconsistent scoring between vendors.
- Inflation: CVSS scores may be overstated in vendor disclosures to drive urgency.
- Lack of threat context: CVSS does not consider exploit trends, actor behavior, or likelihood of targeting.
Best practices for using CVSS effectively
Organizations should integrate CVSS into a broader, risk-based vulnerability management strategy. This involves:
- Combining CVSS with threat intelligence: Augment CVSS scores with data about known exploits, malware campaigns, and adversary targeting.
- Contextual prioritization: Weigh CVSS against asset criticality, exposure to the internet, and internal dependencies.
- Dynamic reevaluation: Continuously reassess vulnerability scores as threat landscapes evolve and environments change.
- Custom environmental scoring: Adjust CVSS Environmental metrics to reflect actual business impact in your environment.
- Automation: Use tools that correlate CVSS with environmental and threat data to automatically prioritize remediation workflows.
By using CVSS as one input rather than a sole determinant, security teams can better align their efforts with actual business risk.
How Orca Security helps
The Orca Cloud Security Platform detects, prioritizes, and remediates vulnerabilities across the multi-cloud environments of AWS, Azure, Google Cloud, Alibaba Cloud, and Oracle Cloud. The platform dynamically utilizes more than 20 vulnerability data sources, including CVSS, to help prioritize risks effectively. Instead of presenting static severity scores, Orca analyzes each vulnerability in relation to real-world exploitability, cloud context, and business-critical assets.
Orca’s platform automatically:
- Detects and prioritizes vulnerable packages that attackers can actually exploit in runtime, both through Agentless and Dynamic Reachability Analysis.
- Surfaces attack paths involving vulnerabilities that endanger high-value assets, with targeted remediation to break the chains.
- Prioritizes remediation based on a comprehensive and dynamic set of asset- and risk-based factors, including CVSS scores, EPSS scores, and much more.
- Visualizes the potential blast radius of exploited vulnerabilities in multi-cloud environments.
This approach empowers security teams to cut through the noise and focus on fixing the vulnerabilities that matter most. Orca also supports CVSS v3.x and v4.0 scoring and includes automated alerts and remediation recommendations based on organizational risk tolerance.
