What is a CVSS Score?
A CVSS score (Common Vulnerability Scoring System) is a standardized numerical rating, maintained by FIRST, that measures the severity of a security vulnerability on a scale from 0.0 to 10.0. It gives security teams a consistent, repeatable method to assess how severe a vulnerability is and how urgently it needs to be remediated. A score of 0.0 means no impact, while 10.0 represents the most severe vulnerability possible: remotely exploitable with no prerequisites and a complete loss of confidentiality, integrity and availability. CVSS helps organizations prioritize which vulnerabilities to fix first based on their exploitability and potential impact.
Why CVSS Scores Matter
Without a standardized scoring system, organizations would struggle to compare vulnerabilities across different applications, technologies, and vendors. CVSS solves this problem by providing a common language for vulnerability severity.
Here's why CVSS is essential:
- Prioritization: Security teams can focus remediation efforts on the highest-risk vulnerabilities first
- Communication: CVSS scores enable non-technical stakeholders to understand vulnerability severity without deep technical knowledge
- Compliance: PCI DSS uses CVSS directly (an external ASV scan fails on any finding scored 4.0 or higher); frameworks such as HIPAA and SOC 2 require a documented, risk-based vulnerability management process, for which CVSS is the usual severity input
- Resource Allocation: Teams can justify budget and resources for fixing vulnerabilities based on objective scoring
- Consistency: Organizations can compare vulnerabilities across different applications and systems using the same metric
CVSS Score Ranges and Severity Ratings
CVSS scores are grouped into severity ratings that make it easy to understand the risk level at a glance:
| Score Range | Severity Rating |
|---|---|
| 0.0 | None |
| 0.1-3.9 | Low |
| 4.0-6.9 | Medium |
| 7.0-8.9 | High |
| 9.0-10.0 | Critical |
A vulnerability scored 3.2 is considered "Low" severity and might not require immediate action. In contrast, a vulnerability scored 9.8 is "Critical" and should be remediated as soon as possible.
How CVSS Scores Are Calculated
CVSS v3.1 (the most widely deployed version) builds a score from three metric groups. The scores published in NVD entries and most vendor advisories are base scores only; the other two groups are applied by the consumer of the score:
Base Score Metrics
Base metrics capture the intrinsic characteristics of a vulnerability that do not change over time or across environments:
- Attack Vector (AV): The context from which the vulnerability can be exploited (Network, Adjacent, Local, Physical); the more remote the attacker can be, the higher the score
- Attack Complexity (AC): Whether conditions outside the attacker's control must exist for exploitation, such as winning a race condition or a non-default configuration (Low, High)
- Privileges Required (PR): What level of access an attacker must already hold on the vulnerable component before exploiting it (None, Low, High)
- User Interaction (UI): Whether a user other than the attacker must take an action, such as opening a file or clicking a link (None, Required)
- Scope (S): Whether exploiting the vulnerable component lets the attacker affect resources governed by a different security authority, for example a sandbox escape or a guest-to-host VM escape (Unchanged, Changed)
- Confidentiality, Integrity, and Availability (C/I/A): The impact to each of these three properties on the impacted component (None, Low, High)
The base metrics feed two sub-scores: Exploitability (AV, AC, PR, UI) and Impact (C, I, A, adjusted for Scope). The sub-scores are summed (and multiplied by 1.08 when Scope is Changed), capped at 10, and rounded up to one decimal place, giving a base score between 0.0 and 10.0.
Temporal Score Metrics
Temporal metrics adjust the base score for factors that change over time but not between environments. Every temporal weight is at most 1.0, so the temporal score can never exceed the base score; it can only confirm or lower it:
- Exploit Code Maturity: Is exploit code publicly available? (Unproven, Proof-of-Concept, Functional, High)
- Remediation Level: Has a patch been released? (Unavailable, Workaround, Temporary Fix, Official Fix)
- Report Confidence: How confident are we in the vulnerability report? (Unknown, Reasonable, Confirmed)
Environmental Score Metrics
Environmental metrics let an organization re-score a vulnerability for its own deployment. Modified Base metrics override any base metric (for example, a service that the vendor scored as Network-reachable but that is only exposed on an internal segment), and the Confidentiality, Integrity, and Availability Requirements (CR, IR, AR: Low, Medium, High) weight the impact sub-score by how much each property matters for the affected asset. Environmental scores are rarely published, but they are where asset criticality formally enters the score.
Real-World Example
Consider a SQL injection vulnerability in a web application's login form:
- Attack Vector: Network (exploitable remotely over the internet)
- Attack Complexity: Low (no special conditions; the attacker only submits a crafted username)
- Privileges Required: None (the login form is reachable before authentication)
- User Interaction: None (no victim action is needed)
- Scope: Unchanged (the application and its database are treated as one security authority, which is the conventional scoring for SQL injection; reading every row is an impact, not a scope change)
- Confidentiality Impact: High (database contents can be read)
- Integrity Impact: High (data can be modified)
- Availability Impact: High (data and tables can be deleted)
This combination, written as the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, gives a CVSS Base Score of 9.8 (Critical), indicating an urgent need for remediation. If the impacted database were governed by a different security authority than the web application, Scope would be Changed and the same impacts would score 10.0.
CVSS Versions: v3.1 vs. v3.0 and Earlier
CVSS has evolved over time. CVSS v3.1, published by FIRST in June 2019, is the most widely deployed version; it clarified v3.0's definitions and replaced its rounding function with one that avoids floating-point artefacts, without changing the metrics themselves. CVSS v4.0 was published in November 2023 and is being adopted by vendors and vulnerability databases: it removes the Scope metric in favour of separate impact metrics for the vulnerable system and subsequent systems, replaces the Temporal group with Threat metrics, and adds Supplemental metrics.
CVSS v2.0 (deprecated but still seen in legacy systems and older NVD entries) uses the same 0.0 to 10.0 range but different metrics: it has Authentication instead of Privileges Required, no User Interaction or Scope metric, and only three severity bands (Low 0.0-3.9, Medium 4.0-6.9, High 7.0-10.0).
When comparing CVSS scores, ensure both are using the same version. A CVSS v3.1 score of 7.0 is not directly comparable to a CVSS v2.0 score of 7.0.
Limitations of CVSS
While CVSS is valuable, it has limitations:
- Doesn't account for business context: the base score describes the vulnerability, not the asset. A Medium-severity flaw in a payment system may deserve attention before a High in a test environment; the Environmental metrics exist for exactly this, but are rarely published
- Requires interpretation: different analysts can score the same vulnerability differently (Scope and Attack Complexity are the usual points of disagreement), so NVD and vendor scores for the same CVE often differ
- Doesn't measure actual exploitation: a high base score does not mean an exploit exists or is being used; the Temporal metrics cover this, but most published scores omit them
- Static in nature: a published base score does not change when exploit code appears or a patch ships, so it must be supplemented with current threat data
Using CVSS in Your Security Program
Best practices for CVSS in your organization:
- Use CVSS as one input to remediation decisions, not the only factor
- Consider business impact, asset criticality, and threat landscape alongside CVSS scores
- Establish SLAs (Service Level Agreements) for remediation based on CVSS severity tiers
- Regularly review and update CVSS scores as new information emerges
- Train your team on how CVSS is calculated to avoid misunderstandings
- Combine CVSS with asset criticality and exploitation data such as EPSS probabilities and the CISA Known Exploited Vulnerabilities catalog
How TurboPentest Delivers CVSS Scores
When you run a pentest with TurboPentest, every vulnerability finding in your professional PDF report includes a CVSS score and severity rating. This standardized scoring, combined with proof-of-concept demonstrations and remediation steps, gives you a clear, actionable roadmap for fixing security issues. Whether you're running a Standard, Deep, or Blitz pentest, CVSS scoring helps you prioritize findings and communicate risk to your team.
Ready to identify vulnerabilities in your web applications and APIs? Start a pentest on TurboPentest today and get detailed CVSS scores with your findings.