CVSS (Common Vulnerability Scoring System) — How Severity Is Calculated and What It Really Means

CVSS (Common Vulnerability Scoring System) is the industry-standard framework used to score the severity of cybersecurity vulnerabilities. This SECMONS glossary entry explains CVSS v3.1 structure, base metrics, vectors, scoring ranges, and how defenders should interpret CVSS in real-world risk decisions.

CVSS — What It Is (and What It Is Not) 🧠

CVSS (Common Vulnerability Scoring System) is a standardized framework used to measure the technical severity of a vulnerability.

It provides a numerical score from 0.0 to 10.0 and a vector string that explains how that score was calculated.

Important: CVSS measures technical severity, not business risk.

A vulnerability with a lower CVSS score may still represent higher operational risk in your environment depending on exposure, asset criticality, and exploitation status.

On SECMONS, CVSS is always presented alongside:


CVSS Scoring Ranges 📊

Score Range  | Severity Rating
0.0          | None
0.1 – 3.9    | Low
4.0 – 6.9    | Medium
7.0 – 8.9    | High
9.0 – 10.0   | Critical

These ratings are derived from the Base Score, which reflects intrinsic technical characteristics of the vulnerability.


CVSS v3.1 Base Metrics Explained 🔎

The Base Score is calculated using two major metric groups:

1️⃣ Exploitability Metrics

Metric                    | What It Measures
Attack Vector (AV)        | The context from which the flaw can be exploited: Network, Adjacent, Local, or Physical
Attack Complexity (AC)    | Conditions outside the attacker's control that must exist for exploitation to succeed
Privileges Required (PR)  | The level of privileges an attacker must already hold before exploitation
User Interaction (UI)     | Whether a user other than the attacker must take an action for exploitation to succeed

Example:

  • AV:N → Network exploitable
  • UI:R → Requires user interaction

These terms frequently appear in vulnerability records across /vulnerabilities/ and in exploitation mapping under /attack-techniques/.


2️⃣ Impact Metrics

Metric               | What It Measures
Confidentiality (C)  | Data exposure impact
Integrity (I)        | Data modification impact
Availability (A)     | Service disruption impact

Each is scored as None (N), Low (L), or High (H).


CVSS Vector String — How to Read It 🔐

A full CVSS vector might look like this:

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Breaking it down:

  • AV:N → Network
  • AC:L → Low complexity
  • PR:N → No privileges required
  • UI:R → User interaction required
  • S:U → Scope unchanged (the impact stays within the vulnerable component)
  • C:H / I:H / A:H → High impact across the CIA triad

Understanding this vector allows defenders to quickly assess technical exposure before diving into deeper guidance in /guides/.


What CVSS Does Not Tell You ⚠️

CVSS does not account for:

  • Whether exploitation is active
  • Whether your specific environment is exposed
  • Asset criticality
  • Internet exposure
  • Patch availability timing
  • Compensating controls

This is why SECMONS pairs CVSS with:

A CVSS 8.8 with confirmed exploitation may demand faster action than a CVSS 9.8 that is not being exploited.


CVSS in Real Security Operations 🎯

In enterprise environments, CVSS is used for:

  • Patch prioritization baselines
  • SLA categorization
  • Scanner result triage
  • Risk reporting dashboards
  • Compliance frameworks

However, mature programs do not use CVSS in isolation.

The correct flow is:

CVE identified → CVSS reviewed → exploitation status confirmed → asset exposure mapped → remediation prioritized.

You’ll see that structure consistently across SECMONS vulnerability records and operational guides.
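As an added illustration of the flow above (example code, not SECMONS's own prioritization logic), the following ranks findings so that confirmed exploitation and exposure outrank the raw Base Score. The ordering rule, the Finding fields and the CVE identifiers are all constructed for this example; a real program would tune the rule to its own SLAs.

```python
from dataclasses import dataclass


@dataclass
class Finding:
    cve: str               # placeholder identifier, not a real CVE record
    cvss: float            # CVSS v3.1 Base Score as published
    exploited: bool        # exploitation confirmed in the wild
    internet_exposed: bool # affected asset reachable from the internet
    asset_critical: bool   # business-critical asset per the asset inventory


def triage_key(f):
    """Hypothetical ordering: exploitation status first, then exposure,
    then asset criticality, and only then the CVSS score breaks ties."""
    return (f.exploited, f.internet_exposed, f.asset_critical, f.cvss)


def prioritize(findings):
    """Return findings in remediation order, most urgent first."""
    return sorted(findings, key=triage_key, reverse=True)


# Constructed sample: the 9.8 is not being exploited, the 8.8 is.
SAMPLE = [
    Finding("CVE-XXXX-0001 (placeholder)", 9.8, exploited=False,
            internet_exposed=True, asset_critical=True),
    Finding("CVE-XXXX-0002 (placeholder)", 8.8, exploited=True,
            internet_exposed=True, asset_critical=False),
    Finding("CVE-XXXX-0003 (placeholder)", 7.5, exploited=False,
            internet_exposed=False, asset_critical=False),
]


def remediation_order(findings=SAMPLE):
    """Convenience wrapper returning just the ordered identifiers."""
    return [f.cve for f in prioritize(findings)]


if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        print(f"{f.cve}: CVSS {f.cvss}, exploited={f.exploited}, "
              f"exposed={f.internet_exposed}, critical={f.asset_critical}")
```

With this rule the exploited 8.8 lands ahead of the unexploited 9.8, matching the comparison made earlier on this page; sorting on cvss alone would invert that order.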


CVSS and Weakness Mapping 🔄

Many CVE records include a mapped weakness classification via CWE, such as:

Understanding the underlying weakness often provides more insight than the numeric score alone.


Why CVSS Still Matters 📌

Even with its limitations, CVSS remains:

  • The most widely adopted scoring system globally
  • A standardized reference for cross-vendor comparison
  • A common language between vendors, defenders, auditors, and regulators

Used correctly, CVSS accelerates triage.
Used blindly, it distorts prioritization.

SECMONS uses CVSS as a structured data point — not as a substitute for operational judgment.


Authoritative Reference 📎