When a new CVE is published, the first number most security teams look at is the CVSS score — a single decimal between 0.0 and 10.0 that purports to summarise how dangerous a vulnerability is. It's on every CVE page on NVD, in every vulnerability scanner report, and in every board-level security briefing.
Yet CVSS is one of the most misunderstood metrics in information security. Teams routinely patch everything above 7.0, miss exploited vulnerabilities scored 5.9, and exhaust themselves triaging medium-severity issues that will never be exploited in their environment. This guide explains how CVSS actually works — and how to use it correctly.
What Is CVSS?
The Common Vulnerability Scoring System (CVSS) is an open standard maintained by FIRST (Forum of Incident Response and Security Teams). Version 3.1 is currently the most widely used; CVSS 4.0 was released in November 2023 and is being gradually adopted.
CVSS provides a formula for calculating a score based on characteristics of the vulnerability itself — not characteristics of your specific environment. This is important: a CVSS Base Score describes the worst-case theoretical impact, not the actual risk to your organisation.
The CVSS 3.1 Base Metric Groups
The Base Score is calculated from two metric groups: Exploitability and Impact.
Exploitability Metrics
Impact Metrics
The three CIA triad metrics each rate potential impact to Confidentiality, Integrity, and Availability. Each is scored None/Low/High. A vulnerability that enables full remote code execution typically scores High on all three.
The Scope metric captures whether exploitation can affect components beyond the vulnerable one (Changed vs Unchanged). A vulnerability in a container runtime that allows escaping to the host scores Scope: Changed.
The Severity Rating Scale
The Problem with CVSS-Only Prioritisation
Here is the uncomfortable truth: CVSS Base Scores are a poor proxy for actual risk. Research by Cyentia Institute and FIRST has consistently shown that fewer than 5% of CVEs with scores above 7.0 are ever exploited in the wild. Meanwhile, some actively exploited vulnerabilities score in the medium range.
The reasons are structural:
- Base Score ignores your environment. A network-exploitable vulnerability in a service that is not exposed to the internet poses minimal risk, yet scores identically to one on a public-facing server.
- Base Score ignores exploit availability. A vulnerability with a published, weaponised exploit in Metasploit is far more dangerous than one with no known exploit, even at the same score.
- Base Score ignores asset criticality. A medium-severity vulnerability on your payment processing server may warrant immediate attention; a critical score on a development sandbox does not.
Better Prioritisation: EPSS and KEV
Two complementary frameworks significantly improve on CVSS-only prioritisation:
EPSS — Exploit Prediction Scoring System
The EPSS model, also maintained by FIRST, predicts the probability that a vulnerability will be exploited in the wild within the next 30 days. It is trained on actual exploitation telemetry. An EPSS score of 0.94 means the model predicts a 94% chance of exploitation — treat it urgently. An EPSS score of 0.002 for a 9.8 CVSS vulnerability suggests exploitation is extremely unlikely.
CISA KEV — Known Exploited Vulnerabilities Catalogue
The CISA KEV catalogue lists vulnerabilities with confirmed evidence of active exploitation in the wild. Any CVE on the KEV list demands immediate attention regardless of CVSS score. US Federal agencies are mandated to remediate KEV vulnerabilities within 15–21 days; commercial organisations should treat them with equal urgency.
A Practical Triage Framework
Combine these signals for a risk-based prioritisation approach:
- Is the CVE on CISA KEV? → Patch immediately, regardless of CVSS
- EPSS > 0.70? → High exploitation probability, treat as P1
- CVSS ≥ 9.0 AND exposed service? → Critical priority
- CVSS 7.0–8.9 AND EPSS > 0.30? → High priority, patch within 7 days
- CVSS 4.0–6.9 AND no exploit available? → Standard remediation cycle
- CVSS < 4.0? → Patch in bulk during next maintenance window
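The triage rules above, applied in order to a small backlog of enriched findings, as an added example that is not the article's or any vendor's code. The Finding fields (cvss, epss, on_kev, exposed, exploit_available), the priority labels and the decision to send combinations the rules do not cover to manual review are this example's own assumptions; the sample findings and their CVE ids are constructed placeholders, not real records.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class Finding:
    """A vulnerability after enrichment with the three signals the article combines.
    Field names are this example's own (hypothetical), not a scanner's schema."""
    cve: str
    cvss: float              # CVSS 3.1 Base Score
    epss: float              # EPSS probability of exploitation within 30 days (0.0-1.0)
    on_kev: bool             # listed in the CISA KEV catalogue
    exposed: bool            # the vulnerable service is reachable from the internet
    exploit_available: bool  # public exploit code is known (e.g. a Metasploit module)


# Priority labels in rank order; a lower index is more urgent.
PRIORITIES = [
    "P0: patch immediately (on CISA KEV)",
    "P1: high exploitation probability (EPSS > 0.70)",
    "Critical: CVSS >= 9.0 on an exposed service",
    "High: patch within 7 days (CVSS 7.0-8.9, EPSS > 0.30)",
    "Standard remediation cycle (CVSS 4.0-6.9, no known exploit)",
    "Bulk: next maintenance window (CVSS < 4.0)",
    "Unmatched: manual review",
]


def triage(f: Finding) -> str:
    """Apply the rules top-down; the first rule that matches wins,
    so a KEV entry is P0 even with a medium CVSS score."""
    if f.on_kev:
        return PRIORITIES[0]
    if f.epss > 0.70:
        return PRIORITIES[1]
    if f.cvss >= 9.0 and f.exposed:
        return PRIORITIES[2]
    if 7.0 <= f.cvss < 9.0 and f.epss > 0.30:
        return PRIORITIES[3]
    if 4.0 <= f.cvss < 7.0 and not f.exploit_available:
        return PRIORITIES[4]
    if f.cvss < 4.0:
        return PRIORITIES[5]
    # The rules leave some combinations undecided (CVSS >= 9.0 on an unexposed
    # host, CVSS 7.0-8.9 with EPSS <= 0.30, CVSS 4.0-6.9 with a public exploit).
    # Rather than guess a policy, surface them for a human decision (assumption).
    return PRIORITIES[6]


def rank(f: Finding) -> int:
    """Numeric rank of a finding's priority, for sorting a backlog."""
    return PRIORITIES.index(triage(f))


def prioritise(findings: List[Finding]) -> List[Finding]:
    """Most-urgent first; ties break on EPSS, then CVSS."""
    return sorted(findings, key=lambda f: (rank(f), -f.epss, -f.cvss))


# Constructed sample findings; the CVE ids are placeholders, not real records.
SAMPLE = [
    Finding("CVE-PLACEHOLDER-1", cvss=5.9, epss=0.100, on_kev=True,  exposed=False, exploit_available=True),
    Finding("CVE-PLACEHOLDER-2", cvss=9.8, epss=0.002, on_kev=False, exposed=False, exploit_available=False),
    Finding("CVE-PLACEHOLDER-3", cvss=9.8, epss=0.002, on_kev=False, exposed=True,  exploit_available=False),
    Finding("CVE-PLACEHOLDER-4", cvss=7.5, epss=0.450, on_kev=False, exposed=True,  exploit_available=False),
    Finding("CVE-PLACEHOLDER-5", cvss=6.5, epss=0.850, on_kev=False, exposed=False, exploit_available=True),
    Finding("CVE-PLACEHOLDER-6", cvss=5.4, epss=0.010, on_kev=False, exposed=False, exploit_available=False),
    Finding("CVE-PLACEHOLDER-7", cvss=3.1, epss=0.000, on_kev=False, exposed=True,  exploit_available=False),
]

if __name__ == "__main__":
    for f in prioritise(SAMPLE):
        print(f"{f.cve}  CVSS {f.cvss:<4} EPSS {f.epss:<5}  -> {triage(f)}")
```

Running it puts the KEV-listed 5.9 and the EPSS 0.85 finding ahead of both 9.8s, which is the article's point, and drops the 9.8 on an unexposed host into the manual-review bucket: the rule list as written never assigns it a priority, so a team adopting this framework should decide explicitly what the fallback is rather than let a scanner silently default it to Critical.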
CRATrust incorporates CVSS, EPSS, and KEV data automatically for every vulnerability detected in your SBOM components — so you always have the full picture, not just a single score.