Understanding CVSS Scores
What Is CVSS?
The Common Vulnerability Scoring System (CVSS) gives security teams a standard way to describe the technical severity of software vulnerabilities. It helps organizations compare vulnerabilities by assigning each one a numerical score from 0.0 to 10.0, derived from a vector string that records the individual metric values behind the number.
CVSS creates consistency. Instead of relying only on subjective labels, teams can use a shared scoring framework to discuss vulnerability severity across tools, reports, and security programs.
However, CVSS does not measure complete business risk. A high CVSS score does not always mean a vulnerability is exploitable in your environment, and a lower score does not always mean the issue is safe to ignore.
CVSS Score Ranges
- 0.0 — None
- 0.1–3.9 — Low
- 4.0–6.9 — Medium
- 7.0–8.9 — High
- 9.0–10.0 — Critical
These ranges are the qualitative severity ratings defined by the CVSS v3.x specification, and they help teams sort vulnerabilities by technical severity. However, security teams should treat them as a starting point rather than a final prioritization model.
How CVSS Scores Are Calculated
CVSS v3.1 uses three metric categories: Base, Temporal, and Environmental.
Base Metrics describe the inherent characteristics of a vulnerability that do not change over time or across environments: the exploitability metrics (Attack Vector, Attack Complexity, Privileges Required, User Interaction), Scope, and the impact metrics (Confidentiality, Integrity, Availability). The Base score is the one published in vendor advisories and the NVD.
Temporal Metrics account for factors that change over time: Exploit Code Maturity, Remediation Level, and Report Confidence. Each is a multiplier of at most 1, so temporal metrics can only lower the Base score or leave it unchanged, never raise it.
Environmental Metrics adjust the score for a specific organization's deployment. They consist of the Security Requirements (Confidentiality, Integrity, and Availability Requirement, which weight the impact metrics by how much the affected asset matters) and the Modified Base metrics, which override any Base metric to reflect the actual deployment, for example Modified Attack Vector set to Adjacent for a service that is not reachable from the internet. These are the standard's own mechanism for adding business context, but they have to be supplied by the consumer; vendors and the NVD do not fill them in.
Together, these groups let teams describe vulnerability severity more consistently. Still, the number most scanners and advisories display is the Base score alone, and even a fully adjusted Environmental score does not show whether an attacker can actually reach and exploit the issue in a specific environment.
Important Limitations
CVSS scores have limits that organizations often overlook.
CVSS does not fully account for business context. It does not know whether the affected system supports a critical business process, stores sensitive data, or sits behind compensating controls. It also does not prove whether an attacker can actually reach or exploit the vulnerable asset.
For example, a critical CVSS score on an isolated internal system may create less real-world risk than the same score on a customer-facing authentication service. The technical severity may look similar, but the business exposure differs.
In short, CVSS describes the vulnerability condition. It does not fully describe risk in your environment.
Using CVSS Effectively
Security teams should use CVSS scores as a starting point, not as the final basis for remediation priority.
Effective vulnerability management combines CVSS with:
- business context,
- asset criticality,
- exploitability validation,
- attacker-path analysis,
- exposure data,
- remediation effort.
This approach helps teams focus on vulnerabilities that create real risk, not just vulnerabilities with high technical severity.
How Scapien Uses CVSS Scores
Scapien’s iPAS platform combines CVSS data with exploit validation and business impact assessment. This helps organizations move beyond generic severity scoring and prioritize findings based on real organizational risk.
CVSS helps describe the vulnerability. Scapien helps determine whether that vulnerability is exploitable, relevant, and worth prioritizing in your environment.