Skip to content Skip to navigation Skip to footer

What Is Common Vulnerability Scoring System (CVSS)?

Common Vulnerability Scoring System (CVSS): Overview

Common Vulnerabilities and Exposures (CVE) is a list or glossary of publicly known security flaws. It assesses vulnerabilities and scores them using the Common Vulnerability Scoring System (CVSS). Cybersecurity professionals use this information to determine how dangerous vulnerabilities are.

Managed by the MITRE Corporation, the CVE glossary project is devoted to monitoring and recording flaws in information security. The U.S. Department of Homeland Security (DHS) provides funds to maintain it. 

How Does CVSS Work?

An overall CVSS score is calculated using the following:

  1. Base CVSS score: This is determined by the actual vulnerability—specifically how threat actors can exploit the vulnerability and the kind of damage they can inflict after gaining access to a system.
  2. Environmental CVSS score: The environmental CVSS score focuses on the assets the vulnerability exposes to attack. It quantifies the confidentiality, integrity, and availability of the asset, specifically how these factors make it easy to exploit the vulnerability.

What Is Common Vulnerability Scoring System: Three Metrics of CVSS

CVSS uses three primary metrics to score vulnerabilities: base metrics, temporal metrics, and environmental metrics. Metrics are different from scores in that they are the elements CVSS uses to determine the scores.

Base Metrics

These metrics focus on how exploitable the vulnerability is and its impact.


The exploitability element of the vulnerability takes into account:

  1. The attack vector that can be used to exploit the vulnerability
  2. The complexity of the attack that can exploit the vulnerability (i.e., how difficult it is to pull off the attack)
  3. The privileges required to access and exploit the vulnerability
  4. User interaction (i.e., how often the user must interact with tools the attacker uses or the system itself for the attack to be successful)

The number of times attackers have to authenticate as they attempt to gain access to a system using the vulnerability

Temporal Metrics

The temporal metrics value varies over the life span of the vulnerability, which sets it apart from other CVSS metrics. This is because of exploits being created, published, and automated, as well as the availability of mitigation solutions. Because these factors change over time, temporal metrics are designed to adjust accordingly.

  1. Exploitability: In the context of temporal metrics, this describes the present state of the automated exploitation code or techniques that attackers leverage to take advantage of a vulnerability.
  2. Remediation level: This refers to the number of fixes and solutions available to reduce the number of vulnerabilities.
  3. Report confidence: This term describes the likelihood that a vulnerability actually exists, as well as the accuracy of the technical information about the vulnerability.

Environmental Metrics

The environmental metrics evaluate the seriousness of the impact of a vulnerability.

  1. Collateral damage potential: This measures the potential loss or impact on physical assets, such as tools, hardware, and users—or the financial consequences if the vulnerability is exploited.
  2. Target distribution: This metric calculates the percentage of weak systems the vulnerability can exploit.
  3. Impact subscore modifier: This measures how important it is to maintain the confidentiality, integrity, and availability of the assets the vulnerability can compromise.

Limitations of the CVSS Framework

CVSS base scores only represent the severity of a vulnerability. They do not take into account the risk that severity brings to your specific environment or provide an accurate cyber-risk score. As such, it is impossible to prioritize vulnerability remediation effectively. In other words, some vulnerabilities may be extremely concerning overall, but they may not endanger your specific environment at all.

Base CVSS scores can be accessed through several publicly available databases. As a result, most security teams look through these databases first when prioritizing and patching vulnerabilities. However, relying on these base scores in a vacuum is a serious mistake. They do not account for the impact of real-world exploits or consider the availability of attack-mitigation solutions that can render the vulnerability relatively harmless.

Without this supporting information, a vulnerability management team may focus their time and effort on noncritical vulnerabilities instead of dedicating resources toward addressing vulnerabilities that pose the greatest risk to business-critical assets.

What Is CVSS Score and How Is It Calculated?

What is CVSS in cybersecurity? The CVSS score can be used to determine the threat level associated with each vulnerability—and thus, which vulnerability to prioritize. This means software developers, testers, security experts, and IT professionals all have a standardized procedure for evaluating vulnerabilities, thanks to CVSS.

How is CVSS score calculated? Several score subgroups are combined to get the CVSS score. Only the base score components are required to classify a vulnerability within the CVSS system. For a more accurate assessment, CVSS scores should also include environmental and temporal metrics.

The overall CVSS score also takes into account an impact subscore, an exploitability subscore, and a scope subscore. These three criteria evaluate the importance of the damaged data and systems, the attack's impact on systems that may appear to be unaffected, and the overall extent of the attack.

How to Leverage CVSS Scores to Improve Business Security

A CVSS score offers one straightforward value that summarizes the effect of a single computer security flaw. But when using CVSS for incident response and vulnerability remediation, contextual considerations must also be factored in.

Keep in mind that CVSS does not consider details of an organization's IT environment, which can influence the effect and severity of a vulnerability. This makes it difficult to examine what each score means, especially when taken out of context. For instance, a “critical” severity vulnerability on a less significant system may be less important than a “medium” severity vulnerability on a more business-critical system.

But if you are aware of the existence of vulnerabilities, you can take further steps, such as performing a vulnerability assessment or penetration test. In this way, each vulnerability's CVSS score can raise awareness and motivate cyber-defense teams to action.


CVSS is not a vulnerability classification system. This makes it different from CVE, which is a list of all the vulnerabilities mentioned in the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD).

In other words, while CVE identifies each vulnerability and provides a means of distinguishing one vulnerability from the next, CVSS gives IT teams a means of ranking the severity of each vulnerability. As a result, IT teams can use CVE to differentiate between vulnerabilities and then CVSS to rank them according to which ones can have the most impact on a network environment.

How Fortinet Can Help

The FortiGate Next-Generation Firewalls (NGFWs) provide enterprise security, complete visibility, and threat protection that is unmatched in the industry. This level of defense makes safeguarding your digital assets easier, regardless of the CVSS score of the vulnerabilities that concern you most. With a FortiGate NGFW, organizations can create security-driven networks and integrate security deep into their hybrid IT architectures to provide:

  1. Security with high throughput that will not bog down your network
  2. Real-time cyber defense that leverages threat intelligence from FortiGuard Security Services
  3. Improved end-user experiences due to fast security processing capabilities
  4. Automation of key security functions to save your IT team time and energy


What is the Common Vulnerability Scoring System (CVSS)?

The Common Vulnerability Scoring System (CVSS) is used in line with the Common Vulnerabilities and Exposures (CVE), which is a glossary that categorizes vulnerabilities. CVSS scores vulnerabilities according to a set of criteria, assigning each vulnerability a numerical value that represents how severe it is. This data is used by cybersecurity professionals to determine how dangerous vulnerabilities are.

What are the limitations of CVSS?

CVSS base scores only represent the severity of a vulnerability. They do not take into account the risk that severity brings to your specific environment or provide an accurate cyber-risk score. As such, it is impossible to prioritize vulnerability remediation effectively. In other words, some vulnerabilities may be extremely concerning overall, but they may not endanger your specific environment at all.