CVE 📅 Jul 3, 2026 ⏱ 9 min read 👶 Beginner friendly

How CVSS Scoring Works: Understanding Vulnerability Severity

When a new vulnerability is announced, the first question most IT teams ask is: how bad is it? The answer comes from CVSS — a scoring system that turns a complex set of technical factors into a single number between 0 and 10. The higher the number, the worse the vulnerability.

But CVSS is more than just a number. Understanding how it is calculated helps you make smarter patching decisions and explain risk to non-technical stakeholders in language they understand.

What is CVSS?

CVSS stands for Common Vulnerability Scoring System. It is an open framework for communicating the characteristics and severity of software vulnerabilities. CVSS is maintained by FIRST (Forum of Incident Response and Security Teams) and is currently on version 3.1, with version 4.0 published in 2023.

In simple terms: CVSS is like a medical triage scale. A score of 10 means "rush to the operating theatre now." A score of 2 means "schedule a routine appointment."

The National Vulnerability Database (NVD) at NIST publishes CVSS scores for every CVE. When you look up a CVE, the CVSS score is one of the first things you see.

The 0–10 score scale

Score range | Severity | What to do
0.0         | None     | No action needed
0.1 – 3.9   | Low      | Patch in next scheduled cycle
4.0 – 6.9   | Medium   | Patch within 30 days
7.0 – 8.9   | High     | Patch within 7 days
9.0 – 10.0  | Critical | Patch immediately — drop everything

Base score metrics

The CVSS Base Score measures the intrinsic characteristics of a vulnerability — things that do not change over time or environment. It is calculated from two groups of metrics:

Exploitability metrics (how easy is it to attack?)

Impact metrics (how bad is the damage?)

CVSS measures impact across three dimensions, the classic security triad: confidentiality, integrity, and availability.

A vulnerability that scores High on all three impact dimensions, requires no privileges, no user interaction, and can be exploited over the network with low complexity — that is a 10.0. That is Log4Shell (CVE-2021-44228).

Pro Tip

Use the NVD's CVSS calculator at nvd.nist.gov/vuln-metrics/cvss/v3-calculator to score any vulnerability yourself. Pick the metric values and the score calculates automatically — a great way to build intuition for what drives severity up or down.

Temporal and environmental scores

Beyond the Base Score, CVSS has two optional modifier layers:

Temporal Score

The Temporal Score adjusts the base score based on factors that change over time:

Environmental Score

The Environmental Score lets your organisation adjust the base score based on your specific situation:

Most teams work with the Base Score because it is standardised. The Environmental Score is most useful for mature security operations with asset inventory tools.

Real scoring examples

Let us look at three real CVEs to see how the score reflects real-world severity:

CVE-2021-44228 — Log4Shell CRITICAL 10.0

Attack Vector: Network. Complexity: Low. No privileges needed. No user interaction. Full confidentiality, integrity, and availability impact. A remote attacker could execute arbitrary code on millions of servers with a single request. Score: 10.0.

CVE-2023-34048 — VMware vCenter RCE CRITICAL 9.8

A heap overflow in vCenter allowed unauthenticated remote code execution. Network attack vector, low complexity, no privileges. Score: 9.8. Actively exploited by nation-state actors within weeks of disclosure.

CVE-2023-20198 — Cisco IOS XE CRITICAL 10.0

A privilege escalation in Cisco's web UI allowed attackers to create admin accounts with no authentication. Used to compromise tens of thousands of network devices within days. Score: 10.0.

How to use CVSS in practice

Here is a simple prioritisation workflow for any IT team:

  1. Get CVE feeds — subscribe to NVD, vendor security bulletins, or use a vulnerability scanner (Tenable Nessus, Qualys, OpenVAS).
  2. Filter by severity — start with Critical (9.0+), then High (7.0+). Do not lose sleep over Low scores until the urgent work is done.
  3. Check CISA KEV — any CVE in the Known Exploited Vulnerabilities catalog is being exploited right now. These jump the queue regardless of CVSS score.
  4. Confirm you are affected — check your asset inventory. If the vulnerable product is not in your environment, move on.
  5. Patch or mitigate — apply the vendor patch. If no patch exists, apply the vendor's workaround and set a reminder to patch when one arrives.
  6. Document and close — record what you patched and when. Auditors love this.
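The six-step workflow above as a small triage function, an added example that is not part of the original article: it drops findings for products absent from the asset inventory (step 4), moves CISA KEV entries to the front regardless of score (step 3), sorts the rest by score (step 2), and attaches the patch window from the severity table. The product names, the inventory and the KEV-listed placeholder CVE are constructed for the sample; the scores of the three named CVEs are the ones the article gives.

```python
from dataclasses import dataclass

# Patch windows from the severity table earlier on the page
PATCH_WINDOW = {
    "Critical": "immediately",
    "High": "within 7 days",
    "Medium": "within 30 days",
    "Low": "next scheduled cycle",
    "None": "no action needed",
}

def severity(score: float) -> str:
    """Map a 0-10 CVSS score onto its qualitative severity band."""
    if score == 0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"

@dataclass
class Finding:
    cve: str
    product: str
    cvss: float            # Base Score as published by NVD or the vendor
    in_kev: bool = False   # listed in CISA's Known Exploited Vulnerabilities catalog

def triage(findings: list, inventory: set) -> list:
    """Return the ordered work queue: KEV first, then by score, only for products we run."""
    relevant = [f for f in findings if f.product in inventory]   # step 4
    relevant.sort(key=lambda f: (not f.in_kev, -f.cvss))         # steps 3 and 2
    queue = []
    for f in relevant:
        sev = severity(f.cvss)
        window = "immediately (in CISA KEV)" if f.in_kev else PATCH_WINDOW[sev]
        queue.append({"cve": f.cve, "severity": sev, "patch": window})
    return queue

# Constructed sample: the three real scores come from the article, the rest is made up.
# CVE-YYYY-NNNNN is a placeholder id for a medium-scored bug that is in the KEV catalog.
SAMPLE = [
    Finding("CVE-2021-44228", "log4j", 10.0),
    Finding("CVE-2023-34048", "vcenter", 9.8),
    Finding("CVE-2023-20198", "ios-xe", 10.0),
    Finding("CVE-YYYY-NNNNN", "vcenter", 6.5, in_kev=True),
]
INVENTORY = {"log4j", "vcenter"}   # constructed: no Cisco IOS XE in this environment
```

Note how the 6.5 KEV entry lands ahead of a 10.0 and the Cisco 10.0 disappears entirely, which is exactly the ordering the workflow asks for.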

Limitations of CVSS

CVSS is useful but imperfect. Know its limits:

Key Takeaway

Use CVSS as your starting filter, then layer on threat intelligence (CISA KEV, vendor advisories) and asset context (is this system critical? internet-facing?) to prioritise your actual patching workload. CVSS + context = smart vulnerability management.

Frequently asked questions

What is a good CVSS score?

Lower is better. A score of 0 means no severity. Anything below 4.0 is low risk. Scores of 9.0 and above are Critical and require immediate action.

Who calculates the CVSS score?

The NVD team at NIST calculates Base Scores for all published CVEs. Vendors also publish their own scores for vulnerabilities in their products, sometimes differing slightly from NVD's assessment.

Is CVSS v3.1 or v4.0 better?

CVSS v4.0 (released November 2023) adds new metrics including supplemental scores and better support for operational technology (OT/ICS) systems. Most public databases still primarily show v3.1 scores. Both use the same 0–10 scale, so the severity bands are comparable.

Can a CVSS 10.0 vulnerability not affect me?

Yes. If you do not run the vulnerable software, a CVSS 10.0 score is irrelevant to you. Always confirm affected versions against your actual asset inventory before escalating.

Keep learning on ITVedas

Next: understand what a zero-day vulnerability is and why patching within 24 hours is sometimes not fast enough.
