CVSS (Common Vulnerability Scoring System) is the industry standard for rating the severity of security vulnerabilities in software and hardware. Most published vulnerabilities receive a CVSS base score from 0.0 to 10.0, mapped to a qualitative severity band: CVSS 2.0 used Low, Medium and High, and CVSS 3.x (3.0 and its 3.1 revision) added None and Critical at the two ends of the scale. Many enterprises have moved to CVSS 3.x, but some organizations and tools still rely on CVSS 2.0, so the same vulnerability can carry a different severity depending on which version a scanner or feed reports. The shift can change SLAs and remediation priorities, but it gives a more accurate picture of severity. Even so, CVSS 3.x is not the final word on risk: CVSS measures severity, not the risk to your organization. True resilience comes from disciplined risk management, an accurate asset inventory and a commitment to continuous improvement.
The Shortcomings of CVSS 2.0
CVSS 2.0 was a solid start, but it had some serious blind spots:
1. Inadequate Impact Granularity
- CVSS 2.0 only offered three options for Confidentiality, Integrity, and Availability: None, Partial, and Complete. This made it hard to tell the difference between a minor leak and a major breach.
- Example: Heartbleed (CVE-2014-0160) let an unauthenticated attacker read up to 64 KB of server memory per request, which was enough to leak private keys and session cookies. CVSS 2.0 could only describe that confidentiality impact as "Partial" and scored the flaw 5.0 (Medium), well below its real-world impact. CVSS 3.x splits impact into Low and High, so the same flaw is scored with C:H at 7.5 (High).
2. No Scope Awareness
- CVSS 2.0 could not express vulnerabilities whose impact crosses a security boundary, such as a bug in a virtual machine that lets an attacker break out to the host OS.
- Example: under CVSS 2.0 a VM escape was scored only for the guest it ran in, not for the host and every other guest it exposed. CVSS 3.x added the Scope metric (S:C when the vulnerable component and the impacted component differ), which raises the weights used for privileges and impact and can reflect the broader blast radius. A guest-to-host escape therefore scores roughly a point higher than the same bug confined to one system, often pushing it into the Critical band.
3. Authentication Confusion
- The old "Authentication" metric counted how many times an attacker had to authenticate (None, Single, Multiple), not what level of privilege that account needed, and the base metrics had no way to express that the victim had to do something, such as clicking a link.
- Example: an attack that needed only a low-privilege account and one that needed a victim to click a link were scored the same under CVSS 2.0. CVSS 3.x splits this into Privileges Required (PR:N/L/H) and User Interaction (UI:N/R), so the score now says both how much access and how much user involvement an attacker needs.
4. Static and Context-Blind Scoring
- A CVSS 2.0 base score was fixed at publication. The 2.0 temporal and environmental metric groups did exist, but they were coarse (Target Distribution, Collateral Damage Potential) and rarely populated, so in practice a score never reflected a newly released exploit or the fact that the affected asset was business-critical.
- Example: Log4Shell (CVE-2021-44228) carries a 10.0 base score everywhere it appears, yet an isolated build server is far less exposed than an internet-facing web application. CVSS 3.x environmental metrics let you override the base metrics for a specific deployment (for example Modified Attack Vector) and weight the Confidentiality, Integrity and Availability requirements of that asset, so the score you act on reflects the actual exposure.
5. Overhyped and Underhyped Vulnerabilities
- CVSS 2.0 often rated vulnerabilities "High" (it had no Critical band) even when they were rarely, if ever, exploited, while giving no signal about the ones that were actively being attacked. This is a property of worst-case base scoring in any CVSS version, but 2.0 offered no widely used way to correct for it.
- Example: one published analysis of the most prominent CVEs of 2022 found that 64% of them were overrated by their public CVSS scores. Teams that triaged by score alone spent time on less relevant issues.
Is CVSS 3.0 the Answer?
CVSS 3.0 is a big improvement, but it’s not perfect. Here’s where it still falls short:
1. Static Scoring
- The base score is static by design: it never changes when a working exploit appears. The temporal metrics (Exploit Code Maturity, Remediation Level, Report Confidence) are where that information belongs, but NVD does not publish them, so most consumers never see anything but the base score.
- Example: the SMBv1 flaw behind WannaCry (CVE-2017-0144, EternalBlue) was patched by MS17-010 in March 2017 and became a global crisis only after the exploit leaked in April and the worm appeared in May. Its CVSS base score was the same throughout, and nothing in the score told defenders that the urgency had changed. Many organizations did not patch fast enough and were hit by the outbreak.
2. Lack of Business Context
- CVSS 3.0's environmental metrics are optional and rarely filled in. The base score does not know whether your server is internet-facing, business-critical or just a test box.
- Example: two companies might run the same Apache Struts vulnerability (CVE-2017-5638, the flaw behind the 2017 Equifax breach). For one it sits in a customer portal, which is high risk; for the other it is an internal HR tool, which is lower risk. Without environmental adjustment both see the same 10.0 and may treat it the same way.
3. Dependency and Configuration Gaps
- Even with environmental metrics, many organizations do not map their assets and configurations accurately, so they cannot tell which of their instances are actually exploitable.
- Example: Citrix Bleed (CVE-2023-4966) in NetScaler ADC and Gateway was only exploitable on appliances configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or an AAA virtual server. Organizations that had not inventoried which appliances ran those roles missed the exposure, and several large, widely reported breaches followed in late 2023, including Comcast's Xfinity, which publicly attributed its incident to this flaw.
The Bottom Line
CVSS 3.0 is a big step forward, but it’s not the end of the story. Organizations need to:
- Keep asset inventories up to date.
- Use threat intelligence to spot actively exploited vulnerabilities.
- Adjust CVSS scores for their specific environment and business context.
- Regularly assess and prioritize risks based on potential business impact and likelihood of exploitation.
- Establish clear risk management processes to ensure vulnerabilities are remediated according to their true risk to the organization.
Prioritizing vulnerabilities isn’t just about the score—it’s about understanding your unique risks and acting fast where it matters most.
CVSS 3.x is a real advance in vulnerability scoring, but a score only becomes a priority once it is combined with asset criticality, threat intelligence about active exploitation and proactive mitigation; on its own it does not tell you what to fix first.