Back to Home

CVSS v4.0: vulnerability metrics for IT

Article breaks down CVSS v4.0: base, temporal and contextual metrics for CVE assessment. Examples of real vulnerabilities and prioritization rules for IT specialists. Integration into DevSecOps.

CVSS Masterclass: vulnerability assessment v4.0
Advertisement 728x90

CVSS v4.0: Metrics and Vulnerability Scoring for Developers

CVSS provides a standardized score from 0 to 10 to assess vulnerabilities. The base score reflects the vulnerability's inherent qualities, independent of any specific environment. NVD publishes these scores for public CVEs, and version 4.0 refines the metrics for greater precision.

Developers rely on CVSS to prioritize patches: scores above 7 demand immediate action, especially with proof-of-concept exploits available. Focusing on attack vectors and impact helps distinguish theoretical risks from real threats.

Base Metrics: The Core of Scoring

The base group captures the fixed attributes of a vulnerability.

Google AdInline article slot
  • Attack Vector (AV): Network (N) — remote attack; Adjacent (A) — local network; Local (L) — direct access; Physical (P) — physical tampering.
  • Attack Complexity (AC): Low — straightforward; High — requires conditions like man-in-the-middle.
  • Privileges Required (PR): None — no authentication; Low — basic rights; High — admin access.
  • User Interaction (UI): None — fully automated; Required — user click or file open.

Impact is evaluated across the CIA triad:

  • Confidentiality (C): None/Low/High — data leak severity.
  • Integrity (I): None/Low/High — modification potential.
  • Availability (A): None/Low/High — denial-of-service impact.

Example: CVE-2021-44228 (Log4Shell) with AV:N/AC:L/PR:N/UI:N and High across all CIA scores a perfect 10.0.

Temporal Metrics: Accounting for Threat Evolution

Temporal metrics adjust the base score based on current conditions.

Google AdInline article slot

| Metric | Description | Score Impact |

|--------|-------------|---------------|

| Exploit Code Maturity (E) | None/PoC/High | Increases with available code |

Google AdInline article slot

| Remediation Level (RL) | None/Workaround/Official | Decreases with patches |

| Report Confidence (RC) | Low/Medium/High | Lowers with uncertainty |

EternalBlue (CVE-2017-0144, base 8.1) turned critical after PoC exploits surfaced in WannaCry, thanks to High E.

Environmental Metrics: Tailoring to Your Setup

Environmental metrics let you tweak base metrics (like Modified AV, AC) for your environment. Additional requirements include:

  • Confidentiality Requirement (CR): High for PCI DSS data.
  • Integrity Requirement (IR): High for config files.
  • Availability Requirement (AR): High for mission-critical services.

In an air-gapped network, AV:N drops to AV:L, cutting the score by 2–3 points.

CVSS Scoring Scale and Prioritization Rules

| Range | Level | Action |

|-------|-------|--------|

| 0 | None | Ignore |

| 0.1–3.9 | Low | Monitor |

| 4.0–6.9 | Medium | Assess context |

| 7.0–8.9 | High | Patch urgently |

| 9.0–10.0 | Critical | Patch immediately |

Rules for mid/senior devs:

  • CVSS ≥9.0 + PoC = top priority patch.
  • Any score in unused components = remove them.
  • Validate Modified metrics in your CI/CD pipelines.

Real-World Examples

  • Log4Shell: Full RCE via logs, base 10.0.
  • Follina (CVE-2022-30190): 7.8, escalated to High with APT exploits.
  • CVE-2024-40711 (Veeam): Auth bypass RCE, critical for backups.

Integrate CVSS into scanners like Trivy or Dependency-Check.

Trusted Data Sources

For CVE verification:

  • cve.org — official registry.
  • NVD — CVSS, CWE, CPE details.
  • Exploit-DB — PoC exploits.
  • OWASP — Top 10, Testing Guide.
  • PortSwigger Academy — web attack labs.

Steer clear of unverified hype sources.

Key Takeaways

  • Base score is your starting point; Temporal and Environmental make it real-world relevant.
  • Network + No privileges + High CIA = always ≥9.0.
  • Bake CVSS into repo scanning automation.
  • Verify PoCs before sounding alarms.
  • For production, always use Modified metrics.

— Editorial Team

Advertisement 728x90

Read Next