Skip to main content

Common Vulnerability Scoring System

The Common Vulnerability Scoring System (CVSS) is a standardized framework for rating the severity of software and hardware security vulnerabilities on a numerical scale to support consistent risk assessment and prioritization.

Expanded Explanation

1. Technical Function and Core Characteristics

The CVSS defines a method to calculate numerical scores, usually from 0.0 to 10.0, for security vulnerabilities based on defined metrics. It uses metric groups such as Base, Temporal, and Environmental to capture intrinsic, time-dependent, and deployment-specific characteristics.

The framework specifies metrics for exploitability, impact on confidentiality, integrity and availability, scope of affected components, and conditions required for successful exploitation. It publishes vector strings that encode metric values in a machine-readable and human-readable format to support automation and interoperability.

2. Enterprise Usage and Architectural Context

Enterprises use the CVSS to prioritize remediation activities across vulnerability management, patch management, and risk management workflows. Security teams map CVSS scores from vulnerability scanners and threat intelligence feeds into ticketing, Service Level Agreements (SLAs), and risk registers.

Architects and security managers apply CVSS Environmental metrics to adjust scores based on asset value, exposure, and compensating controls in their environment. The scoring system integrates with vulnerability databases such as the National Vulnerability Database and underpins automation in Security Information and Event Management (SIEM), Security Orchestration Automation Response (SOAR), and Governance, Risk, and Compliance (GRC) platforms.

3. Related or Adjacent Technologies

The CVSS operates alongside identifiers such as Common Vulnerabilities and Exposures (CVE) and classification schemes like Common Weakness Enumeration. Vulnerability databases and scanners use CVE Intrusion Detection System (IDS) with CVSS scores to describe and rate specific issues.

Standards and frameworks such as NIST security publications, risk management frameworks, and secure configuration baselines consume CVSS scores to inform risk ratings and remediation guidance. Many security products, including endpoint, cloud, and application security tools, embed CVSS-based scoring in their reporting.

4. Business and Operational Significance

The CVSS provides a consistent, transparent basis for comparing vulnerabilities across vendors, technologies, and environments. It supports resource allocation decisions by mapping technical vulnerability characteristics to a normalized severity scale understood by security, IT, and business stakeholders.

Regulators, industry groups, and internal policy owners reference CVSS scores when defining remediation timelines or severity thresholds. The framework enables automation in vulnerability triage, supports audit and compliance reporting, and helps organizations align technical findings with Enterprise Risk Management (ERM) processes.

Related Perspectives

CISA issues alert on Mitsubishi Electric MELSEC iQ-F Series vulnerability

November 27, 2025

A vulnerability classified under CVE-2025-10259 affects Mitsubishi Electric's MELSEC iQ-F Series, causing potential denial of service via improper validation in TCP communication. The issue impacts various versions worldwide, with mitigation advice including VPN use and restricted physical and network access.