CVSS (Common Vulnerability Scoring System)
A standardized framework for rating the severity of security vulnerabilities on a 0–10 scale.
What is CVSS (Common Vulnerability Scoring System)?
The Common Vulnerability Scoring System (CVSS) is an open, vendor-neutral framework for rating the severity of software vulnerabilities on a numeric scale from 0.0 to 10.0. Maintained by FIRST (the Forum of Incident Response and Security Teams), it produces a single score plus a structured vector string that captures how a flaw can be exploited and what the impact would be. CVSS is the scoring language behind most CVE entries in databases like the NVD.
Why it matters
A scanner can surface hundreds of issues, but engineering time is finite. CVSS gives teams a consistent, defensible way to rank vulnerabilities so the worst ones get fixed first instead of whatever was found last. Because the scoring rules are public and reproducible, two people assessing the same flaw should land on a similar number — which makes CVSS useful for SLAs, compliance reporting, and cross-team prioritization. For practical guidance on turning scores into a remediation order, see how to prioritize vulnerabilities.
How it works
CVSS (currently v4.0, with v3.1 still widely used) builds a score from several metric groups:
- Base — intrinsic, unchanging traits: attack vector (network, adjacent, local, physical), attack complexity, privileges required, user interaction, and impact on confidentiality, integrity, and availability.
- Temporal / Threat — factors that shift over time, such as whether exploit code is publicly available.
- Environmental — adjustments for your specific deployment, e.g. an asset that holds no sensitive data.
Scores map to qualitative ratings: None (0.0), Low (0.1–3.9), Medium (4.0–6.9), High (7.0–8.9), and Critical (9.0–10.0). A key caveat: the Base score reflects worst-case impact in isolation, not the real risk to your environment. Internet-facing exposure and exploit availability change the picture, which is why the Base number should never be your only input.
A concrete example
Consider a vector like CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. Decoded, this is a network-reachable flaw (AV:N) that is easy to exploit (AC:L), needs no privileges (PR:N) and no user interaction (UI:N), and fully compromises confidentiality, integrity, and availability. That combination yields a Base score of 9.8 (Critical) — the profile of a remotely exploitable, unauthenticated bug that warrants immediate patching.
How it shows up on your attack surface
On an external attack surface, the Base metric AV:N (network) is often the one that matters most: a vulnerability is far more dangerous when the affected service is reachable from the public internet. FortWatch's CVE scanner uses vulnerability scanning with Nuclei templates that carry CVSS data, so each detected CVE arrives with its score already attached. Rather than displaying a raw number in isolation, FortWatch maps CVSS-derived severity onto its own Critical/High/Medium/Low scale and weighs real exposure — an open port confirming the service is internet-facing, the absence of a CDN shielding it — before generating an issue and AI remediation steps. The result is prioritization grounded in your exposure, not just the textbook score. For the broader context of why public reachability changes risk, see what is external attack surface management.