Understanding CVSS Scores — And Their Limitations

PentaTrail Team · 6 min read
What is CVSS?

CVSS (Common Vulnerability Scoring System) is the industry-standard framework for rating the technical severity of software vulnerabilities on a scale of 0.0 to 10.0. It is maintained by FIRST. The current version is 4.0, but the large majority of scores you will meet in scanners and in the NVD are still v3.1, and the metric names below follow v3.1.

The NVD attaches a CVSS score to every CVE it analyzes (often alongside the score supplied by the CNA that issued the CVE), and that number is the metric most security teams read first when deciding how severe a vulnerability is.

CVSS Score Components

Base Metrics

The core metrics describe the vulnerability itself, independent of where it is deployed or what attackers are currently doing with it. They are listed here as named in CVSS v3.1; v4.0 keeps the same idea but drops Scope in favour of separate Vulnerable System and Subsequent System impact metrics and adds Attack Requirements:

  • Attack Vector: Network, adjacent, local, or physical access required
  • Attack Complexity: Whether conditions outside the attacker's control (a race window, a specific configuration) must hold for exploitation
  • Privileges Required: Privileges the attacker must already hold on the target (none, low, high)
  • User Interaction: Whether a victim must do something, such as open a file or follow a link
  • Scope: Whether exploitation affects components beyond the vulnerable one (a guest-to-host escape, for example)
  • Confidentiality/Integrity/Availability Impact: The degree of damage in each area (none, low, high)

Temporal Metrics

Factors that change over time (v4.0 renames this group Threat metrics and reduces it to Exploit Maturity alone):

  • Exploit Code Maturity: Whether exploit code is unproven, proof-of-concept, functional, or weaponized and in wide use
  • Remediation Level: Whether an official fix, a temporary fix, or only a workaround exists
  • Report Confidence: How well the vulnerability is confirmed and understood

In practice the NVD publishes base scores only, so these factors change the number a team acts on only when that team applies them itself.

Environmental Metrics

Organization-specific adjustments based on your infrastructure and business context: Confidentiality, Integrity and Availability Requirements that weight the impact metrics by how much the asset matters, plus Modified Base metrics that override base values to reflect compensating controls (for example, a network-reachable flaw on a host that has no network exposure). Like the temporal metrics, they only exist if you compute them.

Reading CVSS Scores

The bands are the CVSS v3.x/v4.0 qualitative severity rating scale; the response column is the usual operational reading of them.

Score Range   Severity   Recommended Response
9.0-10.0      Critical   Immediate action
7.0-8.9       High       Urgent response
4.0-6.9       Medium     Planned remediation
0.1-3.9       Low        Consider risk acceptance
0.0           None       No action

The Limitations of CVSS

1. Lack of Context

Base metrics measure technical severity, not the context the vulnerable component sits in. A CVSS 9.0 vulnerability on an internet-facing system carries vastly different real-world risk than the same flaw on an air-gapped one, and the same goes for the business value of the asset. The environmental metrics exist for exactly this purpose, but nobody publishes them for you; they are only as good as the asset inventory and exposure data the organization feeds into them.

2. Ignoring Exploitability

Only a small fraction of published CVEs, commonly put at 2-5%, are ever exploited in the wild, and that holds even among those rated High or Critical. CVSS measures how bad exploitation would be, not how likely it is, so on its own it cannot separate "truly dangerous" from "theoretically severe but practically unexploited".

3. Score Inflation

The proportion of vulnerabilities rated Critical (9.0+) has grown over the years. No team can treat every Critical with the same urgency, so a further prioritization layer on top of the score is unavoidable.

4. Static Assessment

Base scores are, by design, fixed at publication. Real-world risk shifts with exploit code releases, active attack campaigns, and patch availability. The temporal (v4.0: threat) metrics were meant to capture this, but since the NVD and most scanners publish base scores only, the shift rarely reaches the number teams actually act on.

Beyond CVSS

Modern vulnerability management recommends combining multiple signals:

  • EPSS (Exploit Prediction Scoring System, also maintained by FIRST): an estimated probability that the vulnerability will be exploited in the wild within the next 30 days, refreshed daily
  • KEV (CISA's Known Exploited Vulnerabilities catalog): vulnerabilities with confirmed in-the-wild exploitation, each with a remediation deadline for US federal agencies
  • Business Impact (BI) Score: Business criticality of the affected system
  • Exposure: External accessibility of the vulnerable asset
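The following is an added illustration of combining those signals into a single ranking. It is not code from the original page and it is not PentaTrail's TDL/TER method; the weights, the KEV floor of 0.9, the 0.3 reachability factor for internal hosts and the sample findings are all constructed assumptions chosen to show the ordering the article argues for (a CVSS 9.8 that nobody exploits on a low-value internal host ending up below a Medium on an exposed, heavily exploited one).

```python
"""Ranking findings by combining CVSS with exploitation and exposure signals.

Added illustrative example; not code from the original page and not
PentaTrail's TDL/TER method. The weights, the KEV floor, the internal
reachability factor and the sample findings are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    asset: str
    cvss: float             # CVSS base score, 0.0-10.0
    epss: float             # EPSS: probability of exploitation in the next 30 days
    in_kev: bool            # listed in CISA's Known Exploited Vulnerabilities catalog
    internet_exposed: bool  # reachable from the internet
    business_impact: int    # organisation-defined criticality, 1 (low) to 5 (crown jewel)


KEV_FLOOR = 0.9        # assumption: confirmed exploitation outweighs a low EPSS estimate
INTERNAL_REACH = 0.3   # assumption: attacker first needs a foothold, but it is not zero


def likelihood(f: Finding) -> float:
    """EPSS is a prediction; KEV membership is evidence, so it sets a floor."""
    return max(f.epss, KEV_FLOOR if f.in_kev else 0.0)


def reach(f: Finding) -> float:
    """How reachable the vulnerable component is for an external attacker."""
    return 1.0 if f.internet_exposed else INTERNAL_REACH


def consequence(f: Finding) -> float:
    """Technical severity (CVSS) scaled by what the asset is worth to the business."""
    return (f.cvss / 10.0) * (f.business_impact / 5.0)


def priority(f: Finding) -> float:
    """0-100: likelihood x reachability x consequence."""
    return 100.0 * likelihood(f) * reach(f) * consequence(f)


def triage(findings):
    """Return findings ordered from most to least urgent."""
    return sorted(findings, key=priority, reverse=True)


def explain(f: Finding) -> str:
    """Short, human-readable list of what drove the priority."""
    drivers = []
    if f.in_kev:
        drivers.append("in KEV")
    if f.epss >= 0.5:
        drivers.append(f"EPSS {f.epss:.0%}")
    drivers.append("internet-facing" if f.internet_exposed else "internal only")
    drivers.append(f"BI {f.business_impact}/5")
    return ", ".join(drivers)


# Constructed sample findings; no real CVE identifiers are implied.
SAMPLE = [
    Finding("build-server-internal", cvss=9.8, epss=0.02, in_kev=False,
            internet_exposed=False, business_impact=2),
    Finding("vpn-gateway", cvss=7.5, epss=0.35, in_kev=True,
            internet_exposed=True, business_impact=4),
    Finding("payments-api", cvss=9.1, epss=0.85, in_kev=False,
            internet_exposed=True, business_impact=5),
    Finding("marketing-site", cvss=5.3, epss=0.97, in_kev=False,
            internet_exposed=True, business_impact=3),
]

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{priority(f):5.1f}  CVSS {f.cvss:4.1f}  {f.asset:22s} {explain(f)}")
```

Sorting by CVSS alone would put the internal build server first; with likelihood and reach folded in it lands last, while the CVSS 7.5 on the VPN gateway rises because KEV membership is treated as evidence rather than as one more estimate. Whatever weights a team settles on, the structural point is the same: likelihood, reachability and consequence are separate questions, and CVSS only answers the last one.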

PentaTrail/CTEM combines CVSS with EPSS and the BI Score to derive the Threat Discovery Level (TDL), then classifies findings into the TER band (S/A/B/C/D) to identify what truly requires action.

To try prioritization that combines CVSS with EPSS, Start Your 14-Day Free Trial.

Visualize your attack surface with PentaTrail/CTEM

From discovery to vulnerability validation and remediation — all powered by the CTEM framework.

Get Started