CVSS score

• 2 min to read •

What is a CVSS Score?

The CVSS (Common Vulnerability Scoring System) is an independently assigned score (out of 10) which is based on a large number of factors to determine the importance of a vulnerability.

To compare CVSS scores, let’s look at how Microsoft scores their vulnerabilities. Microsoft’s rating system is relatively simple:

  • Critical – A vulnerability that could allow remote code execution without user interaction or where code executes without warnings or prompts.
  • Important – Vulnerabilities where the client is compromised with warnings or prompts and whose exploitation could result in compromise of data.
  • Moderate – The impact is mitigated by numerous factors such as authentication or non-default applications being affected.
  • Low – The impact is comprehensively mitigated by the characteristics of the mitigated component.
  • NA – Not Available

Generating the CVSS score is highly complex, but it takes into consideration the following important questions:

  • How easy is the vulnerability to be exploited?
  • Do you need network or physical access and do you need elevated privileges?
  • Can you exploit over the internet or do you need physical access?
  • Is specific software or configuration of software needed?
  • Does it impact everything?
  • How much end-user interaction is needed?

Each of the above (and much more) are arranged in a sub score that is calculated together. The CVSS score is then calculated out of 10. Industry experts believe this offers the most accurate way to determine the priority of how quickly you must take action if any of these vulnerabilities exist within your environment.

Discovery: Syxsense-Issued Severity Rating

 

None 0.0
Low 0.1 – 3.9
Medium 4.0 – 6.9
High 7.0 – 8.9
Critical 9.0 – 10.0

 

 

Last Update: July, 2024

Copyright ©2024 by Syxsense, Inc. All Rights Reserved