
What is Common Vulnerability Scoring System (CVSS)?

Common Vulnerability Scoring System, or CVSS, is an open framework used to rate the technical severity of cybersecurity vulnerabilities. It gives each vulnerability a numerical score, usually from 0.0 to 10.0, so security teams can compare vulnerabilities in a consistent way. It helps answer: How severe is this vulnerability from a technical standpoint? Security teams often use CVSS scores when reviewing CVEs, vulnerability scanner results, vendor advisories, and patch priorities.

How Does CVSS Scoring Work?

CVSS scores come from different metrics that describe how a vulnerability can be exploited and what impact it may have. These metrics may look at factors such as attack complexity, required privileges, user interaction, and impact on confidentiality, integrity, and availability.

A higher score usually means a more severe vulnerability. For example:

Score range   Severity
0.0           None
0.1–3.9       Low
4.0–6.9       Medium
7.0–8.9       High
9.0–10.0      Critical

Main CVSS Metric Groups

Each CVSS version organizes its metrics into groups that are used to calculate or adjust severity. In CVSS v4.0, the main groups are:

  • Base metrics: Describe the core technical characteristics of the vulnerability.
  • Threat metrics: Add information about real-world threat activity.
  • Environmental metrics: Adjust severity based on an organization’s environment.
  • Supplemental metrics: Provide extra context that can support decision-making.

Why is CVSS Important?

CVSS helps teams communicate vulnerability severity clearly. Instead of relying only on vague terms like “serious” or “minor,” teams can use a standard scoring system to support triage and remediation planning.

It is useful for:

  • Comparing vulnerabilities across vendors and systems
  • Prioritizing patching work
  • Supporting vulnerability reports
  • Tracking remediation SLAs
  • Helping security and IT teams speak a common language

What CVSS Does Not Tell You

CVSS measures severity, not complete business risk. A vulnerability with a high score may not be exploitable in your environment, while a medium-score issue may be urgent if it affects a critical, internet-facing system. Teams should combine CVSS with asset importance, exploit availability, exposure, compensating controls, and business impact before deciding what to fix first.
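The following added example (not code from the page or from Hexnode) shows the point above in working code: a small triage ranking in which the CVSS base score is only the starting point and exposure, exploit availability, asset importance and compensating controls move a finding up or down the queue. The weights are assumptions chosen for illustration, not a published standard (CVSS itself defines Environmental and Threat metrics for this purpose; this example shows the idea rather than those formulas). Hostnames and CVE identifiers in the sample inventory are placeholders.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    cve: str                  # placeholder ids below, not real CVEs
    cvss: float               # CVSS base score, 0.0 - 10.0
    internet_facing: bool     # reachable from outside the organization
    exploit_public: bool      # exploit code or in-the-wild activity is known
    asset_criticality: str    # "low" | "medium" | "high"
    mitigated: bool = False   # a compensating control already blocks the path


# Assumed weights for illustration only.
CRITICALITY_WEIGHT = {"low": 0.0, "medium": 1.0, "high": 2.0}


def priority(f: Finding) -> float:
    """Rank score: CVSS first, then context adjustments (assumed scale)."""
    p = f.cvss
    if f.exploit_public:
        p += 2.0          # severity becomes likelihood once an exploit exists
    if f.internet_facing:
        p += 1.5          # exposure widens the population of potential attackers
    p += CRITICALITY_WEIGHT[f.asset_criticality]
    if f.mitigated:
        p -= 3.0          # e.g. a network ACL or WAF rule already blocks the path
    return round(p, 1)


def rank(findings: list[Finding]) -> list[Finding]:
    """Highest priority first; the raw CVSS score breaks ties."""
    return sorted(findings, key=lambda f: (priority(f), f.cvss), reverse=True)


# Constructed sample inventory: a Critical-rated issue on an isolated,
# already-mitigated host versus a Medium-rated issue on an exposed, critical one.
SAMPLE = [
    Finding("build-server-01", "CVE-YYYY-AAAA", 9.8, False, False, "low", mitigated=True),
    Finding("web-portal-01", "CVE-YYYY-BBBB", 6.5, True, True, "high"),
    Finding("file-share-02", "CVE-YYYY-CCCC", 7.5, False, False, "medium"),
]

if __name__ == "__main__":
    for f in rank(SAMPLE):
        print(f"{priority(f):5.1f}  cvss={f.cvss:4.1f}  {f.host:16s} {f.cve}")
```

Run as written, the Medium-rated finding on the internet-facing, high-criticality portal comes out first and the Critical-rated but mitigated build server last, which is exactly the inversion the paragraph above warns about. The value of a scheme like this is less the specific numbers than that the reasoning is recorded and repeatable instead of living in someone's head.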

Turning Severity Scores into Endpoint Action

CVSS helps teams understand vulnerability severity, but organizations still need visibility into where affected software exists. Hexnode UEM can help IT teams track device and app inventory, monitor compliance, and manage endpoint policies.

Hexnode XDR adds vulnerability management, threat investigation, and remediation support for endpoint risks. Meanwhile, Hexnode IdP can help limit access from risky or non-compliant devices using identity-aware controls such as SSO, MFA, RBAC, and device posture checks.

Frequently Asked Questions (FAQs)

Is CVSS the same as CVE?

No. CVE identifies a known vulnerability, while CVSS rates the severity of that vulnerability using a standard scoring system.

Does a high CVSS score always mean a vulnerability should be fixed first?

Not always. Teams should also consider exposure, exploit activity, asset importance, and existing controls before prioritizing remediation.