Don’t let overlooked obligations become incidents. Learn how.
Utility navigation bar redirect icon
Portal LoginSupportBlogContact
Search
Close search
Huntress Logo in Teal
  • Platform Overview
    Managed EDR

    Get full endpoint visibility, detection, and response.

    Managed EDR

    Get full endpoint visibility, detection, and response.

    Managed ITDR: Identity Threat Detection and Response

    Protect your Microsoft 365 and Google Workspace identities and email environments.

    Managed ITDR: Identity Threat Detection and Response

    Protect your Microsoft 365 and Google Workspace identities and email environments.

    Managed SIEM

    Managed threat response and robust compliance support at a predictable price.

    Managed SIEM

    Managed threat response and robust compliance support at a predictable price.

    Managed Security Awareness Training Software

    Empower your teams with science-backed security awareness training.

    Managed Security Awareness Training Software

    Empower your teams with science-backed security awareness training.

    Managed ISPM

    Continuous Microsoft 365 and identity hardening, managed and enforced by Huntress experts.

    Managed ISPM

    Continuous Microsoft 365 and identity hardening, managed and enforced by Huntress experts.

    Managed ESPM

    Proactively secure endpoints against attacks.

    Managed ESPM

    Proactively secure endpoints against attacks.

    Integrations
    Integrations
    Support Documentation
    Support Documentation
    See Huntress in Action

    Quickly deploy and manage real-time protection for endpoints, email, and employees - all from a single dashboard.

    Huntress Cybersecurity
    See Huntress in Action

    Quickly deploy and manage real-time protection for endpoints, email, and employees - all from a single dashboard.

    Huntress Cybersecurity
  • Threats We Stop
    Phishing
    Phishing
    Business Email Compromise
    Business Email Compromise
    Ransomware
    Ransomware
    Infostealers
    Infostealers
    View Allright arrowView Allright arrow
    Industries We Serve
    Education
    Education
    Financial Services
    Financial Services
    State and Local Government
    State and Local Government
    Healthcare
    Healthcare
    Law Firms
    Law Firms
    Manufacturing
    Manufacturing
    Utilities
    Utilities
    View Allright arrowView Allright arrow
    Tailored Solutions
    MSPs
    MSPs
    Resellers
    Resellers
    SMBs
    SMBs
    Compliance
    Compliance
    What Gets Overlooked Gets Exploited

    Most days, nothing happens. But one day, something will.

    Huntress Cybersecurity
    Cybercriminals Have Evolved

    Get the intel on today’s cybercriminal groups and learn how to protect yourself.

    Huntress Cybersecurity
  • Pricing
  • Community Series
    The Product Lab

    Shape the next big thing in cybersecurity together.

    The Product Lab

    Shape the next big thing in cybersecurity together.

    Fireside Chat

    Real people. Real perspectives. Better conversations.

    Fireside Chat

    Real people. Real perspectives. Better conversations.

    Tradecraft Tuesday

    No products, no pitches – just tradecraft.

    Tradecraft Tuesday

    No products, no pitches – just tradecraft.

    _declassified

    Exposing hidden truths in the world of cybersecurity.

    _declassified

    Exposing hidden truths in the world of cybersecurity.

    Resources
    Upcoming Events
    Upcoming Events
    Ebooks
    Ebooks
    On-Demand Webinars
    On-Demand Webinars
    Videos
    Videos
    Whitepapers
    Whitepapers
    Datasheets
    Datasheets
    Cybersecurity Education
    Cybersecurity 101
    Cybersecurity 101
    Cybersecurity Guides
    Cybersecurity Guides
    Threat Library
    Threat Library
    Real Tradecraft, Real Results
    Real Tradecraft, Real Results
    2026 Cyber Threat Report
    2026 Cyber Threat Report
    The Huntress Blog
    When Cybersecurity and Cyber Insurance Don’t Quite Connect—And What We’re Doing Differently with Acrisure
    Huntress Cybersecurity
    When Cybersecurity and Cyber Insurance Don’t Quite Connect—And What We’re Doing Differently with Acrisure
    Huntress Cybersecurity
    How EvilTokens Turbocharges Old School Phishing with AI
    Huntress Cybersecurity
    How EvilTokens Turbocharges Old School Phishing with AI
    Huntress Cybersecurity
    “Service Agreement” Email Kickstarts Rogue RMM Tiflux Triple Threat
    Huntress Cybersecurity
    “Service Agreement” Email Kickstarts Rogue RMM Tiflux Triple Threat
    Huntress Cybersecurity
  • Why Huntress

    Go beyond AI in the fight against today’s hackers with Huntress Managed EDR purpose-built for your needs

    Huntress Cybersecurity
    Why Huntress

    Go beyond AI in the fight against today’s hackers with Huntress Managed EDR purpose-built for your needs

    Huntress Cybersecurity
    The Huntress SOC

    24/7 Security Operations Center

    The Huntress SOC

    24/7 Security Operations Center

    Reviews

    Why businesses of all sizes trust Huntress to defend their assets

    Reviews

    Why businesses of all sizes trust Huntress to defend their assets

    Case Studies

    Learn directly from our partners how Huntress has helped them

    Case Studies

    Learn directly from our partners how Huntress has helped them

    Community

    Get in touch with the Huntress Community team

    Community

    Get in touch with the Huntress Community team

    Compare Huntress
    Bitdefender
    Bitdefender
    Blackpoint
    Blackpoint
    Breach Secure Now!
    Breach Secure Now!
    Crowdstrike
    Crowdstrike
    Datto
    Datto
    SentinelOne
    SentinelOne
    Sophos
    Sophos
    Compare Allright arrowCompare Allright arrow
  • HUNTRESS HUB

    Login to access top-notch marketing resources, tools, and training.

    Huntress Cybersecurity
    HUNTRESS HUB

    Login to access top-notch marketing resources, tools, and training.

    Huntress Cybersecurity
    Partners
    MSPs

    Join our partner community to deliver expert-led managed security.

    MSPs

    Join our partner community to deliver expert-led managed security.

    Resellers

    Partner program designed to grow your cybersecurity business.

    Resellers

    Partner program designed to grow your cybersecurity business.

    Tech Alliances

    Driving innovation through global technology Partnerships

    Tech Alliances

    Driving innovation through global technology Partnerships

    Microsoft Partnership

    A Level-Up for Your Business Security

    Microsoft Partnership

    A Level-Up for Your Business Security

  • Press Release
    Huntress Announces Collaboration with Microsoft to Strengthen Cybersecurity for Businesses of All Sizes
    Huntress Cybersecurity
    Press Release
    Huntress Announces Collaboration with Microsoft to Strengthen Cybersecurity for Businesses of All Sizes
    Huntress Cybersecurity
    Our Story

    We're on a mission to shatter the barriers to enterprise-level security.

    Our Story

    We're on a mission to shatter the barriers to enterprise-level security.

    Newsroom

    Explore press releases, news articles, media interviews and more.

    Newsroom

    Explore press releases, news articles, media interviews and more.

    Meet the Team

    Founded by former NSA Cyber Operators. Backed by security researchers.

    Meet the Team

    Founded by former NSA Cyber Operators. Backed by security researchers.

    Careers

    Ready to shake up the cybersecurity world? Join the hunt.

    Careers

    Ready to shake up the cybersecurity world? Join the hunt.

    Awards
    Awards
    Contact Us
    Contact Us
  • Portal Login
  • Support
  • Blog
  • Contact
  • Search
  • Get a Demo
  • Start for Free
Portal LoginSupportBlogContact
Search
Close search
Get a Demo
Start for Free
HomeCybersecurity 101
Common Vulnerability Scoring System

What Is CVSS? Your Guide to Vulnerability Scoring

Written by: Lizzie Danielson

Published: 9/8/2025

woman at laptop
ChatGPT logoChatGPTOpens in new tabClaude logoClaudeOpens in new tabPerplexity logoPerplexityOpens in new tabGoogle Gemini logoGoogle AIOpens in new tab
AI sparkle iconSummarize This Page
ChatGPT logoChatGPTOpens in new tabClaude logoClaudeOpens in new tabPerplexity logoPerplexityOpens in new tabGoogle Gemini logoGoogle AIOpens in new tab
On This Page
Understanding CVSS: The Basics
The Three Pillars of CVSS Scoring
The Evolution of CVSS: why version matters
CVSS limitations: what it doesn't tell you
CVSS vs. CVE: understanding the relationship
Using CVSS effectively in your security program
Key takeaways for smart vulnerability management

CVSS (Common Vulnerability Scoring System) is a standardized framework that assigns numerical scores from 0-10 to security vulnerabilities, helping cybersecurity professionals prioritize which threats to tackle first. Higher scores indicate more severe vulnerabilities that pose greater risks to your systems.

Understanding CVSS: The Basics

Think of CVSS as a report card for vulnerabilities. Just like grades help teachers identify which students need the most attention, CVSS scores help security teams figure out which vulnerabilities deserve immediate action.

The scoring system ranges from 0 to 10, with severity levels that look like this:

  • 0.0: None

  • 0.1-3.9: Low

  • 4.0-6.9: Medium

  • 7.0-8.9: High

  • 9.0-10.0: Critical

But here's the thing—CVSS isn't just pulling numbers out of thin air. These scores are calculated using specific metrics that evaluate how exploitable a vulnerability is and what kind of damage it could cause.

The Three Pillars of CVSS Scoring

Base Metrics: The Foundation

Base metrics focus on the inherent characteristics of a vulnerability. They're like the DNA of the security flaw—these qualities don't change regardless of your specific environment.

Exploitability factors include:

  • Attack Vector: Can attackers exploit this remotely, or do they need physical access?

  • Attack Complexity: Is this vulnerability easy to exploit, or does it require advanced skills?

  • Privileges Required: Does the attacker need admin rights, or can anyone exploit this?

  • User Interaction: Must a user click something, or can this be exploited automatically?

Impact factors measure:

  • Confidentiality: How much sensitive data could be exposed?

  • Integrity: Can attackers modify or delete important information?

  • Availability: Will this vulnerability disrupt system access or functionality?

Temporal Metrics: The Reality Check

Temporal metrics acknowledge that vulnerabilities evolve over time. A brand-new vulnerability might seem scary on paper, but if there's no known exploit code and a patch is already available, the real-world risk drops significantly.

These metrics consider:

  • Exploit Code Maturity: Are working exploits publicly available?

  • Remediation Level: Is there an official patch, workaround, or just temporary fixes?

  • Report Confidence: How certain are we that this vulnerability actually exists and works as described?

Environmental Metrics: Your Specific Context

This is where CVSS gets personal. Environmental metrics let you adjust scores based on your organization's unique situation—because a "critical" vulnerability on an isolated test server isn't the same as one on your customer database.

Key considerations:

  • Security Requirements: How important is the affected system to your business?

  • Modified Base Metrics: Do your existing security controls reduce the vulnerability's impact?

The Evolution of CVSS: why version matters

CVSS has been around since 2003, evolving through several versions. Currently, most organizations use CVSS v3.1 (released in 2019), though CVSS v4.0 launched in 2023 with improved accuracy.

Here's why this matters: the same vulnerability can receive different scores depending on which CVSS version is used. According to SANS, one CVE showed a score of 5.5 (Medium) in CVSS v3 but only 2.1 (Low) in CVSS v2. That's a significant difference that could affect your remediation timeline!

CVSS limitations: what it doesn't tell you

While CVSS provides valuable standardization, it has some blind spots that security teams need to understand:

Context is everything: CVSS doesn't know your business. A "medium" vulnerability in your payment processing system might be more urgent than a "high" vulnerability in a development environment.

It's not a crystal ball: CVSS can't predict which vulnerabilities are actively being exploited in the wild. This is where complementary systems like EPSS (Exploit Prediction Scoring System) come in handy.

One size doesn't fit all: Your organization's risk tolerance, existing security controls, and asset criticality all influence how you should interpret CVSS scores.

CVSS vs. CVE: understanding the relationship

Here's a quick clarification that trips up many people: CVE and CVSS aren't the same thing, but they work together.

  • CVE (Common Vulnerabilities and Exposures): A unique identifier for specific vulnerabilities (like CVE-2014-0160 for Heartbleed)

  • CVSS: The scoring system that rates how severe each CVE is

Think of CVE as the name tag and CVSS as the danger rating. You need both to make informed decisions about vulnerability management.

Using CVSS effectively in your security program

Smart security teams don't rely on CVSS scores alone. Here's how to use them as part of a comprehensive approach:

  • Start with CVSS, but don't stop there: Use Base scores for initial triage, then factor in Temporal and Environmental metrics.

  • Consider your business context: A vulnerability affecting customer data deserves more attention than one on an internal wiki.

  • Look for active exploitation: Check threat intelligence feeds to see if vulnerabilities are being actively exploited.

  • Evaluate your existing controls: Network segmentation, WAFs, and other security measures can significantly reduce actual risk.

Key takeaways for smart vulnerability management

CVSS provides essential standardization for vulnerability assessment, but it's most effective when combined with business context and threat intelligence. Use Base scores for initial prioritization, but don't forget to factor in your organization's specific risk profile and existing security controls.

Remember: the goal isn't to chase perfect CVSS scores—it's to reduce real-world risk to your organization. Sometimes that means tackling a "Medium" vulnerability that affects critical business systems before addressing a "Critical" vulnerability that's well-contained.

Want to see how Huntress can help you move beyond simple CVSS scoring to comprehensive threat detection and response? Our platform combines vulnerability insights with real-time threat hunting to keep your organization secure.

ChatGPT logoChatGPTOpens in new tabClaude logoClaudeOpens in new tabPerplexity logoPerplexityOpens in new tabGoogle Gemini logoGoogle AIOpens in new tab
AI sparkle iconSummarize This Page
ChatGPT logoChatGPTOpens in new tabClaude logoClaudeOpens in new tabPerplexity logoPerplexityOpens in new tabGoogle Gemini logoGoogle AIOpens in new tab
On This Page
Understanding CVSS: The Basics
The Three Pillars of CVSS Scoring
The Evolution of CVSS: why version matters
CVSS limitations: what it doesn't tell you
CVSS vs. CVE: understanding the relationship
Using CVSS effectively in your security program
Key takeaways for smart vulnerability management

Frequently asked questions about CVSS

The Base Score only considers the vulnerability's inherent characteristics. The overall CVSS score can include Temporal and Environmental adjustments that reflect real-world conditions and your specific environment.

Not necessarily. While Critical vulnerabilities (9.0-10.0) are severe, you should also consider factors like asset criticality, exposure, and available exploits. A Critical vulnerability on an isolated system might be less urgent than a High vulnerability on a public-facing server.

Base scores typically don't change once assigned, but Temporal scores can shift as exploit code becomes available or patches are released. Environmental scores are unique to your organization and should be reassessed when your infrastructure changes.

You shouldn't change Base scores, but you can and should calculate Environmental scores that reflect your specific context. This might lower the effective score if you have strong compensating controls, or raise it if the affected asset is business-critical.

Most vulnerability scanners automatically pull CVSS Base scores from databases like the

National Vulnerability Database (NVD). However, they typically don't calculate Temporal or Environmental scores—that's up to your security team.

Glitch effectBlurry glitch effect
Glitch effect

Additional Resources

  • Read more about Vulnerability Management Lifecycle: Steps & Best Practices
    Vulnerability Management Lifecycle: Steps & Best Practices
    Vulnerability Management Lifecycle: Steps & Best Practices
    Learn the steps in vulnerability management, how to assess and prioritize risks, the best tools, and tips for a strong vulnerability management lifecycle.
  • Read more about What is Infrastructure as a Service (IaaS)? | Guide
    What is Infrastructure as a Service (IaaS)? | Guide
    What is Infrastructure as a Service (IaaS)? | Guide
    Learn what Infrastructure as a Service (IaaS) is, how it works, and why it's essential for modern cybersecurity. Complete guide with examples.
  • Read more about What is a Vulnerability in Cybersecurity? Types & Prevention
    What is a Vulnerability in Cybersecurity? Types & Prevention
    What is a Vulnerability in Cybersecurity? Types & Prevention
    Discover what a vulnerability is in cybersecurity, why it matters, and best practices for managing and reducing security risks.
  • Read more about What are Cyber Operations? Complete Guide
    What are Cyber Operations? Complete Guide
    What are Cyber Operations? Complete Guide
    Cyber operations are actions taken to protect, defend, or exploit systems and networks in the digital realm. Learn more in this complete guide.
  • Read more about What is an Exploit Pack? Definition & Defense Guide
    What is an Exploit Pack? Definition & Defense Guide
    What is an Exploit Pack? Definition & Defense Guide
    Learn how exploit packs work, why they're dangerous, and how to protect your organization from these automated cyberattack tools.
  • Read more about What is Extended Detection and Response (XDR)? Complete Guide
    What is Extended Detection and Response (XDR)? Complete Guide
    What is Extended Detection and Response (XDR)? Complete Guide
    Learn what XDR is, how it differs from EDR and SIEM, and why it's essential for modern cybersecurity. Complete guide for security professionals.
  • Read more about What Is a Honey Token? A Cybersecurity Trap for Intruders
    What Is a Honey Token? A Cybersecurity Trap for Intruders
    What Is a Honey Token? A Cybersecurity Trap for Intruders
    Learn what honey tokens are, how they work in cybersecurity, and why they’re essential for catching insider threats and unauthorized access. Learn more here.
  • Read more about What is an Asset in Cybersecurity? | Complete Guide
    What is an Asset in Cybersecurity? | Complete Guide
    What is an Asset in Cybersecurity? | Complete Guide
    Learn what constitutes a cybersecurity asset and why proper asset management is crucial for protecting your organization from cyber threats.
  • Read more about What is a Clientless VPN? Security Guide
    What is a Clientless VPN? Security Guide
    What is a Clientless VPN? Security Guide
    Learn what clientless VPNs are, their security limitations, and why context-aware access offers better protection for modern enterprises.
Glitch effectGlitch effect

Protect What Matters

Secure endpoints, email, and employees with the power of our 24/7 SOC. Try Huntress for free and deploy in minutes to start fighting threats.
Try Huntress for Free
Huntress Managed Security PlatformManaged EDRManaged EDR for macOSManaged EDR for LinuxManaged ITDRManaged SIEMManaged Security Awareness TrainingManaged ISPMManaged ESPMBook a Demo
PhishingComplianceBusiness Email CompromiseEducationFinanceHealthcareManufacturingState & Local Government
Managed Service ProvidersResellersIT & Security Teams24/7 SOCCase Studies
BlogResource CenterCybersecurity 101Upcoming EventsSupport Documentation
Our CompanyLeadershipNews & PressCareersContact Us
Huntress white logo

Protecting 250k+ customers like you with enterprise-grade protection.

Privacy PolicyCookie PolicyTerms of UseCookie Consent
Linkedin iconTwitter X iconYouTube iconInstagram icon
© 2025 Huntress All Rights Reserved.

Join the Hunt

Get insider access to Huntress tradecraft, killer events, and the freshest blog updates.

By submitting this form, you accept our Terms of Service & Privacy Policy