Common vulnerability scoring system (CVSS)
Published May 31, 2025
The good, bad and what's better
CVSS gives you a standard way to measure vulnerability severity, but doesn’t show you what’s truly risky in your unique environment. This guide explains how CVSS works, its limitations and why combining it with real-world signals like exploit likelihood, asset value and cloud exposure is crucial for smarter prioritization.
Key concepts
- What is CVSS in cybersecurity?
- How CVSS works: metrics, weights and score ranges
- Why CVSS matters, and why it’s not enough
- CVSS and risk-based prioritization
- CVSS in cloud and identity-aware environments
- CVSS vs other scoring models
- Vulnerability scoring and vulnerability management
- Vulnerability scoring and exposure management
- CVSS in compliance and audit reporting
- CVSS implementation challenges, and how to solve them
- Tenable One scoring: What CVSS alone can’t show you
- CVSS FAQs
- Bringing it all together: Scoring smarter
- CVSS Resources
- CVSS Products
What is CVSS in cybersecurity?
You face too many vulnerabilities to fix them all.
NIST recently reported that in 2024, it received 32% more vulnerability submissions than the previous year, a trend it expects to continue throughout 2025.
The number of Common Vulnerabilities and Exposures (CVEs) grew similarly, by 20%, in 2024, and by the end of May 2025 there were more than 280,000 CVEs in the national vulnerability database.
With staggering numbers like these, your teams can’t possibly address every vulnerability — nor do they have to.
What you actually need is a way to focus on what matters most.
This is where CVSS comes in.
The Common Vulnerability Scoring System (CVSS) assesses a vulnerability’s technical severity.
Maintained by FIRST, CVSS assigns each vulnerability a score between 0.0 and 10.0, using a combination of exploitability and impact metrics. These scores help teams prioritize and communicate risk.
CVSS scoring is embedded in most vulnerability scanners, threat advisories and patch management workflows. It gives security teams a consistent method to compare vulnerabilities across systems and vendors.
Yet, while CVSS is foundational, it’s far from enough on its own.
CVSS doesn’t tell you what’s actually exploitable in your environment. It doesn’t account for business risk. And it doesn’t adapt to attacker behavior.
That’s why Tenable uses CVSS as a starting point, but then builds on it with a Vulnerability Priority Rating (VPR), real-time threat signals, cloud identity context and unified scoring through Tenable One.
Let’s break down how CVSS works, where it falls short, and how to use it within a smarter risk-based approach to vulnerability management.
How CVSS works: metrics, weights and score ranges
CVSS scores are computed from three standardized metric groups: base, temporal and environmental.
Base metrics
Inherent vulnerability characteristics:
- Attack vector (AV)
  - Can an attacker exploit the vulnerability over a network, from an adjacent network, locally or physically?
  - Remotely reachable flaws (AV:N) score higher.
- Attack complexity (AC)
  - Does the exploit require configuration quirks, timing or uncommon system states?
- Privileges required (PR)
  - How much access does an attacker need before they can exploit the vulnerability?
- User interaction (UI)
  - Does the attack require a user to click a link, open a file or take other actions?
- Scope (S)
  - Does the vulnerability affect only the vulnerable component, or does its impact cross a security boundary into other components?
- Impact (C/I/A)
  - Measures the loss of confidentiality, integrity and availability.
Temporal metrics
These adjust the score based on the current exploit landscape:
- Exploit code maturity
  - Is there public exploit code?
- Remediation level
  - Is a patch available?
- Report confidence
  - How well-verified is the vulnerability?
Environmental metrics
These help you modify scores based on your environment:
- Security requirements
  - How important are confidentiality, integrity and availability to your business?
- Modified base metrics
  - Use these when controls or mitigations reduce severity.
Severity bands
CVSS scores then fall into these severity bands:
- None (0.0)
- Low (0.1–3.9)
- Medium (4.0–6.9)
- High (7.0–8.9)
- Critical (9.0–10.0)
Want to see how CVSS fits into a modern vulnerability management program? Explore Tenable Vulnerability Management to see how it pairs static scoring with automation-ready prioritization.
Why CVSS matters, and why it’s not enough
CVSS gives you a shared language to describe severity. It helps your security teams triage, infrastructure teams prioritize and executives understand what’s critical — in theory.
When everyone works from the same score, you can:
- Automate patching thresholds
- Set service-level agreements (SLAs) based on severity levels
- Standardize dashboards and reporting
- Align remediation teams around common definitions of risk
But severity isn’t risk. CVSS doesn’t tell you:
- Whether an attacker could exploit a vulnerability in your environment
- Whether it affects your most sensitive assets
- Whether attackers are actively using it
That’s where a vulnerability priority rating changes the game.
CVSS and risk-based prioritization
If CVSS tells you how bad a vulnerability could be, risk-based prioritization tells you what you should fix first. That distinction is crucial.
Tenable uses CVSS as a baseline, then layers on VPR to help you understand:
- Are attackers exploiting this vulnerability in the wild?
- Does it expose business-critical systems?
- Is it reachable from the outside?
- Could a threat actor use it as part of a privilege escalation or lateral movement path?
Tenable VPR includes:
- Exploit availability and activity from real-world sources
- Threat intelligence and attacker behavior mapping
- Asset criticality based on business importance
- Exposure paths, including identity misuse and cloud configuration risk
Example:
- A vulnerability has a CVSS score of 9.8. Going by the CVSS score alone, you would address it immediately.
- The VPR difference: The VPR shows you that the vulnerability affects an internal test server with no user data, limiting its impact if an attacker exploits it. Suddenly, a vulnerability with a 9.8 CVSS doesn’t seem so urgent.
- Meanwhile, the VPR flags a vulnerability with a lower CVSS score; because it sits on a public-facing workload tied to customer records and threat actors are actively scanning for it, it takes priority over the vulnerability with the higher CVSS score.
That’s the value of risk-based prioritization and scoring methods, and why you shouldn’t use CVSS in isolation.
Learn more about how the Tenable Vulnerability Priority Rating (VPR) builds on CVSS to factor in exploitability, attacker behavior and asset importance.
CVSS in cloud and identity-aware environments
In modern cloud environments, CVSS alone can be dangerously misleading.
Cloud assets are dynamic. Workloads spin up and down by the minute. A container that’s gone in 10 minutes doesn’t carry the same risk as a persistent database server.
Attack paths depend on identity. A medium-severity vulnerability on an asset associated with a highly privileged role can be more dangerous than a high-severity issue on an isolated endpoint.
Misconfigurations amplify exposure, especially in the cloud.
CVSS doesn’t account for:
- Cloud-specific misconfigurations
- Overly exposed identities
- Network reachability and lateral movement
- Ephemeral assets that temporarily expose high-value data
That’s where Tenable Cloud Security adds essential context. It integrates CVSS scoring with real-time cloud posture, so you can:
- See which vulnerabilities have external exposures
- Understand which identities can access them
- Detect chained risks across cloud and on-premises infrastructure
CVSS tells you, “This is a critical flaw.”
Tenable tells you, “This is a publicly exposed and exploitable critical flaw that’s tied to admin credentials.”
That’s the one you fix first.
Tenable Cloud Security connects the dots between CVSS, cloud misconfigurations and IAM risk. Secure your cloud attack surface with continuous context.
CVSS vs other scoring models
CVSS is just one piece of the vulnerability prioritization puzzle. Let’s look at how it compares to other common models.
Exploit Prediction Scoring System (EPSS)
EPSS estimates the probability that a vulnerability will be exploited in the wild within the next 30 days. It’s probabilistic, not severity-based.
- What it adds: Attacker behavior and statistical modeling
- What it misses: It doesn’t reflect business impact or environmental context
- How it works with CVSS: Combine them. CVSS tells you how bad; EPSS tells you how likely.
A CVSS 6.8 vulnerability with a 94% EPSS likelihood is probably more urgent than a 9.8 that an attacker has never exploited.
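The following added example (not Tenable's VPR or any code from the original page) shows one way to turn the "how bad times how likely, in context" reasoning of this section and the risk-based prioritization example earlier (internal test server vs. public-facing workload) into a ranking. The `risk_score` formula, the asset criticality scale and the CVE identifiers are all assumptions constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Finding:
    cve: str                   # identifier only: the "what", not the "how bad"
    cvss: float                # CVSS base score: technical severity
    epss: float                # EPSS: probability of exploitation in 30 days
    asset: str
    internet_facing: bool
    asset_criticality: int     # assumed scale: 1 (test/dev) .. 5 (customer data)
    actively_exploited: bool = False   # e.g. seen in a known-exploited feed


def cvss_band(score: float) -> str:
    """CVSS qualitative severity bands."""
    for ceiling, band in ((0.0, "None"), (3.9, "Low"), (6.9, "Medium"), (8.9, "High")):
        if score <= ceiling:
            return band
    return "Critical"


def risk_score(f: Finding) -> float:
    """Illustrative risk score (an assumption for this example, not VPR):
    severity (how bad) scaled by likelihood (how likely) and by where the
    flaw sits (exposure and asset value)."""
    likelihood = max(f.epss, 0.9 if f.actively_exploited else 0.0)
    # A small floor keeps a never-exploited Critical on a crown-jewel asset
    # from vanishing entirely from the queue.
    likelihood = max(likelihood, 0.05)
    exposure = (2.0 if f.internet_facing else 1.0) * f.asset_criticality / 5
    return round(f.cvss * likelihood * exposure, 2)


def prioritize(findings):
    """Return (cve, cvss, band, risk) tuples ordered by risk, highest first."""
    ranked = sorted(findings, key=risk_score, reverse=True)
    return [(f.cve, f.cvss, cvss_band(f.cvss), risk_score(f)) for f in ranked]


# Constructed sample findings mirroring the scenarios in the text
# (placeholder CVE ids, not real vulnerabilities).
SAMPLE = [
    Finding("CVE-0000-0001", 9.8, 0.01, "test-srv-01", False, 1),
    Finding("CVE-0000-0002", 6.8, 0.94, "web-api-prod", True, 5),
    Finding("CVE-0000-0003", 5.5, 0.30, "iam-gateway", True, 4, True),
    Finding("CVE-0000-0004", 9.8, 0.02, "db-customer-01", False, 5),
]

if __name__ == "__main__":
    for cve, cvss, band, risk in prioritize(SAMPLE):
        print(f"{cve}: CVSS {cvss} ({band}) -> risk {risk}")
```

In the sample data the 6.8 with a 94% EPSS ranks first and the 9.8 on the internal test server ranks last, which is the ordering the text argues for; the weights are the part you would tune to your own environment.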
Common Vulnerabilities and Exposures (CVEs)
A CVE is an identifier, not a score. It helps you track a specific vulnerability across tools, vendors and advisories.
- What it adds: Consistent tracking and documentation
- What it misses: It doesn’t tell you anything about risk
- How it works with CVSS: Pair the CVE (what) with the CVSS (how bad)
OWASP Risk Rating
Used mostly in application security, OWASP’s model is more manual and subjective. It evaluates factors such as detectability, ease of exploit and impact, which is useful for threat modeling but less so for large-scale prioritization.
So, what should you use?
CVSS + VPR + EPSS + asset context gives you a more complete risk picture.
Tenable One uses this model, integrating severity, likelihood, business impact and exposure into a single, prioritized view.
Vulnerability scoring and vulnerability management
Vulnerability management starts with identification, but it doesn’t stop there.
Once your scanning tool finds a vulnerability, you need a way to evaluate its severity and prioritize it for response.
That’s where vulnerability scoring plays a central role.
CVSS has long been the backbone of vulnerability scoring. It gives your teams a consistent way to assign severity levels based on exploitability and impact. It powers dashboards, patching SLAs, escalation rules and remediation plans.
But modern vulnerability management requires more than technical severity:
- You need to know if attackers are exploiting the vulnerability in the wild.
- You need to determine if it affects business-critical systems or exposes sensitive data.
- You need to align remediation with real-world risk, not theoretical scores.
That’s why Tenable integrates CVSS into a broader risk-based vulnerability management approach.
By combining CVSS with VPR and extending scoring with Tenable One, you can shift from chasing high CVSS numbers to acting on what’s exploitable, exposed and material.
Vulnerability scoring is central, but it’s now part of a dynamic system that adapts to attacker behavior and business needs.
Vulnerability scoring and exposure management
Scoring vulnerabilities is useful, but without understanding how those vulnerabilities contribute to your exposure, you’re only solving part of the problem.
Exposure management looks at all your preventable risks (vulnerabilities, misconfigurations, excessive permissions) together to identify the attack paths threat actors could exploit to cause the most damage, whether in the form of business disruption or exfiltration of sensitive data.
Exposure management also identifies and reduces the conditions that weaken your security posture. Those conditions include vulnerabilities and:
- Misconfigured cloud services
- Over-permissioned identities
- Insecure external assets
- Open ports, expired certificates, forgotten APIs
In this context, CVSS scoring provides the baseline severity of a vulnerability, but Tenable takes it further by integrating scoring into a broader continuous exposure management framework.
This is where Tenable One connects the dots between vulnerability risk and real-world exposure.
What does that look like?
- A CVSS 5.5 vulnerability might be ignored in isolation, but if it’s tied to an internet-facing system with weak IAM controls, Tenable One flags it as high risk.
- Conversely, a CVSS 9.8 might not create material exposure for your organization, so you may be able to deprioritize it unless its threat context changes.
This integration of scoring with exposure intelligence helps you:
- Focus remediation on the vulnerabilities that create high-risk attack paths
- Visualize how technical flaws intersect with identity risk and network posture
- Measure and report on reductions in true attack surface risk, as opposed to reporting on CVSS scores
When scoring is part of exposure management, it stops being a number and becomes a signal that drives action.
CVSS in compliance and audit reporting
Many compliance frameworks rely on CVSS to define and enforce vulnerability management requirements, but how regulatory bodies apply it varies.
Examples of CVSS in compliance:
- PCI DSS v4.0 requires remediation of vulnerabilities with a CVSS score of 7.0 or higher within a defined time frame.
- HIPAA doesn’t mandate a response to vulnerabilities with a specific CVSS score in a specific timeframe, but risk assessments using CVSS are widely accepted as part of a covered entity’s security program.
- NIST 800-53 and NIST Cybersecurity Framework map controls to CVSS-based thresholds for vulnerability tracking and remediation response.
- ISO/IEC 27001 recognizes CVSS as a tool for risk assessment in Annex A.12.6.1 (technical vulnerability management).
Auditors use CVSS to:
- Verify you’ve triaged vulnerabilities and acted on them based on defined thresholds
- Confirm SLAs are in place for high/critical scores
- Check that you meet and track remediation timelines
- Support documentation of compensating controls or risk acceptances for unresolved issues
Example: A quarterly audit may require evidence that you patched most vulnerabilities with CVSS 7.0+ within 30 days, or that you formally accepted the risk for those you did not.
By layering CVSS with the asset criticality and exploitability signals in Tenable One, you can also justify risk-based exceptions that meet compliance intent even when perfect remediation isn’t possible.
CVSS makes compliance defensible. Tenable makes it actionable.
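As an added example (not code from the original page or from Tenable), the following script produces the kind of evidence the audit example above asks for: it classifies each finding at or above a CVSS threshold as remediated within the SLA, remediated late, formally risk-accepted, still open or overdue. The threshold and window follow the page's example (7.0, 30 days); the findings, asset names and report date are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

SLA_THRESHOLD = 7.0   # CVSS score at or above which the remediation SLA applies
SLA_DAYS = 30         # remediation window, as in the audit example


@dataclass
class Finding:
    cve: str
    cvss: float
    asset: str
    first_seen: date
    fixed_on: Optional[date] = None
    risk_accepted: bool = False   # formally accepted, with documented rationale


def sla_status(f: Finding, today: date) -> str:
    """Classify one finding for the audit report."""
    if f.cvss < SLA_THRESHOLD:
        return "out-of-scope"
    if f.fixed_on is not None:
        return "met" if (f.fixed_on - f.first_seen).days <= SLA_DAYS else "missed"
    if f.risk_accepted:
        return "accepted"
    return "overdue" if (today - f.first_seen).days > SLA_DAYS else "open"


def audit_report(findings, today: date) -> dict:
    """Count findings per status; 'missed' and 'overdue' are the audit findings."""
    report: dict = {}
    for f in findings:
        status = sla_status(f, today)
        report[status] = report.get(status, 0) + 1
    return report


AS_OF = date(2025, 5, 31)   # report date, constructed for this example

# Constructed findings with placeholder CVE ids, not real vulnerabilities.
SAMPLE = [
    Finding("CVE-0000-0001", 9.8, "web-01", date(2025, 4, 1), fixed_on=date(2025, 4, 20)),
    Finding("CVE-0000-0002", 7.5, "web-02", date(2025, 3, 1), fixed_on=date(2025, 4, 15)),
    Finding("CVE-0000-0003", 8.1, "app-03", date(2025, 4, 10)),
    Finding("CVE-0000-0004", 7.2, "app-04", date(2025, 5, 20)),
    Finding("CVE-0000-0005", 9.0, "legacy-05", date(2025, 1, 15), risk_accepted=True),
    Finding("CVE-0000-0006", 5.5, "app-06", date(2025, 2, 1)),
]

if __name__ == "__main__":
    for f in SAMPLE:
        print(f"{f.cve} ({f.cvss}) on {f.asset}: {sla_status(f, AS_OF)}")
    print(audit_report(SAMPLE, AS_OF))
```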
CVSS implementation challenges, and how to solve them
While many organizations employ CVSS, using it effectively is challenging. This is especially true for large enterprises with complex attack surfaces and multiple IT, security and compliance teams.
But even smaller organizations often face similar issues.
Here are five common CVSS implementation challenges and ways to overcome them:
1. Scoring inconsistencies across tools
Problem: Different scanners may assign different CVSS scores or vectors to the same vulnerability, leaving teams unsure which score to trust.
Solution: Normalize scoring across your environment using a single trusted feed (e.g., the National Vulnerability Database (NVD)) and validate vector strings. The unified data model Tenable uses avoids discrepancies by consolidating findings across tools and environments.
2. Overreliance on CVSS for prioritization
Problem: CVSS is a measure of severity, not exploitability, reachability or business impact. Teams that only patch vulnerabilities with high CVSS scores often miss real risk.
Solution: Use dynamic risk signals from Tenable One, including VPR, exploit data and asset criticality. Combine CVSS with likelihood and exposure context to focus on what truly matters.
3. Neglected environmental metrics
Problem: Many organizations skip customizing CVSS to reflect their own security priorities, which leads to inaccurate prioritization.
Solution: Establish policies for environmental scoring. For example, if availability is mission-critical (e.g., in healthcare), raise its weighting in your customized CVSS formula. Tenable lets you automate score adjustments.
4. Siloed teams and fragmented tools
Problem: Without shared scoring logic or visibility, security, infrastructure and compliance teams operate in silos. Prioritization is subjective or duplicated.
Solution: Centralize visibility through Tenable One. It provides dashboards and alerts that incorporate CVSS but go further, with signals all teams can act on: cloud exposure, identity access paths, lateral movement risk and more.
5. Scaling CVSS requires context
In enterprise environments, CVSS is truly effective when paired with:
- Threat intelligence and exploit prediction
- AI and analytics to reduce false positives
- Business impact scoring
- Real-time cloud context and asset value
Tenable delivers all of this, turning static scoring into a dynamic, risk-based prioritization engine.
Tenable One scoring: What CVSS alone can’t show you
Tenable One combines the foundation provided by CVSS with real-world signals, asset intelligence and business context, creating a unified scoring model designed to prioritize what actually matters to your organization.
Why static CVSS scores fall short:
- They treat every environment the same
- They don’t know which systems are public-facing
- They don’t consider whether attackers are actively exploiting a vulnerability
- They don’t take into consideration asset value, privilege levels and attack paths
CVSS says: “This is technically severe.”
Tenable One asks: “Is this technically severe, exploitable, exposed and business-critical — right now?”
Tenable One scoring includes:
| Factor | CVSS | VPR | Tenable One |
|---|---|---|---|
| Technical severity (base metrics) | ✅ | ✅ | ✅ |
| Exploit likelihood and weaponization | ❌ | ✅ | ✅ |
| Asset criticality and sensitivity | ❌ | ❌ | ✅ |
| Identity and misconfiguration risk | ❌ | ❌ | ✅ |
| Cloud-native context and attack paths | ❌ | ❌ | ✅ |
| Prioritization by business impact | ❌ | ❌ | ✅ |
Scoring example: Prioritization in action
Let’s say you detect 120 vulnerabilities in your AWS environment:
- 45 have CVSS scores between 7.0 and 9.8
- Tenable One flags 22 as high-risk based on real-world signals
- Only seven intersect with your most sensitive workloads or exposed cloud identities
Tenable One helps you:
- Focus on the seven that actually create risk
- Reduce alert fatigue and patch backlog
- Align remediation with what your executive team truly cares about: revenue loss and reputational damage
Tenable One doesn’t replace CVSS. It enhances it, powering decisions with context, not just scores.
Ready to move beyond static scoring? Unify your view with Tenable One and prioritize based on exposure, exploitability and business impact.
CVSS FAQs
What is a CVSS score?
A CVSS score is a numeric rating from 0.0 to 10.0 that reflects the technical severity of a software vulnerability based on standardized metrics.
Is CVSS the same as risk?
No. CVSS shows severity, not likelihood or business impact. Risk depends on exploitability, exposure and context.
What’s the difference between CVSS and EPSS?
CVSS measures the severity of a vulnerability. EPSS estimates the likelihood a threat actor may exploit it within the next 30 days. Use both for better prioritization.
Can I customize CVSS scores?
Yes. You can apply environmental metrics to adjust for importance and compensating controls specific to your environment.
Does CVSS scoring differ between tools?
It can. CVSS vector interpretation is subjective. Always review the full vector string, not just the numeric score.
Is CVSS accepted in compliance audits?
Yes. CVSS scoring is recognized by PCI DSS, NIST, ISO 27001 and many other frameworks. Teams often use it to define patch SLAs and risk thresholds.
Can I use CVSS in DevSecOps workflows?
Absolutely. You can use CVSS in CI/CD pipelines to block builds, trigger automated remediation or enforce SLAs.
What’s the latest version of CVSS?
FIRST released CVSS v4.0 in 2023, offering more granularity and automation support. Organizations still widely use CVSS v3.1 today.
Where can I calculate a CVSS score?
Use the official CVSS calculator to plug in base, temporal and environmental values.
What is a CVSS assessment?
A CVSS assessment is the process of applying CVSS metrics to a known vulnerability to calculate its severity score, which you can use for triage or compliance purposes.
What is CVSS certification?
There is no formal CVSS certification, but many security certifications and courses (e.g., Certified Information Systems Security Professional (CISSP)) may include CVSS scoring as part of vulnerability analysis training.
What is a CVSS test?
A CVSS test usually involves testing how teams score or confirm a vulnerability. It may also involve using a CVSS calculator to simulate potential impact.
What is a CVSS vulnerability?
A CVSS vulnerability is a publicly disclosed vulnerability analyzed and scored using the CVSS framework, typically with a CVE ID.
CVE vs CVSS: What’s the difference?
A CVE is an identifier that tracks a specific vulnerability. CVSS is the scoring system that rates its severity.
Bringing it all together: Scoring smarter
CVSS is an essential starting point, but not the final answer.
It gives you a way to measure vulnerability severity consistently across systems, in a way that everyone understands, regardless of technical expertise.
However, today’s attack surfaces—spanning cloud, identity, OT and ephemeral assets—require an adaptable scoring model. One that sees exposure, not just theoretical impact. One that prioritizes based on business risk, not a number on a scale.
That’s what Tenable One delivers.
CVSS tells you how bad it could be. Tenable One tells you what to fix first.