CVE · Forensics · Intermediate

CVE and CVSS Scoring: A Practical Guide

What makes a vulnerability Critical vs High vs Medium? Learn how the CVSS scoring system works and how to use it to prioritize your patch management.

December 14, 2024 · 10 min read

What is a CVE?

A CVE (Common Vulnerabilities and Exposures) is a unique identifier for a specific, publicly known security vulnerability. Maintained by MITRE Corporation under contract with the US Department of Homeland Security, the CVE system provides a common language for discussing vulnerabilities across tools, vendors, and organizations.

A CVE ID looks like this: CVE-2021-44228. The year (2021) indicates when the CVE was assigned, and the number (44228) is a sequential identifier. The famous Log4Shell vulnerability in Apache Log4j carries this identifier.

When a security researcher discovers a vulnerability, they report it to a CVE Numbering Authority (CNA) — which could be MITRE, a software vendor, or a national CERT. The CNA reserves a CVE ID and publishes it along with a standardized description.

The NIST National Vulnerability Database

MITRE maintains the CVE list, but the NIST National Vulnerability Database (NVD) enriches each CVE entry with additional data:

  • CVSS scores — standardized severity ratings
  • CPE configurations — affected product versions in a machine-readable format
  • CWE classifications — the underlying weakness type (e.g., CWE-79 for XSS)
  • References — patches, advisories, proof-of-concept exploits

The NVD contains over 200,000 CVE entries and is updated continuously. It's the primary authoritative source for vulnerability data used by security tools, scanners, and patch management systems.

CVSS scoring explained

CVSS (Common Vulnerability Scoring System) provides a numerical score from 0 to 10 representing the severity of a vulnerability. The current version is CVSSv3.1.

The score is calculated from multiple metrics grouped into three categories: Base (intrinsic characteristics), Temporal (current exploit status), and Environmental (organization-specific impact). In practice, most tools display only the Base score.

Base metrics

Metric                    Options                              What it measures
Attack Vector (AV)        Network, Adjacent, Local, Physical   How far away must the attacker be?
Attack Complexity (AC)    Low, High                            How difficult is the attack to execute?
Privileges Required (PR)  None, Low, High                      What access does the attacker need first?
User Interaction (UI)     None, Required                       Does a user need to take action?
Scope (S)                 Unchanged, Changed                   Does the vulnerability affect other components?
Confidentiality (C)       None, Low, High                      Impact on data exposure
Integrity (I)             None, Low, High                      Impact on data modification
Availability (A)          None, Low, High                      Impact on service availability

Log4Shell (CVE-2021-44228) scored 10.0 — the maximum — because it was remotely exploitable (Network), required no special privileges or user interaction, and enabled full system compromise (High for all three impact metrics).

Severity bands

Rating     Score range   Typical meaning
Critical   9.0 – 10.0    Remote code execution, no interaction, full system compromise
High       7.0 – 8.9     Significant exposure with limited constraints on attacker
Medium     4.0 – 6.9     Meaningful impact but requires privileges, interaction, or local access
Low        0.1 – 3.9     Limited impact or very difficult to exploit
None       0.0           No security impact

Limitations of CVSS

CVSS scores are widely used but have significant limitations that make them insufficient as the sole basis for patch prioritization:

  • CVSS doesn't know your environment. A Critical RCE vulnerability in software you don't run is less urgent than a Medium vulnerability in your internet-facing login system.
  • CVSS doesn't reflect exploit availability. A 9.8 vulnerability with no public exploit may be less urgent than a 7.2 with a weaponized Metasploit module.
  • CVSS scores change. Scores are sometimes revised as more information emerges. A vulnerability initially scored Medium can be upgraded to Critical after a reliable exploit is published.
  • CVSS ignores compensating controls. A network-exploitable vulnerability behind a WAF or in a network segment with no external access has different real-world risk.

Patch prioritization in practice

A practical vulnerability prioritization framework combines CVSS with additional signals:

  • EPSS (Exploit Prediction Scoring System) — a probability score for whether a CVE will be exploited in the wild within 30 days, based on threat intelligence data.
  • CISA KEV (Known Exploited Vulnerabilities) — CISA's catalog of CVEs actively exploited in the wild. If a CVE is on this list, treat it as highest priority regardless of CVSS score.
  • Asset criticality — vulnerabilities in internet-facing, authentication, or data-handling systems are higher priority than internal dev tools.
  • Exploit availability — is there a public PoC? A Metasploit module? Automated exploit?

A vulnerability with a CVSS score of 7.5 that's on CISA KEV and has a Metasploit module should be patched before a 9.8 vulnerability with no public exploit in software you run on an isolated internal server.
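The following added example (not the article's or any vendor's tool) turns the prioritization rule just described into a sortable key: anything on CISA KEV is tier 1 regardless of CVSS, a public exploit against an exposed asset is tier 2, and the rest is ordered by CVSS scaled by asset criticality and EPSS. The tier thresholds, asset weights and EPSS multiplier are illustrative assumptions, and the CVE numbers in the sample inventory are constructed placeholders, not real entries.

```python
"""Patch-prioritization ranker (added example; not the article's or any vendor's tool).

Combines the signals the article lists (CVSS, EPSS, CISA KEV, asset
criticality, exploit availability) into a priority key that can be sorted.
Weights and thresholds are illustrative assumptions, not a standard.
"""
from dataclasses import dataclass

# Ordinal scale for exploit availability (assumption; mirrors the article's bullet).
EXPLOIT_MATURITY = {"none": 0, "poc": 1, "metasploit": 2, "automated": 3}
# Asset criticality multiplier (assumption): exposed or sensitive systems first.
ASSET_WEIGHT = {"internet-facing": 1.0, "authentication": 1.0, "data-handling": 0.9,
                "internal": 0.5, "isolated": 0.2}


@dataclass
class Finding:
    cve: str        # placeholder identifiers in the sample below
    cvss: float     # CVSS v3.1 base score as published
    epss: float     # EPSS probability, 0.0 - 1.0
    kev: bool       # listed in CISA KEV?
    exploit: str    # key of EXPLOIT_MATURITY
    asset: str      # key of ASSET_WEIGHT
    host: str


def priority_key(f: Finding) -> tuple:
    """Sort key: a larger tuple means patch sooner.

    Tier 3 (highest): on CISA KEV, regardless of CVSS (the article's rule).
    Tier 2: a public exploit exists AND the asset is exposed or sensitive.
    Tier 1: everything else, ordered by CVSS scaled by asset weight and EPSS.
    """
    maturity = EXPLOIT_MATURITY[f.exploit]
    weight = ASSET_WEIGHT[f.asset]
    if f.kev:
        tier = 3
    elif maturity >= 1 and weight >= 0.9:
        tier = 2
    else:
        tier = 1
    risk = f.cvss * weight * (0.5 + f.epss)   # assumption: EPSS as a 0.5x - 1.5x multiplier
    return (tier, maturity, risk, f.cvss)


def prioritize(findings: list) -> list:
    """Return findings ordered from patch-first to patch-last."""
    return sorted(findings, key=priority_key, reverse=True)


def tier_label(f: Finding) -> str:
    return {3: "P1-KEV", 2: "P2-exploit-exposed", 1: "P3-scheduled"}[priority_key(f)[0]]


# Constructed sample inventory (placeholder CVE numbers, not real entries).
SAMPLE = [
    Finding("CVE-0000-0001", 9.8, 0.02, False, "none", "isolated", "build-box-03"),
    Finding("CVE-0000-0002", 7.5, 0.71, True, "metasploit", "internet-facing", "vpn-gw-01"),
    Finding("CVE-0000-0003", 6.1, 0.30, False, "poc", "authentication", "sso-portal"),
    Finding("CVE-0000-0004", 8.8, 0.05, False, "none", "internal", "wiki-01"),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        print(f"{tier_label(f):20} cvss={f.cvss:4.1f} epss={f.epss:.2f} {f.cve} {f.host}")
```

With the sample inventory, the 7.5 finding on KEV with a Metasploit module on the VPN gateway sorts first and the 9.8 finding on the isolated build box sorts last, exactly the ordering the paragraph above argues for. Swapping in a CVSS-only sort (`key=lambda f: f.cvss`) inverts that order, which is the failure mode the article warns about.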

Search and explore CVE data using our CVE Vulnerability Search — query the NIST NVD database by CVE ID or keyword and view CVSS scores, descriptions, and affected product configurations.