What is CVSS?
CVSS (Common Vulnerability Scoring System) is a free and open industry standard for assessing the severity of computer system security vulnerabilities. It provides a numerical score between 0.0 and 10.0 to represent the severity of a vulnerability, with 10.0 being the most severe.
CVSS Severity Levels
| Score Range | Severity | Color | Action Required |
|---|---|---|---|
| 0.0 | None | — | No action |
| 0.1 – 3.9 | Low | Yellow | Monitor |
| 4.0 – 6.9 | Medium | Orange | Plan remediation |
| 7.0 – 8.9 | High | Red | Prioritize fix |
| 9.0 – 10.0 | Critical | Dark Red | Immediate action |
CVSS v3.1 Metrics
CVSS v3.1 uses three metric groups:
Base Metrics (Intrinsic Properties)
- Attack Vector (AV) — Network, Adjacent, Local, Physical
- Attack Complexity (AC) — Low, High
- Privileges Required (PR) — None, Low, High
- User Interaction (UI) — None, Required
- Scope (S) — Unchanged, Changed
- Impact — Confidentiality, Integrity, Availability (each: None, Low, High)
Temporal Metrics (Change Over Time)
Account for factors that evolve — exploit code availability, remediation level, and report confidence.
Environmental Metrics (Context-Specific)
Allow organizations to customize the score based on their specific environment and the importance of affected assets.
CVSS v4.0
The latest version, CVSS v4.0 (released 2023), adds further granularity with new metrics including Attack Requirements and Provider Urgency, plus supplemental metrics such as Safety and Automatable.
Search on Zondex
Use the cvss: filter to search by CVSS score:
- `cvss:>=9.0` — find hosts with critical vulnerabilities
- `cvss:>=7.0` — find hosts with high-severity vulnerabilities or above
- `cve.count:>5` — find hosts with many known CVEs