CVSS 4.0 is shaking up vulnerability management. Here’s what’s changed


CVSS 4.0 urges companies to go beyond base scores, allowing them to more accurately judge the threat posed by particular vulnerabilities based on threat intelligence and environmental factors.

Companies using the Common Vulnerability Scoring System (CVSS) to prioritize software flaws for remediation have a problem: of the more than 25,000 vulnerabilities disclosed in 2022, more than half are rated high-severity or critical by their base scores, according to data from the National Vulnerability Database (NVD), a comprehensive listing of software flaws.

Nearing two decades old, CVSS is intended to let companies gauge the risk that software vulnerabilities pose. In practice, experts say, it tends to be used incorrectly: most organizations focus on the Base score without doing the work to determine how their own use of the software and the current threat landscape change a flaw's threat profile.

The Forum of Incident Response and Security Teams (FIRST) released the latest CVSS specification in November hoping to fix many of the issues and push users to go beyond the basics. More than previous versions, the latest CVSS requires that organizations go beyond the base score, Christopher Turner, a senior advisor with the NVD program at the U.S. National Institute of Standards and Technology (NIST), told README.

"Organizations really tend to only rely on the base metrics, and that's simply incorrect — that's not the way the specification was intended to be used," he said. "One of our big pushes in CVSS v4 is trying to really drive home the importance of using what is now called the Threat metric group and the Environmental metric group when performing holistic CVSS assessments."

The latest version of the spec revamps the standard in many areas, including the addition of more details that let companies better gauge the risks posed by these vulnerabilities. The new Threat metric group lets organizations consider whether a particular flaw is currently being exploited, for example, while the Environmental metric group captures whether the affected asset is shielded from the internet. Proponents say the updated standard will give organizations a more nuanced view of their vulnerabilities, helping them gauge where patching is most sorely needed. But it's unclear whether companies have a deep enough bench of cyber professionals, or enough knowledge of their own network infrastructure, to successfully engage with all the new metrics.

Adding Safety and more granularity

The previous version of CVSS — version 3.1 — added Scope to the scoring system, a measurement of whether a vulnerability in one component of a system affects other resources. Yet, that version retained the same three major scoring categories — Base, Temporal, and Environmental — used in previous incarnations of the rankings.

The latest version changes up the metrics, explicitly breaking out the impact to the vulnerable system from the impact to subsequent systems. Another major change is that CVSS 4 applies better to Internet of Things (IoT) and operational-technology (OT) devices with the addition of Safety metrics. An organization can determine whether an attack on the vulnerability could compromise a physical system in a way that undermines safety, a concern that has come under increased scrutiny recently following an Iranian-linked cyberattack on a U.S. water utility's OT gear. The increase in vulnerabilities discovered in industrial control systems and operational technology, up 78% between 2020 and 2022 according to Microsoft, makes measuring the impact of a vulnerability even more important.

Organizations need to be able to tell the difference between a vulnerable application that can cause harm and one that causes only inconvenience, Dave Dugal, CVSS special interest group (SIG) co-chair at FIRST, told README.

"Over time, we realized that the world changed some more," he said. "There are PLCs (programmable logic controllers) running Linux that could either make your fish tank a little too warm or cause a thermonuclear meltdown."

In addition, the CVSS Environmental score (CVSS-E) includes more information about the exploitability of the vulnerability, which differs from the Threat score's measure of whether an exploit exists, so it will have to keep up with the times, said Clint Merrill, product management lead for vulnerability intelligence at threat-intelligence firm Flashpoint.

"Because exploitability metrics change over time — unlike CVSS 3, where the score can be calculated once and left alone — CVSS 4's base score is inherently going to have to be recalculated more often because of new information specifically about exploitability," he said.

What's the use? Prioritization

CVSS scores are not static measurements; companies need to do work to make the scores useful. In the past, reported vulnerabilities tended to skew to higher severity levels because the majority of issues can be exploited remotely, do not require a complex process to exploit and do not require authentication. Using only the base score means that companies do not know which issue to patch first, FIRST's Dugal told README. By adding the Threat score (CVSS-T), organizations can factor in whether there is published proof-of-concept code or whether the vulnerability is being exploited in the wild and is listed in the Known Exploited Vulnerabilities (KEV) catalog.

"Now you can look at the threat landscape and say, 'Well, I'm sure there's no active exploitation of this one, but this one has proof of concept, and this one is on the KEV the known exploit vulnerability list,' so I'm going to patch that one first," he said. "And the numbers reflect that."

The Environmental score should be used the same way. To determine the true risk a vulnerability poses using CVSS, companies need to maintain an up-to-date inventory of software assets as well as threat intelligence. An asset management database is necessary to calculate the Environmental metrics, while threat intelligence is necessary to gauge a vulnerability's Threat metrics, said Mayuresh Dani, a manager of threat research at Qualys.

"Of the five new metrics, [only] Base and Supplemental are to be provided by the supplier whereas the remaining three ... rely on the end user," Dani said in a statement sent to README. "Unless organizations have manpower to add this data for use in vulnerability management processes, these fields will not be used, which will in turn just leverage the supplier provided scores."

If a company does not know whether a vulnerability affects a critical asset, the specification directs the organization to assume the worst case. Moreover, the way CVSS implements the Environmental metrics means that companies can add the information incrementally as they delve into their infrastructure and perform additional assessments.

"The nice thing about that is that once you do the assessment, you can apply that to every CVSS score that you receive," said FIRST's Dugal. "It's really a 'do it once and then you can apply it to all 200,000 CVEs that come down the pike,' but it isn't an all or nothing, thankfully, so if you want to focus on your top-10 [weaknesses] that you want to score first and leave the rest unknown, and take care of those later, that works as well."
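As an added example of the triage the preceding paragraphs describe (this is not code from the article, FIRST or NVD): the script below parses a CVSS 4.0 vector string, labels it with the 4.0 nomenclature (CVSS-B, -BT, -BE, -BTE), applies the spec's worst-case defaults for Threat and Environmental metrics a consumer has left Not Defined, and ranks patching by exploit maturity plus KEV membership. It does not reproduce the official 4.0 numeric scoring, which relies on lookup tables; the tier function and the vectors are constructed for illustration.

```python
# CVSS 4.0 metric keys as they appear in vector strings, grouped by metric group.
BASE = {"AV", "AC", "AT", "PR", "UI", "VC", "VI", "VA", "SC", "SI", "SA"}
THREAT = {"E"}
ENVIRONMENTAL = {"CR", "IR", "AR", "MAV", "MAC", "MAT", "MPR", "MUI",
                 "MVC", "MVI", "MVA", "MSC", "MSI", "MSA"}
SUPPLEMENTAL = {"S", "AU", "R", "V", "RE", "U"}
ALL_KEYS = BASE | THREAT | ENVIRONMENTAL | SUPPLEMENTAL

# Worst-case values the spec substitutes when a consumer leaves a metric
# Not Defined (X): Exploit Maturity scores as Attacked, requirements as High.
WORST_CASE = {"E": "A", "CR": "H", "IR": "H", "AR": "H"}

def parse_vector(vector):
    """Parse 'CVSS:4.0/AV:N/...' into a dict, rejecting unknown or repeated metrics."""
    head, *parts = vector.split("/")
    if head != "CVSS:4.0":
        raise ValueError("not a CVSS 4.0 vector string")
    metrics = {}
    for part in parts:
        key, sep, value = part.partition(":")
        if key not in ALL_KEYS or not sep or not value:
            raise ValueError(f"unknown metric {part!r}")
        if key in metrics:
            raise ValueError(f"duplicate metric {key}")
        metrics[key] = value
    missing = BASE - metrics.keys()
    if missing:
        raise ValueError(f"missing base metrics: {sorted(missing)}")
    return metrics

def nomenclature(metrics):
    """CVSS-B, CVSS-BT, CVSS-BE or CVSS-BTE, depending on which groups were supplied."""
    has_t = any(metrics.get(k, "X") != "X" for k in THREAT)
    has_e = any(metrics.get(k, "X") != "X" for k in ENVIRONMENTAL)
    return "CVSS-B" + ("T" if has_t else "") + ("E" if has_e else "")

def effective(metrics):
    """Copy of the metrics with Not Defined consumer metrics filled with worst-case values."""
    filled = dict(metrics)
    for key, worst in WORST_CASE.items():
        if filled.get(key, "X") == "X":
            filled[key] = worst
    return filled

def patch_priority(metrics, in_kev):
    """Constructed triage tier (1 = patch first) from Exploit Maturity plus KEV listing."""
    exploit_maturity = effective(metrics)["E"]
    if in_kev or exploit_maturity == "A":
        return 1   # attacked in the wild, or listed in KEV
    if exploit_maturity == "P":
        return 2   # public proof-of-concept code exists
    return 3       # unreported exploitation: schedule, but with lower urgency
```

Note that a base-only vector lands in tier 1: with Exploit Maturity left Not Defined, the spec's worst-case substitution treats the flaw as attacked, which is exactly why consumers that never fill in the Threat group see so many "critical" findings.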

Will laggards leave CVSS 2 behind?

FIRST hopes that the improvements will mean quick adoption of CVSS 4. Companies are typically slow to adopt the newest version of any technology, and vulnerability-rating standards are no different. In fact, as many as 20% of companies are still using the much older CVSS version 2, which is more than 15 years old, said Flashpoint's Merrill.

"It's oftentimes the more nimble and exploratory companies that will adopt a new standard and give it a run," he said. "The more mature organizations have a lot of automation tied to scoring levels, and their responses have a lot of connections within their security automation environment, and so, ironically, the bigger and more complex and mature you [are] can be a hindrance to adopting a new standard."

While patch prioritization is the obvious application of the standard, companies could also use it for more granular risk mitigation, Merrill said. By determining which changes in an environment have the greatest effect on a risk score, companies could proactively adopt strategies such as micro-segmentation or virtual patching using application firewalls.

"One of the mitigations could be having dynamic firewall rules which close off an asset from its peers, or maybe remove access from the internet for a period of time while that asset is considered to be at risk," he said.

In the end, the improvements to the CVSS specification mean little if organizations do not use them, he added.