Security teams continue to rely on the Common Vulnerability Scoring System (CVSS) as a useful, standardized framework for assessing software vulnerabilities’ potential severity and impact. Since its first release in 2005, the CVSS has undergone several iterations to reflect feedback from the broader security community, evolutions over time in IT environments, and changes in the cyberthreat landscape.
With an official publication date set for Oct. 1, 2023, CVSS 4.0 brings sweeping changes to the standard that aim to help companies better manage, prioritize and patch vulnerabilities before threat actors exploit them. This article gives an overview of some of the fundamental changes introduced in CVSS 4.0.
Before delving into the specifics of CVSS 4.0, it’s worth running through a brief primer on how the scoring system generally works.
The professional body that publishes and improves on the CVSS is known as FIRST (Forum of Incident Response and Security Teams). The international group of incident response teams in FIRST spans governments, commercial enterprises, academic institutions and other nonprofit entities. A collaborative approach involving input from multiple stakeholders, including vendors, security practitioners and other organizations, ensures the standard is practical and widely accepted.
CVSS offers a uniform scoring system that allows security professionals to quickly understand the severity of a vulnerability based on a numeric score that ranges in severity from 0 to 10. The actual score given to a specific vulnerability combines three different types of metrics that account for different aspects of vulnerabilities:
Sharing CVSS scores between organizations, vendors and security teams aids in efficient and effective communication regarding vulnerabilities’ severity and potential impact.
The most recent version, CVSS 3.1, was published in June 2019.
There’s no doubt about CVSS’s usefulness, but the threat landscape, coding practices and IT environments can change a lot in four years. Furthermore, statistics show that it still takes companies an average of 60 days to patch critical vulnerabilities, demonstrating ongoing struggles in contextualizing and triaging patches.
In the spirit of the continuous improvement that the cybersecurity community strives for, CVSS 4.0 is on the way. Here’s what to expect.
New Base Metrics
One criticism aimed at CVSS 3.1 was a heavy reliance on base metrics that lacked sufficient granularity or nuance. CVSS 4.0 introduces new base metrics to address some of these shortcomings.
The Attack Requirements (AT) metric enables more accurate assessments of exploit complexity by capturing the prerequisite conditions of the vulnerable component that must hold for a specific attack against it to succeed. This new metric reflects the fact that some vulnerabilities require multiple events in a specific sequence for successful exploitation, while others have no such requirements.
Another change to base metrics comes with the addition of new impact metrics. This subset of base metrics measures the effect of a vulnerability on the integrity, availability and confidentiality of the affected system or its data. With CVSS 4.0, three new impact metrics also measure the effect of a vulnerability on the confidentiality, integrity and availability of subsequent systems. This marks a significant improvement, given that so many modern cyberattacks exploit one system’s vulnerabilities to impact a connected subsequent system (the 2023 MOVEit attack is a good example).
Out with Temporal Metrics, in with Threat Metrics
CVSS 4.0 eliminates temporal metrics and renames this category to threat metrics. There is also only one metric in this category now (down from three in the previous version of CVSS). The single metric is Exploit Maturity, and it aims to capture the likelihood that a malicious actor will attempt an attack against the vulnerable system. Despite the new name and the reduction to a single metric, the goal is still to use threat intelligence, such as publicly available proof-of-concept code or attacks observed in the wild, to better gauge the severity of a vulnerability over time.
User Interaction Tweaks
A minor tweak to the User Interaction metric (a subset of the base metrics) provides more granularity. This metric alters the vulnerability score according to whether successful exploitation requires a human user to take some form of action, such as clicking on a link or opening a file. In CVSS 3.1, the two possible values were None or Required.
The binary nature of this breakdown doesn’t account for the nuances of user interactions with systems, which range from simple, easily overlooked actions to more complex interactions that are less likely to occur. The new three-value scale classifies user interaction as None, Passive or Active.
Passive user interaction means exploitation requires limited interactions between a user and the targeted system, such as visiting a malicious website. Active means that exploitation requires a more concrete set of user interactions with the vulnerable system and the attacker’s payload, such as placing files into a specific directory.
New Supplemental Metric Group
One of the most interesting proposed changes is a new supplemental metric group that lets you optionally refine your risk analysis and vulnerability remediation efforts based on extrinsic attributes of a vulnerability. These metrics don’t affect the calculated CVSS score; you are free to use them whenever they seem relevant to vulnerability severity or prioritization.
Among the metrics in this new category are:
Used well, these metrics promise to add the contextual information that companies often lack when prioritizing what to patch.
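To make the metric groups described above concrete (the new Attack Requirements and subsequent-system impact metrics, the three-value User Interaction metric, the single Exploit Maturity threat metric, and the optional supplemental group), here is an added example, not code from the article or from FIRST, that parses a CVSS 4.0 vector string, validates each metric against its group, and reports the 4.0-specific signals. It does not compute a numeric score, since that requires FIRST's MacroVector lookup tables; metric names and allowed values are taken from the CVSS 4.0 specification.

```python
def _vals(spec):  # "NALP" -> ("N","A","L","P"); space-separated -> words
    return tuple(spec.split()) if " " in spec else tuple(spec)

# Metric names and allowed values follow the CVSS 4.0 specification.
BASE = {n: _vals(v) for n, v in {
    "AV": "NALP", "AC": "LH", "AT": "NP", "PR": "NLH", "UI": "NPA",
    "VC": "HLN", "VI": "HLN", "VA": "HLN",  # vulnerable system impact
    "SC": "HLN", "SI": "HLN", "SA": "HLN",  # subsequent system impact (new in 4.0)
}.items()}
THREAT = {"E": _vals("XAPU")}  # Exploit Maturity: not defined/attacked/PoC/unreported
ENVIRONMENTAL = {n: _vals("XHML") for n in ("CR", "IR", "AR")}
for n, v in BASE.items():  # modified base metrics M<name>; MSI/MSA also allow S
    ENVIRONMENTAL["M" + n] = ("X",) + v + (("S",) if n in ("SI", "SA") else ())
SUPPLEMENTAL = {"S": _vals("XNP"), "AU": _vals("XNY"), "R": _vals("XAUI"),
                "V": _vals("XDC"), "RE": _vals("XLMH"),
                "U": _vals("X Clear Green Amber Red")}
GROUPS = {"base": BASE, "threat": THREAT,
          "environmental": ENVIRONMENTAL, "supplemental": SUPPLEMENTAL}

def parse_vector(vector):
    """Return {group: {metric: value}}; raise ValueError if malformed."""
    prefix, *parts = vector.split("/")
    if prefix != "CVSS:4.0":  # 3.1 vectors (and their UI:R value) are rejected
        raise ValueError("not a CVSS 4.0 vector: %r" % prefix)
    parsed = {group: {} for group in GROUPS}
    for part in parts:
        name, _, value = part.partition(":")
        group = next((g for g, m in GROUPS.items() if name in m), None)
        if group is None or value not in GROUPS[group][name]:
            raise ValueError("unknown metric or value: %r" % part)
        if name in parsed[group]:
            raise ValueError("duplicate metric: %s" % name)
        parsed[group][name] = value
    missing = sorted(set(BASE) - set(parsed["base"]))
    if missing:  # all eleven base metrics are mandatory in 4.0
        raise ValueError("missing base metrics: " + ", ".join(missing))
    return parsed

def summarize(vector):
    """Nomenclature (CVSS-B/-BT/-BE/-BTE) plus the 4.0-specific signals."""
    p = parse_vector(vector)
    b = p["base"]
    return {
        "nomenclature": "CVSS-B" + "T" * bool(p["threat"]) + "E" * bool(p["environmental"]),
        "attack_requirements": b["AT"] == "P",  # exploitation needs preconditions
        "user_interaction": {"N": "none", "P": "passive", "A": "active"}[b["UI"]],
        "subsequent_system_impact": any(b[m] != "N" for m in ("SC", "SI", "SA")),
        "exploit_maturity": p["threat"].get("E", "X"),
        "supplemental": dict(p["supplemental"]),
    }
```

The nomenclature reported follows the 4.0 convention of naming a score by the metric groups it includes, so a vector carrying only base metrics is CVSS-B, one with threat metrics CVSS-BT, and so on; supplemental metrics never change the name because they do not change the score.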
On the face of it, CVSS 4.0 looks set to help overcome some of the main criticisms and limitations of the previous version. Whether this translates into more effective vulnerability management is something that only time will tell.