What CVSS represents
CVSS describes technical severity characteristics for a vulnerability. Base metrics describe attack vector, attack complexity, privileges required, user interaction, scope, and confidentiality, integrity, and availability impacts. A vector string records those choices. Where a source provides a version, keep the version with the score because versions and scoring practices can differ.
Read the vector before the number
- Attack vector: network, adjacent, local, or physical reachability changes the investigation question.
- Attack complexity and prerequisites: conditions can affect whether an observed configuration matters.
- Privileges and user interaction: show whether an attacker needs an account or user action.
- Scope and impacts: describe technical consequences, not the value of a particular business service.
Operational interpretation
Use CVSS to understand the technical shape of a finding, then add affected-version evidence, exposure, asset importance, vendor guidance, KEV, EPSS, available controls, and a safe change path. The same CVE can have very different operational significance on an internet-facing service, an isolated test system, or a product that is not deployed.
Practical workflow
- Record the source, CVSS version, score, vector, and any vendor rationale.
- Check whether vendor and third-party scores differ. Differences can reflect scope, assumptions, or revision timing; they need not mean one source is wrong.
- Validate product, version, configuration, and reachable path before assigning a remediation lane.
- Use the score in the rationale, not as the entire rationale. State what evidence would change priority.
Common mistakes
A missing CVSS score does not imply low risk. A high score does not prove exposure or compromise. A low score can still matter when it affects a critical service, supports a chained attack, or conflicts with stronger local evidence.
Example
Two systems have the same network-reachable CVE. One is an authenticated internal test service with a compensating boundary; the other is an externally reachable production gateway with confirmed affected version. The technical severity may be identical, while exposure, business impact, owner urgency, and remediation sequencing differ.