Understanding CVE and CVSS Scores: The Complete Vulnerability Assessment Guide
Security bulletins are filled with CVE identifiers and CVSS scores. This guide demystifies vulnerability identification and scoring so you can read any security advisory and make informed decisions.
"CVE-2025-62221 with a CVSS score of 7.8 is being actively exploited."
If that sentence means nothing to you, you're not alone. Security bulletins are filled with these identifiers and numbers, but most people—even many IT professionals—don't fully understand what they represent or how to use them for decision-making.
This guide demystifies vulnerability identification and scoring. By the end, you'll be able to read any security advisory, understand the risk it represents, and make informed decisions about your response. Whether you're a home user trying to understand update urgency or an IT professional triaging dozens of patches, this knowledge is essential.
Part 1: Understanding CVE
What is CVE?
CVE stands for Common Vulnerabilities and Exposures. It's a standardized system for identifying and naming security vulnerabilities in software and hardware. Think of CVE as a universal language for vulnerabilities. Before CVE existed, the same flaw might have different names from different vendors, researchers, and security companies. This made communication and tracking nearly impossible.
The CVE Identifier Format
Every CVE follows the same format: CVE-YYYY-NNNNN. The 'CVE' prefix is always present, YYYY is the year the CVE was assigned (not when discovered), and NNNNN is a sequence number of at least four digits. Until 2014 the sequence was fixed at four digits, which capped a year at 9,999 IDs; the current syntax allows any number of digits, which is why five-digit IDs such as CVE-2021-44228 are now common. The numbers are also not strictly sequential: CNAs are allocated blocks of IDs to assign within their scope, so neighbouring numbers may belong to different vendors, stay reserved for months, or end up rejected. For example: CVE-2025-62221 was assigned in 2025 with sequence number 62221. Famous examples include CVE-2021-44228 (Log4Shell), CVE-2017-0144 (EternalBlue, used by WannaCry), and CVE-2014-0160 (Heartbleed).
Important clarification: The year in a CVE ID is when the ID was assigned, not necessarily when the vulnerability was discovered, exploited, patched, or publicly disclosed. A vulnerability discovered in December 2024 might receive a CVE-2025-XXXXX identifier if the ID is assigned in January 2025.
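As an added example (not part of the original guide), here is a small Python helper that validates CVE IDs against the format rules above and pulls every ID out of free text, which is the first step of any advisory-triage script. The sample advisory text is constructed for the demonstration, not taken from a real bulletin.

```python
import re
from typing import List, Tuple

# CVE-YYYY-NNNN...: a four-digit year, then a sequence number of at least four digits.
# IGNORECASE so "cve-2021-44228" pasted from a ticket or chat still matches; ASCII so \d
# means 0-9 only; the \b anchors stop it matching inside tokens such as "CVE-2021-44228abc".
CVE_ID_RE = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b", re.IGNORECASE | re.ASCII)


def parse_cve_id(raw: str) -> Tuple[int, int]:
    """Validate one CVE ID and return (year, sequence) as integers.

    Raises ValueError for anything that is not well formed: wrong prefix, a sequence
    shorter than four digits, or a year before the CVE List existed (1999).
    """
    m = CVE_ID_RE.fullmatch(raw.strip())
    if not m:
        raise ValueError(f"not a well-formed CVE ID: {raw!r}")
    year, seq = int(m.group(1)), int(m.group(2))
    if year < 1999:
        raise ValueError(f"implausible assignment year in {raw!r}")
    return year, seq


def normalize_cve_id(raw: str) -> str:
    """Canonical upper-case form, e.g. ' cve-2014-0160 ' -> 'CVE-2014-0160'."""
    parse_cve_id(raw)  # validation only; the digits are kept exactly as written
    return raw.strip().upper()


def extract_cve_ids(text: str) -> List[str]:
    """Every CVE ID in a block of text (advisory, ticket, chat log), normalized and
    de-duplicated, in order of first appearance. Malformed IDs are silently skipped."""
    found: List[str] = []
    for m in CVE_ID_RE.finditer(text):
        cve = m.group(0).upper()
        if int(m.group(1)) >= 1999 and cve not in found:
            found.append(cve)
    return found


# Constructed sample text (not a real advisory): mixed case, a duplicate, and a
# malformed ID with only three sequence digits that must be ignored.
SAMPLE_ADVISORY = (
    "Patch cve-2021-44228 (Log4Shell) and CVE-2025-62221 this week. "
    "CVE-2021-123 is not a valid identifier, and CVE-2021-44228 appears again here."
)

if __name__ == "__main__":
    print(extract_cve_ids(SAMPLE_ADVISORY))
```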
Who Assigns CVE IDs?
The CVE Program is sponsored by the Cybersecurity and Infrastructure Security Agency (CISA), part of the U.S. Department of Homeland Security (DHS), and operated by the MITRE Corporation. MITRE doesn't assign most CVEs directly, however. Instead, the program authorizes CVE Numbering Authorities (CNAs) to assign IDs within their scope, typically their own products or a research community they serve.
Major CNAs include Microsoft (for Windows, Office, Azure and its other products), Google (for Chrome, Android, Google Cloud), Apple (for iOS, macOS, Safari), Red Hat (for Red Hat Enterprise Linux and its other products; the Linux kernel itself has been its own CNA, kernel.org, since 2024), Cisco (for networking equipment and software), Oracle (for databases, Java, enterprise software), and Adobe (for Creative Cloud, Acrobat). MITRE acts as the CNA of Last Resort and handles anything not covered by another CNA.
What's in a CVE Entry?
Each CVE entry contains: the unique CVE ID, a description of what the vulnerability is and how it works, references with links to vendor advisories and patches, affected products listing which software and versions are vulnerable, and a CWE (Common Weakness Enumeration) entry categorizing the vulnerability type. A CVSS score is optional in the CVE record itself: the CNA may include one, and NVD performs its own analysis and publishes a score as well. The two can differ, so when a vendor advisory and NVD disagree, compare the vector strings to see which metric they evaluated differently rather than arguing about the number.
CVE vs. Other Identifiers
You might encounter other vulnerability identifiers: MS Bulletin (Microsoft legacy format like MS17-010), KB Article (Microsoft knowledge base like KB5072033), GHSA (GitHub Security Advisories), USN (Ubuntu Security Notices), and RHSA (Red Hat Security Advisories). CVE is the universal standard—vendor-specific identifiers often map back to CVEs.
Part 2: Understanding CVSS
What is CVSS?
CVSS stands for Common Vulnerability Scoring System. It provides a numerical score (0.0 to 10.0) representing the severity of a vulnerability. CVSS helps answer the question: 'How bad is this vulnerability?'
Current Version: CVSS v3.1
CVSS has evolved over time: v1 (2005) was the original version, v2 (2007) brought improved metrics, v3.0 (2015) was a major overhaul, v3.1 (2019) refined v3.0 without changing the metric weights (it clarified definitions and fixed the rounding function), and v4.0 (2023) is the latest version, with adoption still ongoing. Most current advisories use CVSS v3.1, so that is the version this guide explains.
CVSS Score Ranges
Score ranges: 0.0 is None (informational, no security impact), 0.1-3.9 is Low (minor impact, difficult to exploit), 4.0-6.9 is Medium (moderate impact or difficulty), 7.0-8.9 is High (serious impact, reasonably exploitable), and 9.0-10.0 is Critical (devastating impact, easily exploitable).
Important context: A CVSS score alone doesn't tell you everything. A 7.0 being actively exploited is more urgent than a theoretical 9.5. A 10.0 in software you don't use isn't your priority. Environmental factors matter—internet-facing vs. isolated systems.
How CVSS Scores Are Calculated
CVSS v3.1 uses multiple metric groups. The Base Metrics represent intrinsic characteristics that don't change over time or across environments.
Exploitability Metrics include: Attack Vector (AV) describing how the attacker reaches the vulnerability—Network (N) for remotely exploitable scores highest, Adjacent (A) requires same LAN, Local (L) requires local access, Physical (P) requires physical access and scores lowest. Attack Complexity (AC) describes difficulty—Low (L) means no special conditions needed, High (H) requires specific conditions. Privileges Required (PR)—None (N) scores highest, Low (L) needs basic user, High (H) needs admin. User Interaction (UI)—None (N) means fully automated, Required (R) means user must click or interact.
Impact Metrics include: Confidentiality (C)—High (H) means complete confidentiality loss, Low (L) is some disclosure, None (N) is no impact. Integrity (I)—High (H) means complete compromise, Low (L) is some modification possible, None (N) is no impact. Availability (A)—High (H) means complete disruption, Low (L) is degraded performance or intermittent interruption, None (N) is no impact. Scope (S) is a base metric in its own right rather than an impact metric: it indicates whether exploitation affects resources beyond the security authority of the vulnerable component—Changed (C) means the impact reaches other components (a sandbox escape, or a library flaw that compromises the host application), Unchanged (U) means the impact is confined to the vulnerable component. Scope Changed also raises the weight given to Privileges Required and multiplies the combined score by 1.08, which is how a vector can reach 10.0.
Reading a CVSS Vector String
CVSS scores come with a 'vector string' showing how they were calculated. For example: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H breaks down as: CVSS:3.1 (Version 3.1), AV:L (Attack Vector: Local), AC:L (Attack Complexity: Low), PR:L (Privileges Required: Low), UI:N (User Interaction: None), S:U (Scope: Unchanged), C:H (Confidentiality Impact: High), I:H (Integrity Impact: High), A:H (Availability Impact: High). This vector produces a score of 7.8 (High).
Real-World CVSS Examples
CVE-2021-44228 (Log4Shell) scored CVSS 10.0 with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H. It was Network exploitable (remote), Low complexity (easy), No privileges needed, No user interaction, Scope changed (affects other systems), and Complete compromise. This is why Log4Shell was such a big deal—it scored maximum severity across all metrics.
CVE-2025-62221 (Windows Cloud Files) scored CVSS 7.8 with vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. It's Local only (not remote), Low complexity, Requires low privileges (authenticated user), No user interaction, Scope unchanged. Despite high impact, the local-only attack vector keeps the score under 8.0.
Temporal and Environmental Metrics
Beyond base metrics, CVSS includes optional adjustments. Temporal Metrics change over time: Exploit Code Maturity (is exploit code public?), Remediation Level (is there a patch?), Report Confidence (how verified is the vulnerability?). Environmental Metrics are specific to your organization: Security Requirements (how critical is CIA in YOUR environment?), Modified Base Metrics (adjustments based on your specific implementation, for example a network-reachable flaw behind a VPN re-scored as Adjacent). Most published CVSS scores are base scores. Organizations doing risk assessments may calculate environmental scores. Note that CVSS v4.0 reorganizes these groups: Temporal becomes Threat, with Exploit Maturity as its only metric, and Remediation Level and Report Confidence are dropped.
Part 3: Using CVE and CVSS for Decision-Making
The Prioritization Framework
When faced with multiple vulnerabilities, prioritize based on urgency tiers:
Tier 1: Immediate (24-48 hours) — Any actively exploited vulnerability (regardless of CVSS), any vulnerability in CISA KEV catalog, Critical (9.0+) on internet-facing systems, Zero-days with public PoC exploits.
Tier 2: Urgent (Within 1 week) — High (7.0-8.9) vulnerabilities, Critical vulnerabilities on internal systems, any vulnerability with a public PoC exploit for which a patch exists (with no patch available it belongs in Tier 1).
Tier 3: Standard (Within 30 days) — Medium (4.0-6.9) vulnerabilities, High vulnerabilities on isolated systems, lower-risk systems.
Tier 4: Scheduled (Regular maintenance) — Low (0.1-3.9) vulnerabilities, air-gapped systems, test/development environments.
CVSS Isn't Everything: Context Matters
Exploitation Status Trumps Score: A CVSS 6.5 being actively exploited in the wild is more urgent than a CVSS 9.8 that's theoretical. Always check: Is it actively exploited? Is PoC exploit code public? Is it in CISA's KEV catalog?
Your Environment Matters: A critical SQL Server vulnerability doesn't matter if you don't run SQL Server. Consider: Do you have the affected software? Is it exposed (internet-facing vs. internal)? What data/systems could be compromised?
Attack Chain Potential: Lower-severity vulnerabilities can be chained together. Initial access flaw (Medium) + Privilege escalation flaw (Medium) = Full compromise. Don't ignore Medium vulnerabilities on critical systems.
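Here is an added example, not from the guide, that turns the four tiers and the context rules into a Python triage routine: it reads a KEV-shaped feed excerpt, classifies each finding with exploitation evidence checked before the score is ever consulted, and sorts the result so a 6.5 that is being exploited lands ahead of a theoretical 9.8. The feed excerpt, asset names and exposure values are constructed sample data. The 10.0 and 7.8 scores are the ones quoted in this guide; the 7.5 for Heartbleed and 8.1 for EternalBlue are NVD's published v3 base scores, which the guide itself does not cite.

```python
import json
from dataclasses import dataclass
from typing import List, Set, Tuple

# Constructed excerpt in the shape of CISA's KEV JSON feed: a top-level "vulnerabilities"
# array whose entries carry a "cveID". The real feed has many more fields per entry;
# only cveID is used here, and the list is sample data, not a download.
KEV_FEED_JSON = """
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "vulnerabilities": [
    {"cveID": "CVE-2021-44228"},
    {"cveID": "CVE-2017-0144"}
  ]
}
"""


def load_kev_ids(feed_json: str) -> Set[str]:
    """Collect the CVE IDs listed in a KEV feed document."""
    feed = json.loads(feed_json)
    return {entry["cveID"].upper() for entry in feed["vulnerabilities"]}


@dataclass
class Finding:
    cve: str
    asset: str
    cvss: float                       # published base score
    exposure: str                     # "internet", "internal", "isolated" or "airgapped"
    environment: str = "prod"         # or "test"
    actively_exploited: bool = False  # vendor, ISAC or news confirmation of in-the-wild use
    poc_public: bool = False
    patch_available: bool = True


def triage_tier(f: Finding, kev: Set[str]) -> int:
    """Map a finding to the guide's four tiers. Rules are evaluated in order, so
    exploitation evidence is consulted before the CVSS number matters at all."""
    # Tier 1: immediate (24-48 hours)
    if f.actively_exploited or f.cve.upper() in kev:
        return 1
    if f.cvss >= 9.0 and f.exposure == "internet":
        return 1
    if f.poc_public and not f.patch_available:  # zero-day with a public PoC
        return 1
    # Tier 4 is decided next: once exploitation is ruled out, the guide parks
    # air-gapped and test/dev systems in scheduled maintenance regardless of score.
    if f.exposure == "airgapped" or f.environment == "test":
        return 4
    # Tier 2: urgent (within 1 week)
    if f.poc_public or f.cvss >= 9.0:
        return 2
    if f.cvss >= 7.0 and f.exposure != "isolated":
        return 2
    # Tier 3: standard (within 30 days) - Medium, or High on an isolated system
    if f.cvss >= 4.0:
        return 3
    # Tier 4: scheduled - Low
    return 4


def prioritize(findings: List[Finding], kev: Set[str]) -> List[Tuple[int, str, str]]:
    """Return (tier, cve, asset) ordered by tier, then by score within a tier."""
    ranked = sorted(findings, key=lambda f: (triage_tier(f, kev), -f.cvss))
    return [(triage_tier(f, kev), f.cve, f.asset) for f in ranked]


# Constructed inventory. Assets and exposures are made up; see the lead-in for the scores.
SAMPLE_FINDINGS = [
    Finding("CVE-2025-62221", "finance-ws-12", 7.8, "internal"),
    Finding("CVE-2014-0160", "vpn-gateway", 7.5, "internet", poc_public=True),
    Finding("CVE-2021-44228", "ticketing-app", 10.0, "internet"),
    Finding("CVE-2017-0144", "legacy-fileserver", 8.1, "internal"),
]

if __name__ == "__main__":
    for tier, cve, asset in prioritize(SAMPLE_FINDINGS, load_kev_ids(KEV_FEED_JSON)):
        print(f"Tier {tier}: {cve} on {asset}")
```

Note how EternalBlue at 8.1 on an internal file server outranks nothing by score alone, yet lands in Tier 1 purely because it is in the KEV catalog; that is the "exploitation status trumps score" rule made mechanical. In a real pipeline the KEV set would be refreshed from the JSON download CISA publishes alongside the catalog, and the Finding fields would be populated from your asset inventory rather than typed by hand.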
Where to Find CVE and CVSS Information
Official Sources: NIST National Vulnerability Database (NVD) at nvd.nist.gov is the most comprehensive CVE database, adding CVSS scores, CWE and CPE product mappings on top of the CVE record. Be aware that NVD has had an enrichment backlog since early 2024, so a recent CVE may sit there for a while with no NVD score; in that case use the CNA's score from the CVE record. CVE.org is the official CVE list with the record as the CNA published it. CISA KEV Catalog at cisa.gov/known-exploited-vulnerabilities-catalog lists vulnerabilities with confirmed in-the-wild exploitation, each with a remediation due date that is binding on U.S. federal agencies and a sensible benchmark for everyone else.
Vendor Sources: Microsoft Security Update Guide at msrc.microsoft.com/update-guide provides detailed Microsoft vulnerability information. Most vendors maintain security advisory pages with often more detail than NVD.
Community Sources: Zero Day Initiative at zerodayinitiative.com provides detailed technical analysis. Security news sites like BleepingComputer, SecurityWeek, and The Register provide context and exploitation news.
Common Mistakes to Avoid
Mistake 1: Only Patching 'Critical' — Organizations sometimes ignore High-severity vulnerabilities because they're 'not critical.' This leaves serious gaps.
Mistake 2: Ignoring Context — Patching everything at 9.8 while ignoring that 7.5 on your internet-facing VPN gateway is backwards prioritization.
Mistake 3: Treating CVSS as Exact — CVSS 7.8 vs. 7.5 isn't meaningfully different. Don't over-optimize on decimal differences.
Mistake 4: Waiting for Perfect Information — 'We'll wait to see if it's really being exploited' often means 'We'll wait until we're compromised.'
Mistake 5: Not Tracking What's Patched — Without documentation, you can't prove compliance or verify coverage.
Conclusion
CVE identifiers and CVSS scores are essential tools for understanding and prioritizing security vulnerabilities. They provide a common language and quantitative framework for discussing risk.
Key takeaways:
When you see 'CVE-2025-XXXXX (CVSS 8.4) actively exploited,' you now understand: It's a specific, tracked vulnerability (CVE), it's high severity (8.4), attackers are using it right now (actively exploited), and you need to act immediately.
That understanding transforms you from passive recipient of security news to informed decision-maker. And in cybersecurity, informed decisions save systems.