Finding, managing and patching security vulnerabilities on any network, no matter the size, is a tall task.

In the first week of 2024 alone, there were 621 new common IT security vulnerabilities and exposures (CVEs) disclosed worldwide, covering a range of applications, software and hardware that could be on any given network.

Just looking at the raw number of security vulnerabilities that need to be mitigated or patched is going to be overwhelming for any IT team. So, at its most basic level, it's easy to see why administrators and security researchers are drawn to the appeal of a singular data point that measures how severe a vulnerability is, distilled down to a scale of 0 - 10.

Most casual cybersecurity observers will be familiar with the basic terms like "critical," "severe" or "moderate" when it comes to measuring how serious a particular vulnerability is - these are usually used in news articles or technical write-ups about a security issue when it becomes public and is based on a vulnerability's CVSS score.

Now, the way those vulnerabilities are scored is changing, and many organizations are likely to adopt the newly created CVSS 4.0 this year with the hope of providing new context around how, exactly, vulnerabilities can be exploited and what type of risk they present to targets.

CVSS was created and is managed by the Forum of Incident Response and Security Teams (FIRST), a non-profit organization made up of incident response teams from government organizations and private companies.

FIRST describes the CVSS scoring system as "a way to capture the principal characteristics of a vulnerability and produce a numerical score reflecting its severity. The numerical score can then be translated into a qualitative representation (such as low, medium, high, and critical) to help organizations properly assess and prioritize their vulnerability management processes."

And while distilling risk down to a simple numerical score is helpful for many in the security space, it is also an imperfect system that can often leave out important context and does not paint the whole picture of how to best manage vulnerable systems on a network.

What's new in CVSS 4.0?

CVSS 3.1, the current model used by many organizations to measure vulnerability severity, has been around for about four years now. With CVSS 4.0, the creators are hoping to add additional context around how an attacker could exploit a certain vulnerability and what specific requirements need to be met before an adversary could carry out the exploit.

Jerry Gamblin, a principal threat detection and response engineer for Cisco Vulnerability Management, said in a recent episode of Talos Takes that the main takeaway for users who just want to focus on the severity score (and whether an issue is particularly critical) will be in a new "attack requirements" field for scoring a vulnerability. Vulnerabilities that require a targeted software be configured in a certain way outside of its default state to be vulnerable are likely to have lower severity scores under CVSS 4.0, according to Gamblin.

FIRST also says that CVSS 4.0 offers "finer granularity through the addition of new base metrics and values," including providing readers and administrators with new information about what attack requirements exist for an adversary to be successful, and whether user interaction is required or not for a vulnerability to be exploited.

The formula also includes a greater focus on resiliency on the internet-of-things and industrial control systems space, which has become a great focus of the cybersecurity community.

Once CVSS 4.0 is out in the wild for long enough, FIRST is also likely to release an update in 4.1 that will fix any inconsistencies discovered during the rollout or to add additional missing context, though there is no concrete timeline for when that will happen.

CVSS 4.0 won't start appearing on most vulnerability advisories users are used to reading until later this year, when organizations that handle the release and disclosure of vulnerabilities start adopting CVSS 4.0, like the National Vulnerability Database, which won't happen until later this year.

Yves Younan, the leader of Talos' Vulnerability Research Team, which discovers and discloses hundreds of new vulnerabilities every year, said it could be a year or more before Talos vulnerability advisories start using CVSS 4.0 as any problems are addressed. Talos also did not initially adopt CVSS 3.0 when it was released five years ago.

What does a severity score mean, anyway?

Generally, a higher CVSS score means a vulnerability is more serious than others and should be addressed sooner than others with lower severity scores.

For example, Log4shell (CVE-2021-44228), a critical remote code execution vulnerability in the popular Apache Foundation Log4j library, was assigned a maximum score of 10 out of 10 in December 2021 when it was first discovered. The infamous vulnerability was widely exploited across the globe and continues to still be an issue today.

While this score seems objective in measuring how serious an issue is, a CVSS score can be influenced by the researcher reporting the vulnerability and the vendor that needs to patch the issue.

Talos uses the CVSS calculator to create its own severity scores, according to Younan. Eventually, Talos waits for MITRE Corp. to assign a CVE and communicates with the affected vendor about releasing a patch. However, certain aspects of how the CVSS is calculated can be subjective to the organization scoring it, such as whether they consider a vulnerability particularly "easy" or "difficult" to exploit. One major advantage of CVSS 4.0 is that this determination has a much lower impact on the score compared to CVSS 3.1 where it would cause a significant change in the score.

That end score that makes it out into the public is particularly important, though, because a security issue being covered in the press or spread widely on social media can often lead to more attackers trying to exploit the issue on unpatched software or hardware, and therefore increased urgency for the need to patch the issue from admins.

The severity score on one individual vulnerability doesn't tell the whole story about a potential exploit, either. Younan said many attacks and breaches are the result of adversaries chaining multiple vulnerabilities together to target a particular product or service. As Talos highlights in many of its Vulnerability Deep Dive posts, attackers can use a series of vulnerabilities with relatively low severity scores to eventually carry out a more serious attack or even completely take over a system.

How do severity scores affect vulnerability management?

Though severity scores are what will eventually make headlines, patching cadence and vulnerability management must take several factors into consideration.

Each organization will have its own approach for how to address patching and updating their systems with their individual needs, Gamblin said, meaning it's not as simple as patching 10-out-of-10 severity vulnerabilities first, then 9.9 out of 10, etc.

Certain technologies, such as Cisco Vulnerability Management, can help administrators prioritize patching on their systems and see what vulnerabilities their networks are exposed to. Cisco Vulnerability Management has its own risk score that it uses to prioritize patching, and while the base CVSS score is a part of that calculation, Gamblin said the Cisco Risk Score won't change because of the release of CVSS 4.0.

Gamblin urges all users and administrators to first patch for vulnerabilities in any software or hardware that's directly exposed to the internet first, without consideration for whether the vulnerability received a "critical" score or not.

"Anything exposed to the internet should be patched because that's where we see most attacks," he said in the Talos Takes episode. "There are very few physical or local attacks these days."

After that, patching should focus on specific vulnerabilities that could lead to remote code execution, because those are the issues attackers are most likely to exploit, he said. While remote code execution vulnerabilities do generally receive higher severity scores, this isn't always the case.

It's also important to prioritize patching any systems that customers or employees access on a day-to-day basis at an organization, Gamblin said, such as email clients or any software that employees have dedicated credentials to and stores sensitive information.

As we pointed out in the 2023 Year in Review report, network infrastructure is also being targeted more frequently, so it's important to patch any edge devices that touch the internet like routers and switches.

For more on this topic, listen to a previous Talos Takes episode on patching strategies below, and read our recent post on securing network infrastructure.