The Common Vulnerability Scoring System (CVSS) is a standardized framework used to assess the severity of software vulnerabilities. Developed and maintained by FIRST.org, CVSS assigns a numerical value — ranging from 0.0 (no risk) to 10.0 (maximum severity) — that reflects the potential impact of a vulnerability on a system's confidentiality, integrity, and availability.
A CVSS score of 9.8 is considered "Critical", which means the vulnerability is:
- Remotely exploitable — No physical access to the device or system is required.
- Accessible without authentication — Attackers don't need an account or prior permissions.
- Low complexity — The exploit requires no specialized conditions or advanced technical skills.
- User interaction not required — The attacker doesn’t need to trick users into clicking links or downloading files.
- System-wide impact — A successful exploit can lead to full control over the affected application or server, including theft of sensitive data, defacement, service disruption, or malware injection. The potential impact of these vulnerabilities is grave and should not be underestimated.
CVSS Vector Breakdown Example: Let's take the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, which is common across all the vulnerabilities discussed above:
- AV:N (Attack Vector: Network) – The attack can be carried out over the internet, making it scalable.
- AC:L (Attack Complexity: Low) – The attacker requires no special circumstances.
- PR:N (Privileges Required: None) – No prior access or login credentials are needed.
- UI:N (User Interaction: None) – The exploit works without the need for a victim to click or interact.
- S:U (Scope: Unchanged) – The impact is limited to the vulnerable component.
- C:H, I:H, A:H (Confidentiality, Integrity, Availability: High) – High impact on all three: confidentiality (data exposure or theft), integrity (data modification or destruction) and availability (service outages or site defacement).
A score of 9.8 means the window between exposure and exploitation is narrow, especially in automated attacks or when CVE exploits are added to public malware kits and botnets.