CVE & CVSS Scoring
What are CVEs and CVSS scores?
What Are CVEs and CVSS Scores?
A CVE (Common Vulnerabilities and Exposures) is a standardized identifier assigned to a publicly known security vulnerability in software or hardware. Each CVE gets a unique ID, like CVE-2021-44228 (the critical Log4Shell vulnerability), so that security researchers, vendors, and defenders can all reference the same flaw without confusion.

A CVSS (Common Vulnerability Scoring System) score is a numerical rating, from 0.0 to 10.0, that measures how severe a vulnerability is. The score takes into account factors like how easy the flaw is to exploit, whether it requires authentication, and how much damage it can cause. Together, CVEs and CVSS scores help organizations prioritize which vulnerabilities to fix first.
Real-World Example
A security researcher discovers a bug in a popular web server software that allows remote code execution without any login. It gets assigned a CVE ID and a CVSS score of 9.8 out of 10, which is critical. Your security team sees the alert, searches your environment for the affected software, and patches it within hours. Without this standardized system, the same vulnerability might be described a dozen different ways across different reports, causing dangerous delays.
Key Takeaways
- CVEs are unique identifiers for known vulnerabilities, managed by MITRE and published in the National Vulnerability Database (NVD).
- CVSS scores range from 0.0 (none) to 10.0 (critical) and help teams prioritize patching.
- A score of 7.0 or higher is generally considered high or critical severity.
- CVSS scores measure exploitability, impact on confidentiality, integrity, and availability, and other factors.
- Not every high-scoring CVE is equally dangerous in your environment; context and exposure matter.
- Tools like EPSS (Exploit Prediction Scoring System) complement CVSS by estimating the likelihood a vulnerability will actually be exploited.