Blog HackRTU

‹ Regresar

CVSS, THE BENCHMARK STANDARD FOR VULNERABILITY IMPACT ASSESSMENT

 

CNA

 

 

The Common Vulnerability Scoring System or CVSS is an open standard developed by the Forum of Incident Response and Security Teams (FIRST).

The main objective of the standard is to provide a structured, consistent and quantifiable impact of vulnerabilities by using the main characteristics of a vulnerability and encapsulating them in a numerical score (from 0 as a vulnerability with no impact to 10 as a critical threat), reflecting the severity and in a textual representation that can then be translated into a qualitative representation (as a low, medium, high or critical vulnerability).

This standard allows cybersecurity teams, developers, vendors, suppliers, business managers or anyone else to know the numerical threat value of the vulnerability.

 

HISTORY OF THE CVSS

In 2005, FIRST published the first version of the standard, CVSS 1.0, as a starting point to help identify the impact of vulnerabilities. This first version had few technical aspects and therefore, in 2007, the CVSS 2.0 version was published, which included many more technical concepts, but still lacked the accuracy required for a standard of this category and importance.

Between 2015 and 2019, FIRST published the CVSS 3.x versions, which were much more precise and whose final result was the publication of CVSS 4.0 in November 2023.

 

CVSS 4.0 – A NEW REALITY

Since its release at the end of 2023, the new version of the standard is the most widely used due to its new implementations and improvements in terms of vulnerability context. Previous versions did not take into account aspects such as how, where and how easily the vulnerability can be exploited.

These small changes are listed below, but they represent a major step forward in the categorisation of the impact of vulnerabilities:

• Greater precision in the context of the attack:
  • The technical complexity of the attack and the requirements of the environment are separated.
  • Improvements are implemented for vulnerability analysis in OT and IoT environments.
• Improved system for categorising user involvement in vulnerability exploitation.
  • Differentiation between active and passive user interaction.
• New metrics to provide knowledge on whether the vulnerability is being actively exploited or not.
• New environmental metrics to determine and adjust the risk according to the specific environment.
• Inclusion of new complementary metrics including the physical impact of the vulnerability, whether it is possible to automate the attack, how urgent it might be for the vendor, how long it would take for the system to recover, etc.
• Four new types of scoring to provide greater accuracy:
  • CVSS-B: Base metrics only.
  • CVSS-BT: Base metrics plus threat.
  • CVSS-BE: Base metrics plus environment.
  • CVSS-BTE: Base metrics plus threat plus environment.

 

All these changes make it possible for cyber security researchers, suppliers, cyber security or business managers to categorise more precisely how the vulnerability will affect their systems, and in the case of the industrial world, to determine whether, for example, it could have a safety impact on workers or the time needed to recover the system after the vulnerability has been exploited.

 

CVSS 4.0 EXAMPLE

In this case, and to give a context of the different fields that the CVSS has, we will use the vulnerability CVE-2025-41362 detected by one of our researchers.

Before calculating the value and explaining the technical reasons for the result, it should be noted that this vulnerability is a code injection in both IDF v0.10.0-0C03-03 and ZLF v0.10.0-0C03-04 and with CWE-94 (Code Injection), which would allow an attacker to store a malicious payload in the software and then execute it in the victim's browser. Furthermore, to exploit this vulnerability, it is necessary to authenticate on the device and execute certain commands that can be executed with view permissions without requiring administrator privileges.

Since the vulnerability was discovered during the analysis of the device (more information about the service here) in a lab environment, the environmental and supplementary metrics were not determined when calculating the CVSS and only the CVSS-Base (CVSS-B) was calculated, resulting in a value of 5.3 or in other words an MEDIUM criticality.

The resulting vector that summarises and computes all the metrics entered would be: CVSS-B:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N (5,3-Medium).

• Exploitability metrics:
  • Attack vector (AV): This metric reflects the context in which the attack can be exploited. In this case the result is Network (N) as the vulnerability could be exploited remotely if the attacker wanted to.
  • Attack Complexity (AC): This metric indicates how difficult it is for an attacker to evade the defensive measures imposed in order to obtain a functional exploit. In the case of CVE-2025-41362, the complexity is Low (L) since it was not necessary to evade any type of defence.
  • Attack Requirements (AT): This metric comprises the conditions or variables necessary prior to carrying out the attack. As in the previous case, the attack did not depend on performing any action prior to exploiting the vulnerability, so the result is None (N).
  • Privileges required (PR): Describes the level of privileges that the attacker must possess before successfully exploiting the vulnerability. For the vulnerability CVE-2025-41362 and as indicated above, no administrator permissions were required, only viewer permissions, therefore, the required privileges are Low (L).
  • User Interaction (UI): Allows to assess the requirement for a human user, other than the attacker, to participate in the successful exploitation of the vulnerable system. For the exploitation of the vulnerability CVE-2025-41362 no action is required from the user, None (N).
• Impact metrics of vulnerable systems:
  • Confidentiality (VC): Low impact (L) as there is a certain loss of confidentiality and the attacker may have access to restricted data and information.
  • Integrity (VI): Also, low impact (L) as the attacker may modify data, but has no control over the consequences of the modification.
  • Availability (VA): In the case of the vulnerability CVE-2025-41362 there is no impact (None (N)) on availability as the system was still operational after the exploitation of the CVE.
• Downstream systems impact metrics: In this case there is no impact whatsoever as the vulnerability did not affect downstream systems.

If the analysed equipment was within a system, the environment and complementary metrics could be applied, providing the equipment manager and the supplier with the risk of exploitation of the vulnerability based on the new metrics enabled by the CVSS 4.0 vector.

 

IVSS, A VULNERABILITY SCORING SYSTEM SPECIFIC TO INDUSTRIAL ENVIRONMENTS

Although the CVSS is the standard par excellence for calculating the impact and criticality of vulnerabilities, there are currently other specific scoring systems for some devices and environments, such as the industrial environment.

Specifically for industrial devices and systems, there is the Industrial Vulnerability Scoring System (IVSS), a derivative of the CVSS created by ThreatGEN and LOGIIC. The IVSS is specifically designed for vulnerabilities in industrial control systems (ICS) as the CVSS focuses on confidentiality, integrity and availability (CIA) for computer systems, devices and networks. The IVSS, on the other hand, takes into account aspects such as the impact of vulnerabilities on the control, visualisation and monitoring of industrial processes, as well as the impact on the production, security and accuracy of industrial systems.

Although the IVSS base score uses the same ‘Base Score’ points as the CVSS, it is in the ‘environmental’ and surrounding conditions where new concepts based on industrial systems are applied, even taking into account aspects such as network segmentation based on IEC 62443 3-3. The following image shows the assessment of the CVE-2025-41362 vulnerability analysed above with the CVSS and the parameters of the industrial environment that would complement this base result.

At HackRTU, we believe that the use of specific tools and standards allows a better analysis of vulnerabilities and although in certain cases, such as when vulnerabilities are identified in a laboratory environment, there is a limitation when calculating the criticality and risk that the vulnerability may present, it is always necessary to contextualise the vulnerability within the industrial environment where the affected asset or system resides, taking into account factors such as the architecture, criticality of the subsequent assets or the cascade effect that could occur if the vulnerability is exploited.

 

 

HACKRTU TEAM