CVSS v4.0 (EN)

The cybersecurity world has been graced with the latest and greatest iteration of the Common Vulnerability Scoring System, CVSS v4.0. This new version promises to revolutionize the way we assess the severity and impact of software vulnerabilities, because clearly, v3.1 was just a warm-up act. And for those who felt left out, CVSS v4.0 now supports multiple scores for the same vulnerability. Because why have one score when you can have several? So, there you have it, folks. CVSS v4.0 is here to

Read more: Boosty

I. INTRODUCTION
The Common Vulnerability Scoring System (CVSS) version 4.0 is the latest iteration of the industry-standard scoring system for assessing and quantifying the severity and impact of software vulnerabilities.
CVSS v4.0 introduces several significant changes and improvements over the previous version (v3.1) to provide a more granular, accurate, and comprehensive assessment of vulnerabilities.
This analysis delves into various facets of CVSS v4.0, including its enhanced metrics, the introduction of new categories, and the implications these changes have for cybersecurity professionals and organizations. By dissecting the CVSS v4.0 specification, we offer a qualitative summary of the core improvements and modifications from its predecessor, CVSS v3.1, equipping readers with a nuanced understanding of its impact on vulnerability management processes. Through an examination of the CVSS v4.0 framework alongside insights from cybersecurity experts, this analysis aims to provide a clear, actionable guide for leveraging CVSS v4.0 to strengthen organizational security postures.

II. KEY CHANGES
Key updates in CVSS v4.0 as of now:
• New Base Metrics and Values: CVSS v4.0 introduces new base metrics that capture additional aspects of risk, such as the potential consequences of a successful attack, including explicit assessment of impact to the Vulnerable System (VC, VI, VA) and to Subsequent Systems (SC, SI, SA)
• Simplified Threat Metrics: The Temporal metric group of CVSS v3.1 has been renamed the Threat metric group and now contains a single metric, Exploit Maturity (E); Remediation Level (RL) and Report Confidence (RC) have been retired
• New Supplemental Metric Group: This group is introduced for Enhanced Extrinsic Attributes, providing additional insight into the characteristics of a vulnerability without changing the numeric score
• Changes to Vector String: The Vector String now begins with CVSS:4.0 rather than CVSS:3.1. It also carries the new metrics (Attack Requirements, the separate Vulnerable System and Subsequent System impact metrics, and the optional Supplemental metrics) and drops the retired ones (Scope, Remediation Level, Report Confidence); the definitions of several metric values and the scoring formulas have changed as well
• Improved Guidance: CVSS v4.0 provides improved guidance to CVSS analysts to produce consistent scores. It also provides guidance on scoring vulnerabilities in software libraries and supports multiple CVSS scores for the same vulnerability that affects different platforms or operating systems
• Enhanced Clarity and Simplicity: CVSS v4.0 aims to provide a more streamlined scoring process, reducing subjectivity through clearer metric guidance and definitions
• Focus on Resiliency: The latest iteration of CVSS introduces a renewed focus on resiliency, particularly in the early stages of an exploit, addressing the increasing concerns around the security of operational technology (OT), industrial control systems (ICS), and the Internet of Things (IoT)
• User Interaction: CVSS 4.0 has made the User Interaction metric more granular. While CVSS 3.1 had the values None (N) or Required (R) for this metric, CVSS 4.0 has expanded the options to None (N), Passive (P), and Active (A)
• Assessing Effects on Vulnerable and Subsequent Systems: CVSS 4.0 provides clearer insight into the impact of vulnerabilities on both the vulnerable system and subsequent systems
• Attack Requirements: CVSS 4.0 introduces a new base metric, Attack Requirements (AT), which takes the value Present (P) when the attack depends on prerequisite deployment or execution conditions of the vulnerable system that are outside the attacker's control (for example, winning a race condition), and None (N) otherwise
• Scope Changes: The Scope (S) metric from CVSS v3.1 has been retired and replaced with the concepts of "Vulnerable System" and "Subsequent System"
• Support for Multiple Scores: CVSS 4.0 is designed to support multiple CVSS scores for the same vulnerability that affects different platforms, operating systems, etc.
• Guidance for Other Sectors: CVSS 4.0 provides guidance to extend the CVSS framework for other industry sectors such as privacy, automotive, etc.

III. BENEFITS OF USING CVSS V4.0 OVER PREVIOUS VERSIONS
CVSS v4.0 improves vulnerability assessments by introducing several enhancements that provide a more nuanced and accurate representation of the risks associated with software vulnerabilities:
• More Granular Base Metrics – CVSS v4.0 includes new base metrics and values that capture additional aspects of risk, such as the potential consequences of a successful attack. This includes explicit assessment of impact to the Vulnerable System (VC, VI, VA) and to Subsequent Systems (SC, SI, SA), which allows for a more detailed understanding of the vulnerability's impact
• Integration of Threat Intelligence – The Threat Metrics group in CVSS v4.0 adjusts the severity of a vulnerability based on real-time factors, such as the availability of proof-of-concept code or active exploitation. This integration of threat intelligence ensures that the scoring reflects the current threat landscape and the likelihood of an attack
• Environmental Metrics – CVSS v4.0's Environmental Metrics further refine the severity score to a specific computing environment. They consider factors such as the presence of mitigations and the criticality of the affected system within the user's environment, allowing for a more tailored risk assessment
• Simplified Threat Metrics – The Threat Metrics group, previously known as Temporal Metrics, has been simplified to focus on the most critical aspect of real-time vulnerability assessment, Exploit Maturity. This simplification helps users better understand the risk of vulnerabilities
• Enhanced Clarity and Simplicity – CVSS v4.0 aims to reduce ambiguities and inconsistencies in vulnerability assessments that were common in previous versions. The new version provides clearer metric guidance and definitions, which should lead to more consistent scoring
• Support for Multiple Scores – The new framework is designed to support multiple CVSS scores for the same vulnerability when it affects different platforms or operating systems, providing a more comprehensive assessment
• Focus on Resiliency – CVSS v4.0 introduces a renewed focus on resiliency, particularly in the early stages of an exploit, which is increasingly important for the security of operational technology (OT), industrial control systems (ICS), and the Internet of Things (IoT)
• Vendor-Supplied Severity and Impact Scoring – The framework now integrates vendor-supplied severity and impact scoring, accommodating a wider range of perspectives and aligning the scoring process more closely with real-world scenarios
• Enhanced Fidelity in Vulnerability Assessment – The objective behind CVSS v4.0 is to offer enhanced fidelity in vulnerability assessment for the industry and the public, incorporating various refinements to improve the accuracy of vulnerability scoring

IV. FINER-GRAINED METRICS IN CVSS V4.0 & SCORING PROCESS
CVSS v4.0 introduces several finer-grained metrics to provide a more nuanced understanding of the technical characteristics of vulnerabilities. One of the key changes is a more granular breakdown of the Base Metrics, which includes new values for User Interaction, categorized as either Passive or Active. The User Interaction (UI) metric in CVSS v4.0 thus distinguishes how much interaction is required from a user. Additionally, CVSS v4.0 introduces a new Attack Requirements metric, which captures the prerequisite conditions that enable an attack.
CVSS v4.0 simplifies the scoring process in several ways. The Threat Metrics, previously known as Temporal Metrics, have been simplified and renamed to emphasize real-time vulnerability assessment. Remediation Level (RL) and Report Confidence (RC) have been retired, and Exploit Code Maturity has been renamed to Exploit Maturity (E). The former Temporal Metrics have been simplified to help consumers better understand the risk of vulnerabilities. The scoring system in CVSS v4.0 is simpler and more flexible compared to previous versions, aiming to provide a universal framework for scoring different vulnerabilities.

V. LIST OF METRICS
The Common Vulnerability Scoring System (CVSS) version 4.0 consists of four metric groups: Base, Threat, Environmental, and Supplemental.
The Base metric group represents the intrinsic characteristics of a vulnerability that are constant over time and across user environments. The Base Score is calculated using a specific formula that examines exploitability and the vulnerability's impact on the confidentiality, integrity, and availability of the vulnerable system and of subsequent systems.
The Threat metric group, previously known as the Temporal Metrics Group, provides additional context to the Base metrics. Note that a Base-only score already assumes the worst case for the single Threat metric (Exploit Maturity is treated as Attacked when it is not supplied), so supplying Threat information can only leave the score unchanged or lower it.
The Environmental metric group represents the characteristics of a vulnerability that are unique to a user's environment. These metrics allow organizations to customize the CVSS scores based on their specific environment. However, the Environmental metrics are specified by users and do not directly impact the publicly visible CVSS scores, which are based solely on the Base Score.
The Supplemental metric group is a new addition in CVSS v4.0. It includes metrics that provide additional context: Safety, Automatable, Recovery, Value Density, Vulnerability Response Effort, and Provider Urgency. The Supplemental metrics are optional and do not have any impact on the final calculated CVSS score.
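As an added example (not code from the article or from FIRST) of the vector-string and metric-group rules described above, the following parser rejects anything not prefixed CVSS:4.0, rejects the retired v3.1 metrics (Scope, Remediation Level, Report Confidence), checks every value against the v4.0 metric tables, requires all eleven Base metrics, and derives the CVSS-B/BT/BE/BTE nomenclature from which groups are actually used. Treating a group whose metrics are all set to X (Not Defined) as absent from the nomenclature is this example's reading of the specification; the sample vectors are constructed.

```python
"""Parse and validate a CVSS v4.0 vector string and derive the score
nomenclature (CVSS-B, CVSS-BT, CVSS-BE, CVSS-BTE). Added example, not code
from the article or from FIRST; metric tables follow the CVSS v4.0 spec."""

# Permitted values per metric, grouped as in the specification. "X"
# (Not Defined) is valid only outside the Base group, whose eleven
# metrics are mandatory in every v4.0 vector.
METRIC_GROUPS = {
    "Base": {
        "AV": "N A L P", "AC": "L H", "AT": "N P", "PR": "N L H", "UI": "N P A",
        "VC": "H L N", "VI": "H L N", "VA": "H L N",
        "SC": "H L N", "SI": "H L N", "SA": "H L N",
    },
    "Threat": {"E": "X A P U"},
    "Environmental": {
        "CR": "X H M L", "IR": "X H M L", "AR": "X H M L",
        "MAV": "X N A L P", "MAC": "X L H", "MAT": "X N P", "MPR": "X N L H",
        "MUI": "X N P A", "MVC": "X H L N", "MVI": "X H L N", "MVA": "X H L N",
        "MSC": "X H L N", "MSI": "X S H L N", "MSA": "X S H L N",
    },
    "Supplemental": {
        "S": "X N P", "AU": "X N Y", "R": "X A U I", "V": "X D C",
        "RE": "X L M H", "U": "X Clear Green Amber Red",
    },
}
GROUP_OF = {m: g for g, metrics in METRIC_GROUPS.items() for m in metrics}

# v3.1 metrics that no longer exist in v4.0; a stale v3.1 vector should be
# rejected with a pointer to what replaced them rather than as a typo.
RETIRED_V31 = {
    "RL": "Remediation Level was retired; the Threat group contains only E",
    "RC": "Report Confidence was retired; the Threat group contains only E",
}


class VectorError(ValueError):
    """Raised for anything that is not a well-formed CVSS v4.0 vector."""


def parse_vector(vector: str) -> dict:
    """Return {"metrics": {...}, "groups": set(...), "nomenclature": str}."""
    parts = vector.strip().split("/")
    if parts[0] != "CVSS:4.0":
        raise VectorError(f"expected prefix CVSS:4.0, got {parts[0]!r}")
    metrics = {}
    for part in parts[1:]:
        name, sep, value = part.partition(":")
        if not (sep and name and value):
            raise VectorError(f"malformed metric {part!r}")
        if name in metrics:
            raise VectorError(f"metric {name} appears twice")
        if name in RETIRED_V31:
            raise VectorError(RETIRED_V31[name])
        # "S" still exists in v4.0, but as Safety (X/N/P); S:U or S:C is the
        # retired v3.1 Scope metric leaking through.
        if name == "S" and value in ("U", "C"):
            raise VectorError("Scope was retired; use SC/SI/SA for subsequent systems")
        group = GROUP_OF.get(name)
        if group is None:
            raise VectorError(f"unknown metric {name!r}")
        allowed = METRIC_GROUPS[group][name].split()
        if value not in allowed:
            raise VectorError(f"{name}:{value} not in {allowed}")
        metrics[name] = value
    missing = sorted(set(METRIC_GROUPS["Base"]) - set(metrics))
    if missing:
        raise VectorError(f"missing mandatory Base metrics: {missing}")
    # A group counts as "used" only if one of its metrics is set to something
    # other than X; E:X alone does not turn a CVSS-B score into CVSS-BT.
    groups = {GROUP_OF[m] for m, v in metrics.items() if v != "X"}
    nomenclature = ("CVSS-B"
                    + ("T" if "Threat" in groups else "")
                    + ("E" if "Environmental" in groups else ""))
    return {"metrics": metrics, "groups": groups, "nomenclature": nomenclature}


def is_valid(vector: str) -> bool:
    """Convenience wrapper for ingestion pipelines that only need a yes/no."""
    try:
        parse_vector(vector)
        return True
    except VectorError:
        return False
```

Supplemental metrics are accepted and returned in the metrics dictionary, but they never add a letter to the nomenclature, matching the text above: they carry context, not score.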
A. Base Metrics
The Base Metrics represent the intrinsic qualities of a vulnerability. They include:
• Attack Vector (AV)
• Attack Complexity (AC)
• Attack Requirements (AT)
• Privileges Required (PR)
• User Interaction (UI)
• Impact Metrics: Vulnerable System Confidentiality (VC), Integrity (VI), Availability (VA), and Subsequent System(s) Confidentiality (SC), Integrity (SI), Availability (SA)
The Scope (S) metric of CVSS v3.1 is no longer part of the Base group; its role is covered by the Subsequent System impact metrics.

1) Purpose
The Base metric group represents the intrinsic qualities of a vulnerability that are constant over time. It is composed of two sets of metrics: the Exploitability metrics and the Impact metrics. The Exploitability metrics reflect the ease and technical means by which the vulnerability can be exploited, while the Impact metrics reflect the direct consequences of a successful exploit. The Base metrics help determine the initial severity score for a vulnerability. In CVSS v3.1, the exploitability metrics were Attack Vector (AV), Attack Complexity (AC), Privileges Required (PR), and User Interaction (UI). CVSS 4.0 adds Attack Requirements (AT) to increase the granularity of the scoring system.

2) Impact on Score
The Base metrics produce a score ranging from 0 to 10, which can then be modified by scoring the Threat and Environmental metrics. The Base score only reflects the technical severity of a vulnerability when considered in isolation. It is important to note that the Base score is only the starting point for building a full picture of the risk associated with a vulnerability.

3) Usage
The Base metric group is used to assess the fundamental qualities of a vulnerability that remain constant over time. It is used to evaluate the severity of vulnerabilities and their impact on organizations without considering threat or environmental factors.

4) Calculation
The Base Metrics are divided into Exploitability Metrics and Impact Metrics. When these Base Metrics are assigned values by an analyst, they result in a score ranging from 0.0 to 10.0. The CVSS v4.0 calculator, which is a reference implementation of the CVSS standard, can be used for generating scores based on the values of these metrics. The calculator applies the formula specified in the CVSS version 4.0 standard to produce the Base Score.

5) Prioritizing vulnerabilities
Base metrics represent the intrinsic qualities of a vulnerability that are constant over time and across user environments. They include exploitability metrics (Attack Vector, Attack Complexity, Attack Requirements, Privileges Required, and User Interaction), vulnerable system impact metrics (Confidentiality, Integrity, and Availability) and subsequent system impact metrics. The Base metrics produce a score ranging from 0 to 10, which reflects the technical severity of a vulnerability when considered in isolation. This score is essential when analyzing a vulnerability and helps in prioritizing vulnerabilities based on their inherent characteristics.

B. Threat Metrics
The Threat Metrics, previously known as Temporal Metrics, adjust the severity of a vulnerability based on real-time factors. In CVSS v4.0 the group contains a single metric:
• Exploit Maturity (E)
Remediation Level (RL) and Report Confidence (RC), which were part of the v3.1 Temporal group, have been retired and are not valid in a v4.0 vector.

1) Purpose
The purpose of the Threat metric group is to adjust the severity of a vulnerability based on factors such as the availability of proof-of-concept code or active exploitation. This group captures vulnerability characteristics related to a threat, which may change over time.
For example, it can capture information such as whether the vulnerability has been exploited or if there is any proof-of-concept exploit available. The values found in this metric group may change over time, reflecting the evolving threat landscape.

2) Impact on Score
The Threat metric group impacts the final CVSS score by adjusting the severity of a vulnerability based on the threat landscape. The absence of explicit Threat metric selections will still result in a score, but the inclusion of the "T" in the nomenclature (CVSS-BT or CVSS-BTE) is appropriate only if a Threat metric is used to adjust the score.

3) Usage
The Threat metric group is used to refine the severity score of a vulnerability based on applicable threat intelligence. It is used in combination with the Base metric group, which represents the intrinsic qualities of a vulnerability that are constant over time, and the Environmental metric group, which represents the characteristics of a vulnerability that are unique to a specific computing environment.

4) Calculation
The Threat Metrics in the Common Vulnerability Scoring System (CVSS) version 4.0 adjust the severity of a vulnerability based on factors such as the availability of proof-of-concept code or active exploitation. These metrics reflect the characteristics of a vulnerability related to threat that may change over time.
In CVSS v4.0, the Threat Metrics replaced the Temporal Metrics from previous versions, resulting in clearer and simplified metrics. The Remediation Level (RL) and Report Confidence (RC) metrics, which were part of the Temporal Metrics in previous versions, have been removed in CVSS v4.0.
The values assigned to the Threat Metrics are used in the calculation of the final score, along with the Base and Environmental Metrics. If an explicit Threat Metric value is not provided (E:X, Not Defined), the default that assumes the highest severity is used: Exploit Maturity is treated as Attacked (A).
The CVSS v4.0 calculator, which is a reference implementation of the CVSS standard, can be used for generating scores based on the values of these metrics. The calculator applies the formula specified in the CVSS version 4.0 standard to produce the final score, which includes the Threat Metrics.

5) Prioritizing vulnerabilities
Threat metrics, previously known as Temporal Metrics, adjust the severity of a vulnerability based on factors such as the availability of proof-of-concept code or active exploitation. These metrics reflect the characteristics of a vulnerability that change over time, such as whether the vulnerability has been exploited or if any proof-of-concept exploit exists. The values in this metric group may change over time, and they help in real-time vulnerability assessment. By considering the likelihood of exploitation and the potential impact of a successful attack, CVSS v4.0 aims to offer a more holistic and accurate assessment of vulnerabilities.

C. Environmental Metrics
The Environmental Metrics allow organizations to customize the CVSS scores based on their specific environment. They include:
• Modified Base metrics (MAV, MAC, MAT, MPR, MUI, MVC, MVI, MVA, MSC, MSI, MSA), each of which overrides the corresponding Base metric when set to a value other than Not Defined (X); MSI and MSA additionally accept the value Safety (S)
• Security Requirement metrics: Confidentiality Requirement of the vulnerable system (CR), Integrity Requirement of the vulnerable system (IR), and Availability Requirement of the vulnerable system (AR)
Collateral Damage Potential (CDP) belonged to the CVSS v2 Environmental group and does not exist in v4.0.

1) Purpose
The Environmental Metric Group in CVSS v4.0 represents the characteristics of a vulnerability that are unique to a user's environment. It allows organizations to adjust the Base Score of a vulnerability to reflect its impact within their specific context. This group accounts for the presence of security controls that may mitigate some or all consequences of a vulnerability and the relative importance of a vulnerable system within a technology infrastructure.

2) Impact on Score
The Environmental Metrics enable analysts to customize the CVSS score with inputs regarding IT asset importance and the presence of mitigations, which can increase or decrease the severity of a vulnerability. These metrics are modifiers to the base metric group and are designed to account for aspects of an enterprise that might influence the severity of a vulnerability. The Environmental Metric Group impacts the final CVSS score by allowing adjustments based on the specific environment where the vulnerability exists.

3) Usage
The Environmental Metric Group is used to tailor the CVSS score to an organization's unique environment, considering factors such as the importance of the affected IT asset and the effectiveness of existing security controls. These metrics are the modified equivalent of the Base Metrics and are specified by users to provide a more accurate assessment of the risk posed by a vulnerability in their specific operational context.

4) Calculation
The Environmental Metrics in the Common Vulnerability Scoring System (CVSS) version 4.0 are designed to adjust the Base Score of a vulnerability to reflect the impact within a specific organizational context. These metrics account for the protection goals of the affected system and the presence of security controls that mitigate the vulnerability.
The Environmental Metrics are calculated by first determining the Modified Base Metrics, which are the Base Metrics adjusted for the presence of mitigations or compensating controls; a Modified metric left at Not Defined (X) simply inherits the Base value. The Security Requirements are used to indicate the importance of the affected IT asset to the organization, which can amplify or reduce the severity based on the asset's criticality; a Security Requirement left at Not Defined (X) is treated as High, the worst case.
The final Environmental Score is derived by combining the Modified Base Metrics with the Security Requirements, using the formula specified in the CVSS v4.0 Specification Document. This score provides a more tailored assessment of the vulnerability's severity within the specific environment of the organization.

5) Prioritizing vulnerabilities
Environmental metrics further refine the resulting severity score to a specific computing environment. They consider factors such as the presence of mitigations in that environment and the criticality of the systems. These metrics are specified by users and can lead to a disconnect between the score and the actual risk in the real world due to their subjective nature. However, they are crucial in providing a more precise assessment of vulnerabilities in a specific environment, thus enhancing vulnerability prioritization and risk management.

D. Supplemental Metrics
The Supplemental Metrics provide additional context and describe aspects of a vulnerability that are outside the core CVSS standard. They include:
• Safety (S)
• Automatable (AU)
• Recovery (R)
• Value Density (V)
• Vulnerability Response Effort (RE)
• Provider Urgency (U)

1) Purpose
The purpose of the Supplemental Metric Group is to provide users with contextual information that allows for a more nuanced understanding of vulnerabilities. These metrics offer valuable insights into extrinsic aspects of vulnerabilities, allowing consumers to delve deeper into specific contextual considerations. They are designed to provide a more complete understanding of vulnerabilities by describing and measuring additional extrinsic attributes.

2) Impact on Score
Unlike core CVSS metrics, Supplemental metrics do not contribute to the calculation of CVSS scores. They do not have any impact on the final calculated CVSS score. Instead, they serve as supplementary information for a more nuanced vulnerability assessment. Organizations may then assign importance and/or effective impact to each metric, or set/combination of metrics, giving them more, less, or absolutely no effect on the final risk analysis.
3) Usage
The usage of each metric within the Supplemental metric group is determined by the scoring consumer. This contextual information may be employed differently in each consumer's environment. The information consumer can then use the values of these Supplemental Metrics to take additional actions if they so choose, applying locally significant importance to the metrics and values.

4) Calculation
The Supplemental Metrics in the Common Vulnerability Scoring System (CVSS) version 4.0 are a new addition designed to provide additional context and describe extrinsic attributes of a vulnerability. These metrics are optional and do not contribute to the calculation of the final CVSS score. Instead, they serve as supplementary information for a more nuanced vulnerability assessment.
The usage and response plan of each metric within the Supplemental metric group is determined by the scoring consumer. This contextual information may be employed differently in each consumer's environment. Organizations may then assign importance and/or effective impact to each metric, or set/combination of metrics, giving them more, less, or absolutely no effect on the final risk analysis.

5) Prioritizing vulnerabilities
Supplemental metrics are a new addition in CVSS v4.0. They measure extrinsic attributes of a vulnerability and provide contextual information. These metrics do not affect the vulnerability score but can be used to inform the companies that purchase the products. They include concepts such as "Automatable," "Recovery," and "Vulnerability Response Effort," which provide additional context for vulnerability and remediation teams.

E. Differences
The Supplemental Metric Group is used to provide additional context and does not affect the CVSS score, whereas the Base, Threat, and Environmental Metric Groups contribute directly to the scoring process and are essential for calculating the severity of a vulnerability. The Supplemental Metric Group in CVSS v4.0 is distinct from the Base, Threat, and Environmental Metric Groups in several ways:

Supplemental Metric Group:
• Purpose: Provides additional context and describes extrinsic attributes of a vulnerability that are outside the core CVSS standard
• Impact on Score: The metrics in this group do not impact the final calculated CVSS score. They are optional and are used to convey additional information that may influence an organization's risk analysis and response plan
• Usage: The usage and response plan of each metric within the Supplemental Metric Group is determined by the scoring consumer, and this contextual information may be employed differently in each consumer's environment

Base, Threat, and Environmental Metric Groups:
• Purpose: These groups contain metrics that directly contribute to the calculation of the CVSS score, reflecting the intrinsic qualities of a vulnerability (Base), the real-time threat landscape (Threat), and the specific impact within an organizational context (Environmental)
• Impact on Score: The metrics in these groups directly affect the final CVSS score, with each group providing a different perspective on the severity and impact of the vulnerability
• Usage: The Base Metrics are provided by the organization maintaining the vulnerable system or a third party, while the Threat and Environmental Metrics are intended for end consumers to enrich the Base metrics with additional context

VI. OPERATIONAL TECHNOLOGY EXPOSURE METRICS IN CVSS V4.0
In CVSS v4.0, new metrics have been introduced to address the exposure and impact of vulnerabilities in Operational Technology (OT). These metrics are particularly relevant due to the increasing concerns around the security of OT, industrial control systems (ICS), and the Internet of Things (IoT). The updates aim to provide a more accurate assessment of the risks associated with vulnerabilities in these environments.

A. Safety Metrics
Safety metrics have been added to both the Supplemental and Environmental metric groups in CVSS v4.0: the Supplemental group gains a Safety (S) metric, and the Environmental metrics Modified Subsequent System Integrity (MSI) and Modified Subsequent System Availability (MSA) gain a Safety (S) value. These metrics assess the potential safety impact of exploiting a vulnerability, which is especially important in sectors like healthcare or industrial control systems where safety is a critical concern.

B. OT-Specific Considerations
The new metrics for Operational Technology exposure include considerations for whether the "consequences of the vulnerability meet the definition of IEC 61508," which is a standard for the functional safety of electrical/electronic/programmable electronic safety-related systems. This inclusion reflects the growing concern about OT cyber risk and the need for a scoring system that can adequately capture the unique risks associated with OT environments.

C. Impact on Vulnerable and Subsequent Systems
CVSS v4.0 also emphasizes evaluating the impact of vulnerability exploitation on both the vulnerable system and subsequent systems. This is particularly relevant for OT environments where a vulnerability in one component could potentially have cascading effects on other interconnected systems.

D. Use of Supplemental and Environmental Metrics
While the Supplemental metrics do not directly impact the final CVSS score, they provide valuable contextual information that can be used by organizations to inform their risk analysis and response plans. The Environmental metrics allow for customization of the CVSS scores based on the specific environment, which can include OT settings.
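As an added example (not code from the article or from FIRST) that ties together the Environmental calculation in section V.C, the Threat default in section V.B, the Safety value of MSI/MSA discussed in VI.A, and the rule that Supplemental metrics never enter the score: the following code resolves the effective metric values the v4.0 formula uses (Modified Base overrides, E:X to Attacked, CR/IR/AR X to High) and computes the six-digit MacroVector (EQ1..EQ6) from the specification's equivalence classes. The 270-entry MacroVector-to-score lookup table and the interpolation step are not reproduced, so the result is the MacroVector rather than a numeric score. The SAMPLE dictionary is constructed.

```python
"""Resolve the effective metric values that the CVSS v4.0 formula scores and
compute the MacroVector (EQ1..EQ6) that the formula looks up. Added example,
not code from the article or from FIRST; EQ definitions follow the CVSS v4.0
specification. Input is a plain {metric: value} dict such as a vector-string
parser would produce."""

BASE_METRICS = ("AV", "AC", "AT", "PR", "UI", "VC", "VI", "VA", "SC", "SI", "SA")
IMPACT_METRICS = BASE_METRICS[5:]

# Constructed sample: the Base portion of a remote, unauthenticated
# full-compromise vector with no Threat or Environmental input yet.
SAMPLE = {"AV": "N", "AC": "L", "AT": "N", "PR": "N", "UI": "N",
          "VC": "H", "VI": "H", "VA": "H", "SC": "N", "SI": "N", "SA": "N"}


def effective_metrics(m: dict) -> dict:
    """Values the formula actually uses, after Environmental and Threat defaults.
    - MAV..MSA override the matching Base metric unless left at X.
    - E:X defaults to A (Attacked), the worst case.
    - CR/IR/AR X default to H, the worst case.
    - Supplemental metrics (S, AU, R, V, RE, U) are context only and are
      deliberately not copied into the result."""
    eff = {}
    for name in BASE_METRICS:
        modified = m.get("M" + name, "X")
        eff[name] = m[name] if modified == "X" else modified
    eff["E"] = "A" if m.get("E", "X") == "X" else m["E"]
    for req in ("CR", "IR", "AR"):
        eff[req] = "H" if m.get(req, "X") == "X" else m[req]
    return eff


def score_is_zero(m: dict) -> bool:
    """Spec special case: no impact on any system means a score of 0.0,
    whatever the MacroVector would say."""
    e = effective_metrics(m)
    return all(e[i] == "N" for i in IMPACT_METRICS)


def macrovector(m: dict) -> str:
    """Six equivalence-class digits EQ1..EQ6; a lower digit is more severe."""
    e = effective_metrics(m)
    # EQ1: how reachable the vulnerable system is (AV / PR / UI).
    if e["AV"] == "N" and e["PR"] == "N" and e["UI"] == "N":
        eq1 = 0
    elif (e["AV"] == "N" or e["PR"] == "N" or e["UI"] == "N") and e["AV"] != "P":
        eq1 = 1
    else:
        eq1 = 2
    # EQ2: attack complexity and attack requirements.
    eq2 = 0 if e["AC"] == "L" and e["AT"] == "N" else 1
    # EQ3: vulnerable system impact.
    if e["VC"] == "H" and e["VI"] == "H":
        eq3 = 0
    elif "H" in (e["VC"], e["VI"], e["VA"]):
        eq3 = 1
    else:
        eq3 = 2
    # EQ4: subsequent system impact; Safety (S) is only reachable via MSI/MSA.
    if e["SI"] == "S" or e["SA"] == "S":
        eq4 = 0
    elif "H" in (e["SC"], e["SI"], e["SA"]):
        eq4 = 1
    else:
        eq4 = 2
    # EQ5: exploit maturity (Attacked, Proof-of-Concept, Unreported).
    eq5 = {"A": 0, "P": 1, "U": 2}[e["E"]]
    # EQ6: whether a High security requirement coincides with a High impact.
    eq6 = 0 if ((e["CR"] == "H" and e["VC"] == "H")
                or (e["IR"] == "H" and e["VI"] == "H")
                or (e["AR"] == "H" and e["VA"] == "H")) else 1
    return f"{eq1}{eq2}{eq3}{eq4}{eq5}{eq6}"
```

Two behaviours worth noticing when running it: adding E:U or E:P to the sample changes only the fifth digit (the Threat group can only move the score down from the Attacked default), and setting MSI:S moves EQ4 to its most severe class, which is how an OT safety consequence is expressed through the Environmental group; adding AU:Y or S:P leaves the MacroVector untouched.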