CVE Score


CVE Score is the numerical value assigned to a specific security vulnerability to indicate its severity. While "CVE" stands for Common Vulnerabilities and Exposures (the list of unique identifiers for publicly known cybersecurity flaws, like CVE-2023-12345), the score itself comes from the Common Vulnerability Scoring System (CVSS).

In cybersecurity, this score provides a standardized method for organizations to assess a vulnerability's potential impact and prioritize which patches to apply first.

What is a CVE Score?

A CVE Score is a decimal number ranging from 0.0 to 10.0 that represents the severity of a vulnerability. A higher score indicates a more critical vulnerability that could lead to significant damage if exploited.

These scores are typically generated by the National Vulnerability Database (NVD) or by the software vendor that identifies the flaw (acting as a CVE Numbering Authority, or CNA). The score is calculated from several metrics, such as how easily the flaw can be exploited and its impact on the system's confidentiality, integrity, and availability.

CVE Score Severity Ratings

The industry standard for categorizing these scores comes from CVSS v3.1. These qualitative ratings help security teams quickly understand the urgency of a threat without needing to analyze the technical details immediately.

  • None (0.0): No impact or risk.

  • Low (0.1 – 3.9): Minimal impact; often requires physical access or highly complex conditions to exploit.

  • Medium (4.0 – 6.9): Moderate impact; may require some user interaction (like clicking a link) or local network access.

  • High (7.0 – 8.9): Significant impact; often exploitable remotely but might require privileges or complex conditions.

  • Critical (9.0 – 10.0): Severe impact; typically exploitable remotely without user interaction or authentication, leading to full system compromise.

How is a CVE Score Calculated?

The score is derived from three distinct metric groups. While the Base Score is the one most commonly seen in public databases, the other two allow organizations to tailor the score to their specific environment.

1. Base Metrics (The Standard Score)

This represents the intrinsic qualities of the vulnerability that do not change over time or across different environments. It includes:

  • Attack Vector: How the attacker reaches the vulnerability (e.g., via the Internet, local network, or physical access).

  • Attack Complexity: The level of difficulty involved in exploiting the flaw.

  • Privileges Required: The level of access the attacker needs (e.g., none, standard user, or admin) to launch the attack.

  • User Interaction: Whether a user needs to perform an action (like opening a file) for the exploit to work.

  • Scope: Whether the vulnerability in one component can impact other unrelated components (a "Changed" scope increases the score).

  • Impact Metrics: The potential loss of Confidentiality, Integrity, and Availability (the CIA Triad).

2. Temporal Metrics

These metrics modify the Base score based on factors that change over time.

  • Exploit Code Maturity: Is there a known method or code available to exploit this? (CVSS v3.1 grades this as "Unproven", "Proof-of-Concept", "Functional", or "High".)

  • Remediation Level: Is there a patch, workaround, or temporary fix available?

  • Report Confidence: How reliable is the report of the vulnerability?

3. Environmental Metrics

These metrics customize the score for a specific organization.

  • Security Requirements: Organizations can raise the score if the affected system is critical (e.g., a patient database vs. a cafeteria menu server).

  • Modified Base Metrics: If the organization has mitigations in place (like an air-gapped network), they can lower the potential impact scores for their specific context.

Common Questions About CVE Scores

Is a CVE score the same as risk? No. A CVE score measures severity (technical impact), not risk. Risk also includes the likelihood of an attack happening to your specific organization. A "Critical" vulnerability on a server that is turned off poses zero risk, even though its severity score remains 10.0.

Who assigns the CVE Score? Scores are typically assigned by CVE Numbering Authorities (CNAs), which include major IT vendors (such as Microsoft, Oracle, and Cisco) and research organizations. The National Vulnerability Database (NVD) then analyzes the vulnerability and provides an official CVSS score.

What is the difference between CVSS v3.1 and v4.0? CVSS v3.1 is currently the most widely adopted standard. CVSS v4.0 is a newer version that adds greater granularity, specifically by introducing "Attack Requirements" and removing the "Scope" metric to reduce confusion. It provides a more accurate assessment of modern threats, but vendors are still adopting it.

Why do some vulnerabilities have two different scores? Sometimes the software vendor and the National Vulnerability Database (NVD) calculate scores differently because they interpret the vulnerability differently. Security teams often take the higher of the two scores to be safe, or rely on the vendor's score, since the vendor has intimate knowledge of the code.


Operationalizing CVE Scores with ThreatNG and Vulnerability Intelligence

ThreatNG transforms static, theoretical CVE Score data into dynamic, actionable intelligence. While a CVE Score indicates the severity of a software flaw, it does not account for the context of that flaw within an organization's specific digital footprint. ThreatNG bridges this gap by discovering where these vulnerabilities exist on the external attack surface, assessing their actual exposure, and determining if threat actors are actively targeting them using specialized intelligence repositories.

External Discovery

A high CVE score is only relevant if the organization knows it is using the vulnerable software. ThreatNG’s External Discovery module performs a comprehensive, outside-in sweep of the entire digital infrastructure to find every asset, including those unknown to the IT department.

  • Identifying Shadow IT: ThreatNG locates forgotten subdomains, development servers, and cloud buckets that may be running outdated software with Critical (9.0+) CVE scores. Without this discovery, these high-severity vulnerabilities would remain invisible to internal patch management teams.

  • Supply Chain Mapping: The solution identifies third-party vendors and partners connected to the organization’s network. If a vendor is running a web server with a known high-CVE vulnerability, ThreatNG flags this third-party risk, helping ensure the organization is not compromised via a trusted connection.

External Assessment

Once an asset is found, ThreatNG goes beyond simple version detection. It applies a contextual assessment to understand the true risk associated with a CVE score in a specific environment.

  • Contextual Analysis: ThreatNG identifies a web server running an older version of PHP associated with a CVE score of 9.8 (Critical). However, the External Assessment module determines that the specific vulnerable function is not exposed to the public internet or is mitigated by a configuration setting. ThreatNG adjusts the "Cyber Risk Exposure" rating accordingly, allowing the team to focus on unmitigated threats first.

  • Web Application Hijack Susceptibility: A discovered subdomain might have a low-severity CVE associated with its SSL configuration. However, ThreatNG’s assessment indicates that the subdomain points to an unclaimed cloud service (a "dangling DNS" record). Even though the software CVE is low, the assessment highlights a high susceptibility to Subdomain Takeover, which a standard vulnerability scanner might deprioritize based on the CVE score alone.

Reporting

ThreatNG addresses the "vulnerability overload" problem by correlating CVE scores with external exposure data to generate prioritized reports.

  • Risk-Based Prioritization: Instead of providing a flat list of thousands of CVEs, ThreatNG reports highlight the intersection of High Severity (high CVE score) and High Exposure (publicly accessible). This ensures that remediation teams address "Critical" vulnerabilities on public-facing production servers before addressing "Medium" vulnerabilities on internal-only assets.

  • Executive Visibility: The reporting module translates technical CVE metrics into business-risk language, showing stakeholders how specific vulnerabilities (such as a widespread zero-day) affect the organization's overall security posture and compliance status.

Continuous Monitoring

New CVEs are published daily. ThreatNG ensures that an organization’s security posture is re-evaluated in real-time as new threats emerge.

  • Zero-Day Detection: When a new high-score CVE is announced for a common technology (e.g., Log4j or an Exchange Server flaw), ThreatNG’s continuous monitoring immediately scans the known attack surface to identify every instance of that technology. This provides an instant "impact assessment" without waiting for a scheduled weekly or monthly scan.

  • Drift Detection: If a system administrator inadvertently exposes a previously internal server hosting legacy software with known vulnerabilities, ThreatNG detects the change immediately. It alerts the team that a "dormant" high-CVE risk has suddenly become an active external threat.

Investigation Modules

ThreatNG provides deep-dive capabilities to investigate the implications of a CVE beyond the surface level.

  • Sensitive Code Exposure: ThreatNG scans a repository and identifies source code that exposes the implementation details of a software library known to have a CVE. By analyzing the code, the module confirms that the vulnerable method is indeed being called and that hardcoded API keys are present nearby. This elevates the finding from a "potential" vulnerability to a "confirmed" critical risk requiring immediate code refactoring.

  • Domain Intelligence: A scan identifies a typosquatted domain (e.g., company-support.com instead of company.com) hosting a cloned login page. While the phishing site itself might not have high CVE scores on its server software, the Domain Intelligence module identifies it as a malicious asset. This distinction ensures that security teams prioritize the takedown of the phishing site even if it doesn't trigger traditional vulnerability alerts.

Intelligence Repositories

ThreatNG enriches bare CVE scores with threat intelligence to reveal the "exploitability" of a vulnerability. This is where DarCache becomes critical.

  • DarCache Vulnerability Intelligence: This repository focuses on the operational status of CVEs. It determines if a theoretical vulnerability has a working Proof-of-Concept (PoC) exploit code available in the wild. If ThreatNG finds an asset with a CVE score of 7.0, but the DarCache Vulnerability repository confirms that a "weaponized" exploit kit is currently circulating for it, ThreatNG elevates the priority above a CVE 9.0 vulnerability that has no known method of exploitation. This allows teams to patch what is hackable rather than just what is severe.

  • DarCache Dark Web Intelligence: ThreatNG checks if a specific CVE is being discussed in underground forums. If a vulnerability is actively being traded or requested by threat actors in the DarCache dark web repository, ThreatNG flags it as an imminent target, regardless of its technical score.

  • Ransomware Intelligence: This repository correlates specific CVEs with known ransomware entry vectors. If a discovered asset has a vulnerability (like BlueKeep or EternalBlue) that is a known precursor to ransomware deployment, ThreatNG flags it as an enterprise-critical threat.

Cooperation with Complementary Solutions

ThreatNG acts as the "Targeting System" for the broader cybersecurity ecosystem. It identifies the external risks and feeds that intelligence to complementary solutions to execute the defense.

  • Complementary Solution (Vulnerability Management): ThreatNG integrates with Vulnerability Management (VM) platforms by providing a complete inventory of external assets. ThreatNG identifies "unknown" assets that the VM platform misses, ensuring the VM tool scans 100% of the infrastructure for CVEs rather than just the known 80%.

  • Complementary Solution (SIEM): ThreatNG pushes alerts about exposed high-CVE assets to Security Information and Event Management (SIEM) systems. This allows the SOC to correlate external exposure data with internal network logs. If ThreatNG reports "Server A has a Critical CVE" and the SIEM detects "Traffic from Russia hitting Server A," the incident is escalated to the highest priority.

  • Complementary Solution (WAF & API Gateways): When ThreatNG identifies a web application vulnerable to a specific CVE (e.g., SQL Injection), it provides the necessary intelligence to Web Application Firewalls (WAFs) and API Gateways. WAF administrators can then apply "virtual patches"—specific rules to block exploit traffic—buying time for developers to apply the actual software patch.

  • Complementary Solution (SOAR): ThreatNG triggers workflows in Security Orchestration, Automation, and Response (SOAR) platforms. If ThreatNG detects a critical, easily exploitable vulnerability on a non-production port, the SOAR platform can automatically block that port at the firewall level until a human analyst reviews the finding.

Examples of ThreatNG Helping

  • Helping prioritize patch cycles: During a major vulnerability disclosure (such as a new SSL/TLS flaw), ThreatNG helps an organization instantly identify which of their hundreds of subdomains are actually running the affected protocol version. Using DarCache Vulnerability Intelligence, the team confirms that exploit code is available, allowing them to patch the exposed servers before updating internal systems.

  • Helping validate third-party risk: ThreatNG helps a company assess a potential acquisition target by discovering that the target's primary e-commerce platform is running on a software version with multiple unpatched Critical CVEs. This intelligence enables the acquiring company to recalculate the merger cost to include immediate remediation expenses.

  • Helping prevent exploitation of "Low" severity bugs: ThreatNG helps identify a chain of "Low" CVEs that, when combined with a misconfigured cloud bucket, create a "Critical" risk path. By highlighting this composite risk and verifying the exploitability via DarCache, ThreatNG prevents a breach that standard scoring mechanisms would have missed.
