Understanding CVSS Scores: Reading Vulnerability Severity
How to interpret CVSS scores, what Base/Temporal/Environmental metrics mean, and using severity to prioritize patching
When you look up a CVE on the National Vulnerability Database, one of the first things you see is a numeric score between 0.0 and 10.0. That is the CVSS score – the Common Vulnerability Scoring System – and it is the industry standard for communicating how severe a vulnerability is. For Mac administrators deciding what to patch first, CVSS is one of your most important prioritization inputs.
The CVSS Scale
CVSS produces a score from 0.0 to 10.0, mapped to qualitative severity ratings:
| Score Range | Severity | Mac Admin Action |
|---|---|---|
| 0.0 | None | No action required |
| 0.1 – 3.9 | Low | Patch during regular maintenance cycles |
| 4.0 – 6.9 | Medium | Patch within standard SLA (e.g., 30 days) |
| 7.0 – 8.9 | High | Prioritize for next available maintenance window |
| 9.0 – 10.0 | Critical | Deploy immediately; consider emergency change process |
Tip: CVSS alone does not tell you whether a vulnerability is being exploited. Always cross-reference with KEV status for a complete risk picture.
CVSS Versions: v3.1 and v4.0
The most widely used version today is CVSS v3.1, which is the version the NVD currently assigns to most CVE records. CVSS v4.0 was released in 2023 and introduces refinements, but adoption across tools and databases is still growing. The core concepts are similar across both versions.
This article focuses on CVSS v3.1 concepts, with notes on v4.0 differences where relevant.
The Three Metric Groups
CVSS is not a single calculation. It consists of three metric groups, each adding context:
Base Score
The Base Score reflects the intrinsic characteristics of the vulnerability that do not change over time or across environments. This is the score you see most often on the NVD and in security advisories. It is calculated from eight metrics divided into two categories:
Exploitability Metrics
These describe how the vulnerability is exploited:
| Metric | What It Measures | Higher Severity When… |
|---|---|---|
| Attack Vector (AV) | How the attacker reaches the vulnerable component | Network (remote) vs. Physical (requires hands-on access) |
| Attack Complexity (AC) | Conditions beyond the attacker’s control that must exist | Low complexity (easy to exploit reliably) |
| Privileges Required (PR) | Level of access needed before exploitation | None (no authentication needed) |
| User Interaction (UI) | Whether a user must take action | None (no user action needed) |
Impact Metrics
These describe the consequences of successful exploitation:
| Metric | What It Measures | Higher Severity When… |
|---|---|---|
| Scope (S) | Whether the vulnerability affects resources beyond its component | Changed (impacts other components) |
| Confidentiality (C) | Impact on information secrecy | High (all information disclosed) |
| Integrity (I) | Impact on data trustworthiness | High (all data modifiable) |
| Availability (A) | Impact on system accessibility | High (complete denial of service) |
Temporal Score
The Temporal Score adjusts the Base Score based on factors that change over time:
- Exploit Code Maturity – Does a working exploit exist? A theoretical vulnerability scores lower than one with public exploit code.
- Remediation Level – Is a patch available? Unavailable fixes increase the temporal score.
- Report Confidence – How well-verified is the vulnerability? Confirmed flaws score higher than unverified reports.
Temporal scores are optional and less commonly published. When absent, the Base Score is typically used as the primary metric.
Environmental Score
The Environmental Score lets you customize the CVSS rating for your specific environment. This is where Mac admins can add the most value:
- Modified Base Metrics – Adjust any Base Score metric to reflect your deployment. For example, if a vulnerability requires network access but the affected service is only available on an isolated VLAN, you can lower the Attack Vector.
- Confidentiality/Integrity/Availability Requirements – Weight the impact metrics based on what matters most for your fleet. A vulnerability affecting availability on a kiosk Mac may score differently than the same flaw on a developer workstation with access to source code.
Tip: CVSS v4.0 merges the Temporal and Environmental groups into a more flexible supplemental metric system. The core concept remains: adjust the score based on your context.
Reading a CVSS Vector String
Every CVSS score includes a vector string that encodes all metric values. Learning to read it lets you quickly understand a vulnerability without visiting the NVD page.
Example vector string for a WebKit vulnerability:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Breaking this down:
| Component | Value | Meaning |
|---|---|---|
AV:N | Network | Exploitable remotely (via web content) |
AC:L | Low | No special conditions required |
PR:N | None | No authentication needed |
UI:R | Required | User must visit a malicious page |
S:U | Unchanged | Impact limited to the vulnerable component |
C:H | High | Complete confidentiality loss |
I:H | High | Complete integrity loss |
A:H | High | Complete availability loss |
This vector produces a Base Score of 8.8 (High) – consistent with a WebKit type confusion flaw that requires a user to visit a crafted webpage but then grants full code execution.
Practical Prioritization: CVSS + KEV
CVSS scores are a necessary but insufficient prioritization tool. A CVSS 6.5 vulnerability that is on the KEV catalog is a more urgent patching target than a CVSS 9.0 vulnerability with no known exploitation.
The recommended prioritization matrix:
| KEV Status | CVSS Critical/High | CVSS Medium | CVSS Low |
|---|---|---|---|
| On KEV list | Patch immediately | Patch within 48-72 hours | Patch within 1 week |
| Not on KEV | Patch within 1 week | Patch within 30 days | Patch in next cycle |
This approach combines the severity signal from CVSS with the threat signal from KEV status, giving you a practical framework for triage.
Example: Scoring an Apple CVE
Consider a hypothetical kernel privilege escalation vulnerability in macOS:
- Attack Vector: Local – The attacker needs code execution on the device (e.g., through a malicious app).
- Attack Complexity: Low – The exploit works reliably.
- Privileges Required: Low – A standard user account is sufficient.
- User Interaction: None – No additional user action beyond running the malicious app.
- Scope: Unchanged – The kernel is the target component.
- CIA Impact: High/High/High – Full system compromise.
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H = 7.8 (High)
This 7.8 score reflects a serious local privilege escalation. If this CVE also appears on the KEV catalog, it becomes an immediate patching priority – attackers are actively chaining it with other vulnerabilities (like WebKit flaws) to achieve remote exploitation.
Using CVSS in Your Patching Workflow
Integrate CVSS into your Mac fleet management:
- Set SLAs by severity – Define patching deadlines for Critical, High, Medium, and Low severity CVEs in your security policy.
- Cross-reference KEV status – Adjust SLAs downward (faster patching) for any CVE on the KEV catalog.
- Apply Environmental scoring – Use the Environmental metrics to adjust scores for your fleet. A server running macOS in a data center has different risk than a laptop on public Wi-Fi.
- Automate reporting – Pull CVSS data from the NVD API and correlate with your MDM inventory to generate fleet risk reports.
# Fetch CVSS data for a specific CVE from the NVD API
curl -s "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2025-31200" \
| jq '.vulnerabilities[0].cve.metrics.cvssMetricV31[0].cvssData | {score: .baseScore, severity: .baseSeverity, vector: .vectorString}'
Next Steps
- Understand how vulnerability identifiers work: What Is a CVE?
- Track actively exploited vulnerabilities: Understanding CISA KEVs
- Explore the vulnerability database that hosts CVSS data: What Is the NVD?