<!doctype html><html><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><meta name="viewport" content="width=device-width,initial-scale=1"><title>Navigating CVSS v4.0: Metrics, Changes, and Real-World Impact | Vulners</title><meta name="title" content="Navigating CVSS v4.0: Metrics, Changes, and Real-World Impact | Vulners"><meta name="description" content="Explore the evolution of cybersecurity with a deep dive into CVSS v4.0. Discover its refined metrics, real-world implications, and practical insights for comprehensive vulnerability assessment."><meta name="keywords" content=""><meta name="author" content="Dmitry Uchakin"><meta name="robots" content="index, follow"><link rel="canonical" href="https://vulners.com/blog/cvss-v4/"><link rel="shortcut icon" type="image/png" href="/blog/assets/img/vulners_favicon.svg"><link rel="apple-touch-icon" href="/blog/assets/img/vulners_logo.svg"><link rel="dns-prefetch" href="https://fonts.googleapis.com"><link rel="preconnect" href="https://fonts.googleapis.com"><link rel="dns-prefetch" href="https://fonts.gstatic.com"><link rel="preconnect" href="https://fonts.gstatic.com" crossorigin><link href="https://fonts.googleapis.com/css2?family=Inter:wght@400;500;600;700;800;900&display=swap" rel="stylesheet"><link rel="stylesheet" href="/blog/assets/css/main.css"><script type="application/ld+json">{ "@context": "https://schema.org", "@type": "Article", "headline": "Navigating CVSS v4.0: Metrics, Changes, and Real-World Impact | Vulners", "image": [ "/blog/assets/img/cvss_v4_title.png" ], "datePublished": "2023-12-12T00:00:00.000Z", "author": { "@type": "Person", "name": "Dmitry Uchakin", "url": "https://github.com/uchakin" } }</script></head><body class="flex flex-col h-screen bg-white text-gray-800 break-words"><div class="flex"><main class="mx-7 lg:mx-6 mt-28 flex-grow"><div class="v-article-content-box"><article class="max-w-5xl mx-auto"><header id="content-header" class="mb-14"><div class="flex flex-row justify-between border-b-1 py-2 mb-5 v-post-meta"><div class="text-center"><span class="v-color-grey-light">Published</span> 12 December 2023 12:00 AM</div><div class="flex items-center"><div class="text-center ml-0.5">6 min. read</div></div></div><h1 class="mt-0 mb-3">Navigating CVSS v4.0: Metrics, Changes, and Real-World Impact</h1><div class="mt-3 text-center"></div><div class="mt-10 -mx-7 md:mx-0"><img class="w-full max-w-2xl mx-auto" src="/blog/assets/img/cvss_v4_title.png" width="960" height="500" alt="This post thumbnail"></div></header><div id="content" class="prose text-gray-800 max-w-none"><h2 id="Introduction" tabindex="-1"><strong>Introduction</strong></h2><p>On November 1, 2023, the cybersecurity community witnessed the official launch of Common Vulnerability Scoring System version 4.0 (<a href="https://www.first.org/cvss/calculator/4.0">CVSS v4.0</a>), an area that last saw a major revision over eight years ago with CVSS v3.1 in June 2019. In this article, we will delve into the intricacies of this new framework and explore the reasons behind its incorporation into the Vulners database.</p><p>CVSS v4 isn't just an upgrade. 
It's a comprehensive refinement, introducing unprecedented granularity in Base Metrics.</p><p>The success of CVSS v4 depends not only on its technical merits, but also on its adoption by the cybersecurity community. We'll examine the challenges and opportunities of integrating this new framework into existing workflows, including ensuring vendor support and fostering community.</p><h2 id="Expectations-from-a-new-CVSS-version" tabindex="-1"><strong>Expectations from a new CVSS version</strong></h2><p>As the cybersecurity community anticipates the upgrade of the Common Vulnerability Scoring System to version 4 (CVSS v4), some key expectations are emerging:</p><ol><li><strong>Improved granularity:</strong> The community expects CVSS v4 to provide a more detailed breakdown of basic metrics, giving professionals a finer understanding of vulnerabilities for better decision-making.</li><li><strong>Real-world effectiveness:</strong> The practical effectiveness of CVSS v4 is a focus. It is expected that the refined metrics will result in more accurate vulnerability assessments, thereby supporting proactive risk mitigation.</li><li><strong>Timely updates and feedback loop:</strong> A responsive feedback loop is expected to ensure timely updates and refinements to CVSS v4 based on emerging cybersecurity threats and evolving landscapes.</li><li><strong>National Vulnerability Database (NVD) Integration:</strong> Anticipation surrounds the integration of CVSS v4 data into the National Vulnerability Database (NVD), improving standardized vulnerability assessments and supporting broader industry adoption.</li></ol><p>As CVSS v4 evolves, meeting these expectations will be critical to realizing its effectiveness and fostering widespread adoption within the cybersecurity community.</p><h2 id="Technical-Changes-in-CVSS-4.0" tabindex="-1"><strong>Technical Changes in CVSS 4.0</strong></h2><p>The new score consists of 5 groups:</p><ol><li>Base metrics</li><li>Supplemental 
metrics</li><li>Environmental metrics <strong>(Modified Base Metrics)</strong></li><li>Environmental metrics <strong>(Security Requirements)</strong></li><li>Threat metrics</li></ol><p>Below, we provide additional details on what has changed and what has remained the same.</p><h3 id="1.-Base-metrics-(Updated)" tabindex="-1"><strong>1. Base metrics (Updated)</strong></h3><p><img src="/blog/assets/img/cvss_v4_ill1.png" alt=""></p><p><strong>Attack Complexity and Attack Requirements (split):</strong> CVSS 4.0 brings a refined approach to the Attack Complexity parameter by splitting it into two components: Attack Complexity and Attack Requirements. This split allows for a more detailed analysis of vulnerability scenarios. Attack Complexity now addresses highly specialized attacks, while Attack Requirements covers situations where successful exploitation depends on specific usage conditions. It is expected that the open-source ecosystem will make less use of Attack Requirements, as it is tailored to specialized attacks.</p><p><strong>Privileges Required (New):</strong> The introduction of the Privileges Required parameter in CVSS 4.0 brings small but important changes for clarity. While the value of the parameter remains largely unchanged, these adjustments are intended to provide more precise and concise wording. Anticipated usage suggests that there will be no significant changes in how this parameter is used for vulnerability assessment. However, the clarifications will contribute to a more effective evaluation of privilege requirements in the vulnerability assessment process.</p><p><strong>User Interaction (Updated):</strong> CVSS 4.0 introduces a notable update to the User Interaction parameter, expanding it to include three values: None, Passive, and Active. 
This expansion provides a more nuanced assessment of attack conditions.</p><ul><li><strong>None:</strong> Indicates scenarios where the vulnerable system can be exploited without any interaction from a human user apart from the attacker.</li><li><strong>Passive:</strong> Includes attacks that are executed through involuntary actions by the victim.</li><li><strong>Active:</strong> Applied when the attack relies on the victim to perform specific, deliberate interactions with the vulnerable system and the attacker's payload. Alternatively, when the victim's interactions actively subvert protection mechanisms, resulting in the exploitation of the vulnerability. This update introduces a change in how the user interaction parameter is used in vulnerability assessments.</li></ul><p><strong>Scope (retired — replaced by Subsequent System Impact Metrics):</strong> CVSS 4.0 marks the retirement of the Scope parameter, replacing it with Subsequent System Impact Metrics. This change is intended to provide better severity distribution and improve the accuracy of vulnerability impact assessments. The Subsequent System Impact Metrics not only parameterize the change in scope, but also determine the impact on the subsequent system. This change introduces a more accurate impact assessment that provides a comprehensive understanding of the impact of the vulnerability beyond the initial system compromise.</p><h3 id="2.-Supplemental-Metric-Group-(new)" tabindex="-1"><strong>2. Supplemental Metric Group (new)</strong></h3><p><img src="/blog/assets/img/cvss_v4_ill2.png" alt=""></p><p>In a notable addition, CVSS v4.0 introduces the Supplemental Metric Group. This optional metric group is designed to provide a more complete understanding of vulnerabilities by offering additional extrinsic attributes. 
The Supplemental Metric Group is designed to provide users with contextual information that allows them to take additional steps in risk analysis beyond the core CVSS metrics.</p><p><strong>Key Aspects of the Supplemental Metric Group:</strong></p><ol><li><strong>Optional Nature:</strong></li></ol><ul><li>The Supplemental Metric Group is entirely optional, providing flexibility in its application.</li><li>Unlike core CVSS metrics, Supplemental metrics do not contribute to the calculation of CVSS scores. Instead, they serve as supplementary information for a more nuanced vulnerability assessment.</li></ul><ol start="2"><li><strong>Contextual Insights:</strong></li></ol><ul><li>Supplemental metrics offer valuable insights into extrinsic aspects of vulnerabilities, allowing consumers to delve deeper into specific contextual considerations.</li><li>These metrics act as a complementary layer, enriching the overall risk analysis process by addressing diverse factors associated with vulnerabilities.</li></ul><h3 id="34.-Environmental-Metrics-(updated-and-divided)" tabindex="-1"><strong>3/4. 
Environmental Metrics (updated and divided)</strong></h3><p><img src="/blog/assets/img/cvss_v4_ill3.png" alt=""></p><p>This strategic split aims to enhance the precision and depth of vulnerability assessments in diverse real-world scenarios.</p><ol><li><p><strong>Environmental (Modified Base Metrics):</strong></p><ul><li><strong>Goal:</strong> This metric focuses on comprehending the influence of vulnerabilities in specific operational setups.</li><li><strong>Details:</strong> It considers elements such as network structure and compensating controls customized for the unique conditions of the environment.</li><li><strong>Importance:</strong> Provides a more accurate assessment of the actual risk presented by a vulnerability.</li></ul></li><li><p><strong>Environmental (Security Requirements):</strong></p><ul><li><strong>Goal:</strong> Evaluating the efficiency of current security measures to meet various security needs.</li><li><strong>Details:</strong> Examines present security controls, evaluating their suitability considering the identified vulnerability.</li><li><strong>Importance:</strong> Recognizing the varying implications of a vulnerability depending on the strength of existing security measures.</li></ul></li></ol><h3 id="5.-Threat-Metrics" tabindex="-1"><strong>5. Threat Metrics</strong></h3><p><img src="/blog/assets/img/cvss_v4_ill4.png" alt=""></p><p>In the realm of CVSS 4.0, Threat Metrics introduce significant changes, especially in the part formerly known as Temporal Score. Our primary focus is on Exploit Code Maturity, which is now called Exploit Maturity, presenting a more concise paradigm with four distinct values. 
One noteworthy alteration is the elimination of the Functional value to consolidate the metric, enabling a more refined assessment.</p><p><strong>The Four Faces of Exploit Maturity.</strong></p><ol><li><strong>Not Defined.</strong> When reliable threat intelligence is difficult to obtain, this value plays a crucial role in recognizing the uncertainty and encouraging vigilance in the absence of clear Exploit Maturity characteristics.</li><li><strong>Attacked (formerly High).</strong> Use this value when attacks have been reported or when the exploit has reached a level of maturity by integrating into solutions such as exploit kits. This indicates a significant change towards a more detailed comprehension of active threats.</li><li><strong>PoC (Proof-of-Concept)</strong>. Deploy when a proof-of-concept is publicly available, or if there are no publicly available solutions or reported attempts to simplify exploitation. This value enhances specificity for a more targeted evaluation.</li><li><strong>Unreported</strong>. In scenarios where threat intel is available but neither PoC nor Attacked are applicable, the Unreported value fills the gap, acknowledging the diversity of threat landscapes and impacting Exploit.</li></ol><p><strong>Maturity Parameter Usage.</strong></p><ul><li>This updated version redefines and consolidates values to streamline the Exploit Maturity parameter. The goal is to enhance the assessment of threats, aligning with the dynamic nature of cybersecurity in the CVSS 4.0 era. As these changes transform the way we gauge the exploit landscape, it's crucial to stay informed, empowering us to fortify our defenses with better decision-making.</li></ul><h2 id="Conclusions" tabindex="-1"><strong>Conclusions</strong></h2><p>In conclusion, the launch of Common Vulnerability Scoring System version 4.0 marks a significant milestone in the cybersecurity community. 
With its improved granularity and comprehensive refinement of base metrics, CVSS v4.0 is expected to provide professionals with a finer understanding of vulnerabilities, enabling better decision-making in risk assessment and mitigation.</p><p>As the cybersecurity community anticipates the impact of CVSS v4.0, it's important to acknowledge the challenges and opportunities that come with its adoption. Integrating the new framework into existing systems and workflows may pose challenges, but the potential for more accurate vulnerability assessments and proactive risk mitigation makes it a worthwhile endeavor.</p><p>We at Vulners are committed to staying at the forefront of cybersecurity and will integrate CVSS v4.0 into our database as soon as possible, meaning when major players like NIST NVD start using it and publishing the scores. This integration will allow us to add more intelligence to vulnerabilities, providing the cybersecurity community with standardized and up-to-date information for a more comprehensive understanding of potential risks.</p><p>Overall, CVSS v4.0 represents a significant step forward in vulnerability assessment, and we look forward to its widespread adoption and the enhanced cybersecurity practices it will facilitate.</p></div></article></div></main></div></body></html>
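The five metric groups and the value changes described in the article (User Interaction with None/Passive/Active, Exploit Maturity without Functional, Scope retired, Supplemental metrics kept out of the score) can be checked mechanically on a vector string. The following is an added example, not code from the article or from Vulners: the metric abbreviations and allowed values are taken from the FIRST CVSS v4.0 specification rather than from this page, and the sample vectors are constructed.

```python
PREFIX = "CVSS:4.0"

# Abbreviations and allowed values follow the FIRST CVSS v4.0 specification
# (an assumption of this example; the article names only some of them).
BASE = {m: tuple(v) for m, v in {
    "AV": "NALP", "AC": "LH", "AT": "NP", "PR": "NLH",
    "UI": "NPA",                             # None / Passive / Active
    "VC": "HLN", "VI": "HLN", "VA": "HLN",   # impact on the vulnerable system
    "SC": "HLN", "SI": "HLN", "SA": "HLN",   # subsequent system impact (replaces Scope)
}.items()}
THREAT = {"E": tuple("XAPU")}  # Not Defined / Attacked / PoC / Unreported
SECURITY_REQUIREMENTS = {m: tuple("XHML") for m in ("CR", "IR", "AR")}
MODIFIED_BASE = {"M" + m: ("X",) + v for m, v in BASE.items()}
MODIFIED_BASE["MSI"] = MODIFIED_BASE["MSA"] = tuple("XSHLN")  # S = Safety
SUPPLEMENTAL = {
    "S": tuple("XNP"), "AU": tuple("XNY"), "R": tuple("XAUI"),
    "V": tuple("XDC"), "RE": tuple("XLMH"),
    "U": ("X", "Clear", "Green", "Amber", "Red"),
}

# Group names as listed in the article.
GROUPS = {
    "Base": BASE,
    "Supplemental": SUPPLEMENTAL,
    "Environmental (Modified Base Metrics)": MODIFIED_BASE,
    "Environmental (Security Requirements)": SECURITY_REQUIREMENTS,
    "Threat": THREAT,
}


class VectorError(ValueError):
    """Raised when a string is not a well-formed CVSS v4.0 vector."""


def parse_vector(vector):
    """Return {group name: {metric: value}}; raise VectorError on bad input."""
    prefix, _, rest = vector.partition("/")
    if prefix != PREFIX:
        raise VectorError(f"not a CVSS v4.0 vector (prefix {prefix!r})")
    grouped = {name: {} for name in GROUPS}
    seen = set()
    for item in rest.split("/"):
        metric, sep, value = item.partition(":")
        if not sep:
            raise VectorError(f"malformed component {item!r}")
        if metric in seen:
            raise VectorError(f"metric {metric} repeated")
        seen.add(metric)
        for name, table in GROUPS.items():
            if metric in table:
                if value not in table[metric]:
                    raise VectorError(f"{metric}:{value} is not a v4.0 value")
                grouped[name][metric] = value
                break
        else:
            raise VectorError(f"unknown metric {metric}")
    missing = [m for m in BASE if m not in grouped["Base"]]
    if missing:
        raise VectorError("missing mandatory base metrics: " + ", ".join(missing))
    return grouped


def scoring_metrics(grouped):
    """Metrics that feed the score: every group except Supplemental."""
    return {m: v for name, metrics in grouped.items()
            if name != "Supplemental" for m, v in metrics.items()}


def explain(vector):
    """Return None for a valid v4.0 vector, else the reason it was rejected."""
    try:
        parse_vector(vector)
    except VectorError as exc:
        return str(exc)
    return None


# Constructed sample vectors (not taken from any real advisory).
BASE_ONLY = "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
FULL = ("CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:L/SI:N/SA:N"
        "/E:A/CR:H/MAV:A/AU:Y/U:Red")
V31_STYLE = "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"

if __name__ == "__main__":
    for group, metrics in parse_vector(FULL).items():
        print(f"{group}: {metrics}")
    print("scored:", sorted(scoring_metrics(parse_vector(FULL))))
    for bad in (V31_STYLE, BASE_ONLY.replace("UI:N", "UI:R"),
                BASE_ONLY + "/E:F", BASE_ONLY + "/S:C"):
        print(bad, "->", explain(bad))
```

In v4.0 the abbreviation `S` belongs to the Supplemental Safety metric, so a v3.1-style Scope component such as `S:C` is rejected on its value rather than as an unknown metric.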
