Every week, new security vulnerabilities become public, far more than a company can close in a timely manner. So that everyone involved can talk about the same problems, there are two standards: CVE names vulnerabilities uniquely, and CVSS makes their severity comparable. Anyone who classifies both correctly prioritizes better and ties up fewer resources in the wrong places.
What are CVE and CVSS?
CVE stands for Common Vulnerabilities and Exposures and is a public catalog of specific, disclosed vulnerabilities. Each vulnerability receives a unique identifier following the pattern CVE-year-number, for example CVE-2024-12345. The entries are assigned by authorized bodies known as CNAs, coordinated by the US organization MITRE. An entry describes which product is affected in which versions and references further information from the manufacturer. This makes it unambiguous what is being referred to when an advisory, a scanner or a service provider cites an identifier.
CVSS stands for Common Vulnerability Scoring System and quantifies how serious a vulnerability is. The standard is maintained by the international consortium FIRST. The result is a value between 0.0 and 10.0, supplemented for orientation by the levels low, medium, high and critical. In short: CVE identifies a vulnerability, and CVSS rates it.
How does scoring with CVSS work?
The CVSS value is composed of several metric groups:
- Base metrics: They describe the permanent properties of a vulnerability: is it exploitable over the network or only locally? Does the attacker need privileges or an action by the user? How severely do confidentiality, integrity and availability suffer? From this comes the base score that manufacturers and databases publish.
- Temporal metrics: They reflect the development over time, such as whether exploit code is publicly available and whether the manufacturer already provides a patch. In the current version, CVSS 4.0, this group is called threat metrics.
- Environmental metrics: They adapt the assessment to your own company: how important is the affected system, and which protective measures already exist? Only this adaptation turns the generic value into a company-specific statement.
- Vector string: The assessment is documented as a compact character string. This keeps it traceable how a value came about, and teams can recalculate it for their own environment.
In practice, the base score is usually the one cited. This is exactly where the trap lies: a vulnerability with a value of 9.8 on an isolated test system can be more harmless than a 7.5 on an internet-facing server with customer data. Reachability, exposure, business criticality and active exploitation all play a part. Good vulnerability management therefore combines the CVSS value with context, for example with indications of active exploitation and with reachability analyses from your own network.
Why it matters
- They create a common language between manufacturers, scanners, service providers and authorities, without which a coordinated response would hardly be possible.
- Advisories, scanner findings and patches can be clearly matched to one another.
- CVSS provides a first, comparable estimate of how dangerous a vulnerability is in principle.
- Patch policies and contracts can refer to defined thresholds, for example deadlines for critical vulnerabilities.
- Reports to management and auditors become traceable because they are based on an open standard.
Typical scenarios
- A manufacturer publishes an advisory with a CVE identifier, and the team checks via the inventory which systems use the affected version.
- After its weekly run, the vulnerability scanner reports hundreds of findings, and the team has to decide which to address first.
- A vulnerability with a medium score is being actively exploited and therefore moves ahead of formally critical but practically hard-to-reach findings.
- No patch yet exists for a vulnerability, and until then interim measures such as stricter network rules provide protection. If it is a previously unknown vulnerability, it is called a zero-day .
- The environmental metrics downgrade a vulnerability on a strictly isolated legacy system, documented and with justification.
CVE vs. CWE
CVE refers to a specific vulnerability in a specific product, including the affected versions. CWE (Common Weakness Enumeration), by contrast, catalogs abstract classes of weaknesses, such as SQL injection or buffer overflows. A CWE class thus stands behind many individual CVE entries. For operations, CVE is what counts: which systems need which patch? For development and procurement, CWE is more interesting: which classes of weakness recur in your own or purchased products, and how can they be avoided in the future?
Prioritizing and mitigating vulnerabilities at KAEMI
A score does not replace a decision. KAEMI helps companies turn assessments into effective measures. A central lever is reachability: with Zero Trust microsegmentation , the number of systems that can reach a vulnerable component at all decreases. This mitigates many findings before a patch is applied, and it demonstrably improves the rating in the environmental metrics. For exposed applications, Application Security adds protective mechanisms that intercept known attack patterns while the patch window is still open. If you would like to put your prioritization on a solid footing, contact us via our contact form .