Does CVSS 4.0 solve the exploitability problem?

The newest version of the vulnerability scoring system, CVSS 4.0, is here! After a lengthy gap since version 3, version 4.0 has been officially live since November 2023.
Version 3.0, and CVSS in general, was quite good at measuring the "Impact" of a vulnerability but much weaker at scoring its "Exploitability".
Attack complexity - in version 3.0, the attack complexity parameter was binary, with only two options, high or low, nothing in between, and it was open to completely subjective interpretation.
In version 4.0 this has been split into two parameters: attack complexity and attack requirements.
While the attack complexity parameter sadly hasn't changed, attack requirements introduces the prerequisite deployment and execution conditions that need to be in place for the attack to succeed - for example: a specific configuration setting of a web server, presence of a specific code dependency, etc.
This is a welcome addition, because version 3.0 took an "all or nothing" approach to user interaction as well: an attack that required the user to interact 4 or 5 times was scored the same as one that required a single click on a URL. There are other minor changes to other parameters and to wording that streamline scoring, but these are the primary ones.
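To make the metric changes concrete, here is an added Python example (not code from the article, nor from FIRST or the CVSS project) that parses and validates CVSS v3.1 and v4.0 base vector strings and reports the exploitability-side metrics discussed above: attack complexity, the new attack requirements metric, and the richer user-interaction metric. The metric abbreviations and allowed values follow the published CVSS specifications; the sample vectors are constructed for the demonstration. It goes a step beyond the article by also accepting v3.1 vectors, so the same hypothetical bug can be compared under both versions.

```python
"""Parse and validate CVSS v3.1 / v4.0 base vectors and describe the
exploitability-side metrics that changed between the two versions.

Added illustration only: metric names and allowed values follow the
published CVSS specifications; the sample vectors are constructed.
"""
from __future__ import annotations

# Base metrics per version: metric -> allowed values (first = most severe).
BASE_METRICS = {
    "3.1": {
        "AV": "NALP", "AC": "LH", "PR": "NLH", "UI": "NR", "S": "UC",
        "C": "HLN", "I": "HLN", "A": "HLN",
    },
    "4.0": {
        "AV": "NALP", "AC": "LH", "AT": "NP", "PR": "NLH", "UI": "NPA",
        "VC": "HLN", "VI": "HLN", "VA": "HLN",
        "SC": "HLN", "SI": "HLN", "SA": "HLN",
    },
}

# Human-readable meanings for the metrics the article focuses on.
MEANINGS = {
    "AC": {"L": "low complexity", "H": "high complexity"},
    "AT": {"N": "no deployment/configuration prerequisites",
           "P": "specific deployment/configuration conditions required"},
    "UI": {"N": "no user interaction",
           "R": "user interaction required (v3, no degree expressed)",
           "P": "passive user interaction",
           "A": "active user interaction"},
}


def parse_vector(vector: str) -> tuple[str, dict[str, str]]:
    """Return (version, metrics) for a base vector, or raise ValueError."""
    parts = vector.strip().split("/")
    if not parts[0].startswith("CVSS:"):
        raise ValueError("vector must start with 'CVSS:<version>'")
    version = parts[0][len("CVSS:"):]
    if version not in BASE_METRICS:
        raise ValueError(f"unsupported CVSS version {version!r}")
    allowed = BASE_METRICS[version]
    metrics: dict[str, str] = {}
    for part in parts[1:]:
        if part.count(":") != 1:
            raise ValueError(f"malformed metric {part!r}")
        name, value = part.split(":")
        if name not in allowed:
            # Threat/temporal/environmental metrics are out of scope here.
            raise ValueError(f"unknown or non-base metric {name!r} for v{version}")
        if value not in allowed[name]:
            raise ValueError(f"invalid value {value!r} for metric {name} in v{version}")
        if name in metrics:
            raise ValueError(f"duplicate metric {name}")
        metrics[name] = value
    missing = [m for m in allowed if m not in metrics]
    if missing:
        raise ValueError(f"missing base metrics: {', '.join(missing)}")
    return version, metrics


def is_valid_vector(vector: str) -> bool:
    """Convenience wrapper: True if the vector is a well-formed base vector."""
    try:
        parse_vector(vector)
        return True
    except ValueError:
        return False


def exploitability_summary(vector: str) -> dict[str, str]:
    """Describe AC, AT and UI for a vector, noting what v4.0 adds over v3.1."""
    version, m = parse_vector(vector)
    out = {
        "version": version,
        "AC": MEANINGS["AC"][m["AC"]],
        "UI": MEANINGS["UI"][m["UI"]],
    }
    if version == "4.0":
        out["AT"] = MEANINGS["AT"][m["AT"]]
    else:
        out["AT"] = "not expressible in v3.1 (prerequisites were folded into AC)"
    return out


if __name__ == "__main__":
    # Constructed vectors for one hypothetical bug scored under each version.
    samples = [
        "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
        "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
    ]
    for v in samples:
        print(v)
        for key, text in exploitability_summary(v).items():
            print(f"  {key}: {text}")
```

Running the script prints the two constructed vectors with their metric descriptions; the v3.1 line shows that a configuration prerequisite has nowhere to go except the subjective AC:H, while the v4.0 line carries it explicitly as AT:P and distinguishes active from passive user interaction.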
News URL
https://www.helpnetsecurity.com/2024/01/31/cvss-4-0-scoring-system/
Related news
- Critical Apache Roller Vulnerability (CVSS 10.0) Enables Unauthorized Session Persistence
- Critical Erlang/OTP SSH Vulnerability (CVSS 10.0) Allows Unauthenticated Code Execution
- Cisco Patches CVE-2025-20188 (10.0 CVSS) in IOS XE That Enables Root Exploits via JWT
- Microsoft Fixes 78 Flaws, 5 Zero-Days Exploited; CVSS 10 Bug Impacts Azure DevOps Server
- Why CVSS is failing us and what we can do about it