Articles about CVSS

New tool helps organizations ignore CVEs

Ignoring vulnerabilities and exposures may not seem like a good idea, but conventional strategies rely heavily on vulnerability severity (CVSS) and exploitability indicators (EPSS), which ignore whether vulnerabilities are exploitable or already mitigated by existing defenses in a specific organization.

More than 40,000 new CVEs were disclosed in 2024, of which 61 percent were labeled as high or critical, but they won't all be a risk to every business. A new tool from Picus Security allows security teams to verify the exploitability of vulnerabilities and determine which pose real-world risks based on their unique environments.


Critical vulnerabilities found across all cloud providers

A new report from CyCognito highlights critical security vulnerabilities across cloud-hosted material, revealing that one in three easily exploitable vulnerabilities or misconfigurations is found on cloud assets.

Though uncommon, critical vulnerabilities (CVSS 9.0 or higher) have been detected on assets hosted by all cloud providers, with assets hosted by Azure showing a slightly higher percentage (0.07 percent) compared to assets hosted by AWS and Google Cloud (0.04 percent).


Traditional vulnerability assessment falls short on third-party risks

As organizations increasingly rely on third-party vendors, open-source components, and cloud services to bolster efficiency and scalability, they also open themselves to risks.

Historically they've relied on CVSS scores to measure the severity of risks, but a new report from Black Kite suggests that this method alone is not enough.


Top three vulnerabilities of 2023 not covered by CVEs

As we approach the end of the year, a new report from Detectify shows that none of the top three vulnerabilities found across all industries in 2023 were covered by a CVE.

What's more, 75 percent of the total vulnerabilities regularly scanned by Detectify, primarily crowdsourced from its community of ethical hackers, don't have a CVE assigned. This suggests that over-reliance on frameworks like the CVE program can weaken an organization's security posture and give it an unrealistic sense of security.


Relying on CVSS scores for vulnerability management may be misguided

The latest vulnerability intelligence report from Flashpoint finds that 52 percent of all vulnerabilities reported in the first half of 2022 that were scored 10.0 -- the most severe level -- on CVSS are likely scored incorrectly.

When scoring, CVSSv2 guidelines take a 'score for the worst' approach if details of some of the metrics used are unclear. But the report points out this has resulted in many vulnerabilities being scored a 10.0, even though they are actually less severe, simply due to vendors providing fewer details.


Elevation of privilege is the top Microsoft vulnerability category

A new report into Microsoft vulnerabilities shows 2021 saw a 47 percent decrease in critical vulnerabilities, marking the lowest ever total since the report began.

The 2022 Microsoft Vulnerabilities Report from BeyondTrust also reveals that for the second year running, elevation of privilege was the #1 vulnerability category, accounting for 49 percent of all vulnerabilities.


BetaNews, your source for breaking tech news, reviews, and in-depth reporting since 1998.

© 1998-2025 BetaNews, Inc. All Rights Reserved.