CVSS Explained - Vulnerability Scoring and Its Limitations
CVSS explained
The Common Vulnerability Scoring System (CVSS) is a widely used standard for assessing the severity of security vulnerabilities. The system assigns a numerical score between 0.0 and 10.0 to vulnerabilities in order to make risks comparable and to prioritize remediation efforts. The score is based on several technical characteristics of a vulnerability. These include the attack vector, required privileges, attack complexity, and the potential impact on the confidentiality, integrity, and availability of a system.
The three CVSS scoring components
Base Score
The Base Score describes the fundamental technical properties of a vulnerability, the ones that do not change over time or between environments. It combines exploitability metrics (Attack Vector, Attack Complexity, Privileges Required, User Interaction) with impact metrics (Confidentiality, Integrity, Availability) and, in CVSS 3.x, a Scope metric that records whether a successful exploit escapes the security boundary of the vulnerable component. For example, it evaluates whether the vulnerability can be exploited over a network, whether the attacker first needs an account or a user's cooperation, and what a successful attack does to the affected system.
Temporal Score
The Temporal Score reflects factors that may change over time: whether a working exploit exists (Exploit Code Maturity), whether a patch or workaround has been published (Remediation Level), and how well the vulnerability is confirmed (Report Confidence). It can only keep or lower the Base Score, never raise it. In CVSS 4.0 this group was renamed Threat and reduced to the single Exploit Maturity metric.
Environmental Score
The Environmental Score allows organizations to adjust the severity rating to their specific environment. Modified Base metrics override the assumed attack conditions (for example, a service that is reachable only from the local network rather than from the internet), and the Confidentiality, Integrity and Availability Requirements weight the impact by how much each property matters for the affected asset. The same vulnerability may therefore receive a different score depending on where it exists within an infrastructure. Note that scanners and vulnerability databases normally publish only the Base Score, so this adjustment is something the organization has to make itself.
A critical perspective on CVSS
Although CVSS is often presented as an objective standard, many of its metrics rely on assumptions and interpretation (is an attack "complex", does the exploit really cross a scope boundary). As a result, different analysts may assign different scores to the same vulnerability, and the vendor's score and the NVD's score for the same CVE regularly disagree. Another limitation is that the Base Score, which is usually the only score anyone reports, ignores the real context of an IT environment. In practice, risks often emerge through the combination of multiple weaknesses or specific architectural decisions. A vulnerability with a relatively low CVSS score may therefore become critical if it forms part of an attack path or enables access to sensitive systems. Conversely, vulnerabilities with high scores may be difficult to exploit in practice when additional security controls are in place.
For this reason, experienced penetration testers treat CVSS primarily as a prioritization tool. The actual risk assessment should always consider realistic attack scenarios and potential attack paths within the target environment.
Analyzing and calculating CVSS scores
The CVSS 4.0 Decoder can be used to break down CVSS vectors and understand how individual parameters influence the resulting score. To calculate scores manually, the CVSS 4.0 Calculator allows users to adjust individual metrics and explore how different attack scenarios affect the final score.
Even a single step in one parameter, such as Attack Vector moving from Network to Adjacent or Privileges Required from None to Low, can change the resulting score by a full point or more. Therefore, CVSS should always be seen as a prioritization aid rather than a complete assessment of real-world security risk.
FAQ
Frequently Asked Questions
An ethical hacker is someone who attacks systems — with permission and with a clear goal: finding vulnerabilities before they are exploited.
Ethical hackers think like real attackers. They don’t look for theoretical issues, but for practical ways to actually break in, access data, or gain control. The difference from a criminal is not the technique, but the mandate.
At Hackeroo, this means: no show, no buzzword bingo. We test in a focused, responsible, and transparent way. Everything we find is documented clearly, assessed realistically, and explained so it can be fixed.
In short: ethical hackers break in so no one else can later.
A penetration test is a controlled attack on your IT systems with one clear goal: finding vulnerabilities before real attackers do.
We think and act like attackers. We don’t just scan the surface — we actively try to exploit security weaknesses in web applications, APIs, networks, cloud environments, and internal systems. We combine automated tooling with deep manual analysis, experience, and creativity.
The result is not a buzzword-filled report, but a clear answer to the most important question: How would someone actually break in — and how do you stop exactly that?
A penetration test exposes real risks, prioritizes them in a way that makes sense, and delivers concrete, actionable recommendations. No marketing. No checklists. Real security.
Red teaming is a realistic attack against your organization — not against a single system, but against the entire security concept.
Unlike classic penetration tests, red teaming does not follow a fixed scope or a checklist. The goal is to get as far as possible using real attacker tactics while staying undetected: technical attacks, abuse of processes, and bypassing controls. Exactly how real attackers would operate.
The focus is not on individual vulnerabilities, but on one key question: How well does your organization detect, prevent, and stop a real attack? Technology, people, and processes are tested together.
Red teaming delivers an honest, no-filter view of where security measures actually work — and where they only exist on paper.
The difference lies in how much information the pentester receives before the engagement starts.
Blackbox:
No prior information. The tester starts with almost no knowledge — similar to an external attacker.
This approach is realistic but inefficient, as significant time is spent on reconnaissance instead of structured vulnerability testing.
Learn more about Blackbox penetration testing.
Greybox:
The tester receives relevant information such as network ranges, subdomains, or test accounts.
This enables an efficient and structured assessment of the defined attack surface.
In practice, this is usually the most practical and cost-effective approach.
Learn more about Greybox penetration testing.
Whitebox:
Full transparency. Documentation, configurations, and often source code are provided.
This allows maximum technical depth but can become audit-like and is not always more efficient.
Learn more about Whitebox penetration testing.
Our recommendation:
In most cases, a well-prepared greybox penetration test offers the best balance between realism, depth, and efficiency.