This chapter covers the three systems at the core of vulnerability scoring: CVE (Common Vulnerabilities and Exposures), which identifies a vulnerability, and CVSS (Common Vulnerability Scoring System) and EPSS (Exploit Prediction Scoring System), which score it. They are essential for vulnerability management and are directly tested in Domain 2.2 of the CS0-003 exam. Expect 5-10% of exam questions to involve interpreting scores, understanding their differences, or applying them in prioritization scenarios.
Imagine a national health agency that tracks all known diseases. Each disease gets a unique identifier (like CVE). For each disease, doctors create a standardized severity score (like CVSS) based on factors like how contagious it is, how easily it spreads, and what damage it causes. The score ranges from 0 to 10, with 10 being most severe. Separately, epidemiologists build a predictive model (like EPSS) that estimates the probability that a specific disease will cause an outbreak in the next 30 days, based on real-world data like recent cases, travel patterns, and vaccine availability. EPSS gives a probability from 0% to 100%. A disease might have a high CVSS (e.g., 9.0) because it's deadly, but a low EPSS (e.g., 2%) because it's rare and contained. Conversely, a common cold might have low CVSS (2.0) but high EPSS (80%) because it spreads rapidly every winter. Organizations use both: CVSS to prioritize which diseases to research cures for, and EPSS to decide which outbreaks to respond to immediately. This mirrors cybersecurity: CVE identifies vulnerabilities, CVSS measures their inherent severity, and EPSS predicts the likelihood of exploitation in the wild.
What Are CVE, CVSS, and EPSS?
CVE, CVSS, and EPSS are three distinct but complementary systems used to identify, classify, and prioritize vulnerabilities. CVE provides a standardized identifier for each known vulnerability. CVSS assigns a severity score based on intrinsic characteristics of the vulnerability. EPSS predicts the likelihood that a vulnerability will be exploited in the wild within the next 30 days.
CVE (Common Vulnerabilities and Exposures)
CVE is a catalog of publicly known cybersecurity vulnerabilities. Each CVE record has a unique identifier in the format CVE-YYYY-NNNN, where the sequence number has four or more digits (e.g., CVE-2024-12345). The year is the year the ID was reserved or the vulnerability was made public, not necessarily the year it was fixed. Identifiers are assigned by CVE Numbering Authorities (CNAs), which include vendors (Microsoft, Apple), open-source projects, and research organizations; MITRE operates the program and acts as the top-level CNA. The CVE list is maintained by the MITRE Corporation and sponsored by the Cybersecurity and Infrastructure Security Agency (CISA), part of the US Department of Homeland Security (DHS).
Key points about CVE:
CVE does NOT contain severity or risk information. It is merely an identifier.
Each CVE corresponds to one vulnerability. Occasionally the same flaw is reported to two CNAs and receives two IDs; when the duplicate is noticed, one record is marked REJECTED and points to the surviving ID.
CVE entries include a description, references, and the date the CVE was assigned.
The CVE list is freely available and used by vulnerability scanners, patch management tools, and security advisories.
CVSS (Common Vulnerability Scoring System)
CVSS is a framework for measuring the severity of vulnerabilities. It produces a numeric score from 0.0 to 10.0, with 10.0 being the most severe. CVSS v4.0 was published by FIRST in November 2023, but v3.1 is still what most scanners and the NVD report, and it is the version the CS0-003 exam focuses on. Expect v4.0 to appear on future exam versions.
CVSS has three metric groups:
1. Base Metrics: Represent the intrinsic characteristics of a vulnerability that are constant over time and across user environments. They are further divided into:
- Exploitability Metrics: Attack Vector (AV), Attack Complexity (AC), Privileges Required (PR), User Interaction (UI)
- Scope (S): Whether a vulnerability in one component affects resources in another component.
- Impact Metrics: Confidentiality (C), Integrity (I), Availability (A)
2. Temporal Metrics: Reflect characteristics that change over time, such as Exploit Code Maturity (E), Remediation Level (RL), Report Confidence (RC). These are optional.
3. Environmental Metrics: Allow organizations to customize the score based on their specific environment, including Modified Base Metrics and Confidentiality Requirement (CR), Integrity Requirement (IR), Availability Requirement (AR).
The base score is calculated using a formula that combines the base metrics. The formula is not proprietary: it is published in full in the CVSS v3.1 specification, so any tool (or a few lines of code) can reproduce a score from its vector string. The base score ranges from 0.0 to 10.0 with the following severity categories:
None: 0.0
Low: 0.1-3.9
Medium: 4.0-6.9
High: 7.0-8.9
Critical: 9.0-10.0
Key points about CVSS:
CVSS measures severity, not risk. It does not consider the likelihood of exploitation or the value of the affected asset.
The base score is computed from the base metrics and is the most commonly used.
Temporal and environmental metrics can modify the base score, but they are not always provided.
The CVSS vector string encodes all metrics in a standardized format, e.g., CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.
EPSS (Exploit Prediction Scoring System)
EPSS is a data-driven model that estimates the probability that a vulnerability will be exploited in the wild within the next 30 days. It outputs a probability between 0 and 1 (0% to 100%). EPSS is maintained by FIRST (Forum of Incident Response and Security Teams). The model is trained on vulnerability characteristics (age, vendor, CVSS metrics, weakness type), signals such as the availability of public exploit code, and observed exploitation activity contributed by sensor networks and security vendors.
Key points about EPSS:
EPSS is updated daily.
The score is a probability, not a severity. A high EPSS (e.g., 90%) means there is a high likelihood of exploitation soon.
EPSS is used to prioritize vulnerabilities for remediation. For example, an organization might patch all vulnerabilities with EPSS > 0.9 (90%) within 48 hours.
EPSS complements CVSS: a vulnerability might have a high CVSS but low EPSS (e.g., a severe flaw with no public exploit and no observed attacks) and thus may be scheduled rather than patched first.
EPSS does not consider organizational context (e.g., asset value, compensating controls).
How They Work Together
In vulnerability management, CVE identifies the vulnerability, CVSS provides severity, and EPSS provides exploit likelihood. Together, they help prioritize remediation. For example, a CVE with CVSS 9.0 and EPSS 95% should be patched immediately, while a CVE with CVSS 9.0 but EPSS 2% might be scheduled for the next maintenance window.
CVSS Base Metrics in Detail
Each base metric has defined values:
Attack Vector (AV): Network (N), Adjacent (A), Local (L), Physical (P)
Attack Complexity (AC): Low (L), High (H)
Privileges Required (PR): None (N), Low (L), High (H)
User Interaction (UI): None (N), Required (R)
Scope (S): Unchanged (U), Changed (C)
Confidentiality (C): None (N), Low (L), High (H)
Integrity (I): None (N), Low (L), High (H)
Availability (A): None (N), Low (L), High (H)
The base score formula uses these values. For example, a vulnerability that can be exploited remotely with no special conditions and no authentication or user action (AV:N/AC:L/PR:N/UI:N) and has high impact on all three (C:H/I:H/A:H) scores 9.8 (Critical) when Scope is Unchanged (S:U); the same metrics with Scope Changed (S:C) score 10.0, because a Changed scope uses a larger Impact sub-score and multiplies the total by 1.08.
Temporal Metrics
Exploit Code Maturity (E): Not Defined (X), Unproven (U), Proof-of-Concept (P), Functional (F), High (H)
Remediation Level (RL): Not Defined (X), Official Fix (O), Temporary Fix (T), Workaround (W), Unavailable (U)
Report Confidence (RC): Not Defined (X), Unknown (U), Reasonable (R), Confirmed (C)
Environmental Metrics
Modified Base Metrics (MAV, MAC, MPR, MUI, MS, MC, MI, MA): the same values as the base metrics, used to override the published assessment for your environment (e.g., MAV:L when the vulnerable service is only reachable locally).
Confidentiality Requirement (CR): Not Defined (X), Low (L), Medium (M), High (H)
Integrity Requirement (IR): same values
Availability Requirement (AR): same values
EPSS Model Details
EPSS uses features such as:
CVE age (days since publication)
Number of references and the sites that reference the CVE
Vendor and weakness type (CWE)
CVSS base metrics
Availability of public exploit code and inclusion in offensive tooling
Observed exploitation activity reported by data partners (honeypots, IDS/IPS sensors)
The model outputs a percentile rank and a probability. The percentile tells you how a vulnerability compares to others: a vulnerability at the 95th percentile is in the top 5% of most likely to be exploited.
Common Misunderstandings
CVSS is not a risk score; it does not consider the value of the asset or the likelihood of exploitation.
EPSS is not a severity score; it is a probability.
CVE does not provide any scoring.
A high CVSS does not mean a vulnerability will be exploited; a low CVSS does not mean it won't be.
Exam Focus
On the CS0-003 exam, you must be able to:
Interpret a CVSS vector string and determine the base score.
Understand the difference between CVSS and EPSS.
Know that CVSS measures severity, EPSS measures likelihood.
Identify that CVE is just an identifier.
Recognize that temporal and environmental metrics modify the base score.
Know the severity categories: None (0.0), Low (0.1-3.9), Medium (4.0-6.9), High (7.0-8.9), Critical (9.0-10.0).
Identify the CVE Identifier
When a vulnerability is discovered, it is assigned a CVE ID by a CVE Numbering Authority. This ID is used to uniquely reference the vulnerability across all databases and tools. For example, CVE-2024-12345. The CVE entry includes a description, references, and the date of assignment. This step is the foundation for all subsequent scoring.
Assign CVSS Base Metrics
The CVSS base metrics are evaluated based on the vulnerability's characteristics. For example, if the vulnerability can be exploited over the network without authentication, Attack Vector is Network (AV:N), Privileges Required is None (PR:N), User Interaction is None (UI:N). If exploitation requires no special conditions, Attack Complexity is Low (AC:L). The impact on confidentiality, integrity, and availability is assessed as None, Low, or High. Scope is determined: if the vulnerability affects only the vulnerable component, Scope is Unchanged (S:U); if it can affect resources beyond the component's security scope, Scope is Changed (S:C).
Calculate the CVSS Base Score
Using the CVSS v3.1 formula, the base metrics are plugged into an equation that yields a base score between 0.0 and 10.0. The formula is complex but is implemented in online calculators and tools. For example, AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H yields a base score of 9.8 (Critical). The score is then categorized into severity: None (0.0), Low (0.1-3.9), Medium (4.0-6.9), High (7.0-8.9), Critical (9.0-10.0). This score is the most commonly used metric for prioritization.
Apply Temporal and Environmental Metrics
Temporal metrics adjust the base score for the current state of exploits and patches, and they can only lower it or leave it unchanged, never raise it. Exploit Code Maturity High (E:H) and Not Defined (E:X) both carry a weight of 1.0, so a weaponized exploit leaves the score at the base value; an unproven or proof-of-concept exploit (E:U, E:P) reduces it. If an official fix is available (RL:O), the score decreases; if no fix exists (RL:U), it does not. Environmental metrics allow organizations to customize the score to their environment, and these can move the score in either direction: a high Confidentiality Requirement (CR:H) raises it, while a Low requirement or a modified metric such as MAV:L lowers it. These adjustments produce a modified score that reflects the current risk in a specific context.
Determine EPSS Score
The EPSS model uses machine learning to predict the probability of exploitation within 30 days. The model is updated daily with new threat intelligence. For each CVE, EPSS outputs a probability (e.g., 0.75 means 75% chance) and a percentile rank (e.g., 95th percentile). Organizations use EPSS to prioritize vulnerabilities with high exploitation likelihood, regardless of CVSS score. For example, a CVE with CVSS 7.5 but EPSS 90% might be patched before a CVE with CVSS 9.0 but EPSS 2%.
Prioritize Remediation Actions
Using both CVSS and EPSS, organizations create a prioritization matrix. High CVSS and high EPSS vulnerabilities are addressed immediately. High CVSS but low EPSS may be scheduled for regular patching. Low CVSS but high EPSS might be monitored or patched quickly if the asset is critical. The combination ensures efficient use of resources. The exam tests understanding that CVSS alone is insufficient for prioritization; EPSS provides the missing likelihood component.
In a typical enterprise, vulnerability management teams use CVE, CVSS, and EPSS together in their patch management process. For example, a large financial institution uses a vulnerability scanner that outputs a list of CVEs with their CVSS base scores. The team then enriches this list with EPSS scores via an API from FIRST. They create a priority matrix: vulnerabilities with CVSS >= 9.0 and EPSS >= 0.9 are patched within 24 hours; those with CVSS >= 7.0 and EPSS >= 0.5 within 72 hours; others within the next patch cycle. This approach balances severity and likelihood, reducing the risk of being exploited while avoiding unnecessary patching of low-risk vulnerabilities.
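The scanner-plus-EPSS enrichment and tiering described in the prioritization step and in the financial-institution scenario above, as an added example that is not part of the original page: a Python script over a constructed scanner export and a constructed EPSS response. The findings, CVE IDs (placeholders, not real records), asset names and EPSS values are all made up for the example; the response shape (a data list of records with cve, epss, percentile and date as strings) follows the public FIRST EPSS API, but the network fetch is left out so it runs offline. The thresholds are the ones from the scenario (CVSS >= 9.0 and EPSS >= 0.9 within 24 hours; CVSS >= 7.0 and EPSS >= 0.5 within 72 hours; otherwise next cycle), with two additions the text argues for: a low-severity, high-EPSS finding on a critical asset is escalated, and a CVE that EPSS has not scored yet falls back to severity alone instead of being silently treated as 0% likely.

```python
"""Severity x likelihood remediation tiering (added example; not the page's or FIRST's code).

Everything below is constructed for the example: the scanner export, the CVE IDs
(placeholders, not real records), the asset names and the EPSS values. The EPSS
record shape (a "data" list of objects with cve / epss / percentile / date as
strings) follows the public FIRST API, https://api.first.org/data/v1/epss, but
the HTTP fetch is omitted so the script runs offline.
"""
import json
import re

# CVE-YYYY-NNNN: four-digit year, then a sequence number of four or more digits.
CVE_ID = re.compile(r"^CVE-\d{4}-\d{4,}$")

# Constructed scanner export: one row per CVE hit on an asset.
FINDINGS = [
    {"cve": "CVE-2024-00001", "cvss": 9.8, "asset": "vpn-gw-01", "critical_asset": True},
    {"cve": "CVE-2024-00002", "cvss": 9.1, "asset": "lab-box-07", "critical_asset": False},
    {"cve": "CVE-2024-00003", "cvss": 5.0, "asset": "payments-api", "critical_asset": True},
    {"cve": "CVE-2024-00004", "cvss": 7.5, "asset": "wiki-01", "critical_asset": False},
    {"cve": "CVE-2024-00005", "cvss": 8.8, "asset": "build-01", "critical_asset": False},
    {"cve": "2024-00006", "cvss": 6.5, "asset": "dev-01", "critical_asset": False},  # malformed ID
]

# Constructed EPSS response. CVE-2024-00005 is deliberately absent to model a
# freshly published CVE that EPSS has not scored yet.
EPSS_RESPONSE = json.dumps({
    "status": "OK",
    "data": [
        {"cve": "CVE-2024-00001", "epss": "0.970000000", "percentile": "0.999000000", "date": "2024-06-01"},
        {"cve": "CVE-2024-00002", "epss": "0.020000000", "percentile": "0.880000000", "date": "2024-06-01"},
        {"cve": "CVE-2024-00003", "epss": "0.950000000", "percentile": "0.998000000", "date": "2024-06-01"},
        {"cve": "CVE-2024-00004", "epss": "0.600000000", "percentile": "0.970000000", "date": "2024-06-01"},
    ],
})


def parse_epss(payload):
    """Map CVE ID -> (probability, percentile) from an EPSS API-style JSON body."""
    body = json.loads(payload)
    if body.get("status") != "OK":
        raise ValueError("EPSS lookup failed: %r" % body.get("status"))
    return {row["cve"]: (float(row["epss"]), float(row["percentile"])) for row in body["data"]}


def tier(cvss, epss, critical_asset):
    """Remediation SLA from the matrix in the text: severity AND likelihood together.

    epss is None when EPSS has no score for the CVE yet. Falling back to severity
    alone is deliberate: treating a missing score as 0% would bury a brand-new
    Critical behind everything else.
    """
    if epss is None:
        return ("72h" if cvss >= 7.0 else "next-cycle") + " (no EPSS yet, re-check daily)"
    if cvss >= 9.0 and epss >= 0.9:
        return "24h"
    if cvss >= 7.0 and epss >= 0.5:
        return "72h"
    # Low severity but very likely to be exploited, on a critical asset: the
    # case the page warns about. Escalate rather than wait for the patch cycle.
    if epss >= 0.9 and critical_asset:
        return "72h"
    return "next-cycle"


def prioritize(findings, epss_payload):
    """Enrich findings with EPSS, assign a tier, and sort most urgent first.

    Malformed CVE IDs are flagged instead of scored, so a typo in the scanner
    export cannot silently drop a finding into the lowest tier.
    """
    epss = parse_epss(epss_payload)
    rows = []
    for f in findings:
        if not CVE_ID.match(f["cve"]):
            rows.append({**f, "tier": "invalid-cve-id"})
            continue
        prob, pct = epss.get(f["cve"], (None, None))
        rows.append({**f, "epss": prob, "percentile": pct,
                     "tier": tier(f["cvss"], prob, f["critical_asset"])})
    rank = {"24h": 0, "72h": 1, "next-cycle": 2}
    return sorted(rows, key=lambda r: (rank.get(r["tier"].split(" ")[0], 3), -r["cvss"]))


if __name__ == "__main__":
    for r in prioritize(FINDINGS, EPSS_RESPONSE):
        shown = "n/a" if r.get("epss") is None else "%.2f" % r["epss"]
        print("%-15s %-13s CVSS %4.1f  EPSS %-4s -> %s" % (r["cve"], r["asset"], r["cvss"], shown, r["tier"]))
```

Running it prints the queue in SLA order. Note what the output shows: the CVSS 9.1 finding with a 2% EPSS lands in the next cycle behind a CVSS 5.0 finding on a critical asset with a 95% EPSS, which is exactly the inversion the base score alone would get wrong. In production the EPSS map would come from the API or the daily bulk CSV rather than an embedded string, and the thresholds belong in configuration, not code.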
Another scenario: A cloud service provider uses CVSS environmental metrics to adjust scores for their specific infrastructure. For example, a web server vulnerability might have a base CVSS of 8.0, but because the server is network-isolated (lowering the Modified Attack Vector) and has compensating controls, the environmental score is reduced to 5.0. They also use EPSS to identify which vulnerabilities are actively being exploited in the wild. Note that EPSS only scores published CVEs, so a true zero-day has no EPSS value until an ID is assigned; once one is, they watch the daily EPSS value and expedite patching if it climbs above 0.5.
A common mistake is relying solely on CVSS base scores. Consider a hypothetical organization that patched every Critical CVSS vulnerability but ignored a Medium one (CVSS 5.0) whose EPSS was 0.95 (95% likelihood). That vulnerability was the one being used in active ransomware campaigns, and the organization was breached through it. This highlights the importance of using EPSS to catch high-likelihood, lower-severity vulnerabilities.
Performance considerations: EPSS data is updated daily and can be pulled per CVE from the FIRST API, or in bulk as a daily CSV file, which is the better option for large estates (100,000+ CVEs) than tens of thousands of individual API calls. CVSS base scores are widely available: the NVD (National Vulnerability Database) publishes CVSS v3.1 base scores and vector strings for most CVEs (and v4.0 for newer ones). However, temporal and environmental metrics are not provided by NVD; organizations must compute them internally.
Misconfiguration: Some organizations set a fixed threshold for CVSS (e.g., patch all with CVSS >= 7.0) without considering EPSS. This leads to wasted effort on high-severity but low-likelihood vulnerabilities and missed critical low-severity but high-likelihood ones. The exam tests this mistake.
The CS0-003 exam objective 2.2 (Vulnerability Management) specifically tests your ability to 'interpret vulnerability scoring systems and prioritize remediation actions.' Questions will require you to:
Identify the correct CVE format (CVE-YYYY-NNNNN).
Understand that CVSS measures severity, not risk.
Know that EPSS measures likelihood of exploitation.
Recognize that CVE is just an identifier.
Interpret a CVSS vector string and determine the base score or severity category.
Understand that temporal and environmental metrics modify the base score.
Know the severity categories: None (0.0), Low (0.1-3.9), Medium (4.0-6.9), High (7.0-8.9), Critical (9.0-10.0).
Common wrong answers on the exam:
1. 'CVSS measures risk.' This is false; CVSS measures severity. Risk is commonly modeled as severity × likelihood × asset value, and EPSS provides the likelihood component.
2. 'EPSS is a severity score.' EPSS is a probability, not a severity.
3. 'CVE provides a severity score.' CVE is only an identifier; severity comes from CVSS.
4. 'A high CVSS means the vulnerability is being exploited.' CVSS does not indicate exploitation; EPSS does.
5. 'CVSS base score is the final score used for prioritization.' Organizations should use temporal and environmental metrics for context-specific prioritization, and EPSS for likelihood.
Specific numbers and terms that appear verbatim:
CVSS v3.1
Base Score categories: None, Low, Medium, High, Critical with exact ranges.
EPSS probability range 0-1 (or 0%-100%).
EPSS updated daily.
CVE format: CVE-YYYY-NNNN (at least 4 digits after the year; longer sequence numbers are allowed).
Edge cases: The exam might present a scenario where a vulnerability has a high CVSS but low EPSS, and ask how to prioritize. The expected answer is to schedule it behind high-likelihood items rather than patch it immediately, because exploitation is unlikely; it is not ignored, and a highly exposed or critical asset can still move it up. Another edge case: a vulnerability with low CVSS but high EPSS should be prioritized if the asset is critical. Also, temporal metrics such as Exploit Code Maturity can only lower the base score or leave it unchanged: functional or weaponized exploit code (E:F, E:H) keeps the score at or near the base value, while unproven exploit code (E:U) or an available official fix (RL:O) reduces it.
To eliminate wrong answers, focus on the definitions: CVSS = severity, EPSS = likelihood, CVE = ID. If an answer says 'CVSS predicts exploitation,' it's wrong. If an answer says 'EPSS measures severity,' it's wrong.
CVE is a unique identifier for vulnerabilities; it does not provide severity or risk information.
CVSS v3.1 measures severity on a scale of 0-10, with categories: None (0), Low (0.1-3.9), Medium (4.0-6.9), High (7.0-8.9), Critical (9.0-10.0).
CVSS base metrics include Attack Vector, Attack Complexity, Privileges Required, User Interaction, Scope, and Impact (Confidentiality, Integrity, Availability).
EPSS predicts the probability of exploitation within 30 days; it is a likelihood score, not a severity score.
EPSS is updated daily and uses machine learning on threat intelligence data.
For effective prioritization, combine CVSS (severity) with EPSS (likelihood) and asset criticality.
Temporal and environmental metrics can modify the CVSS base score to reflect current and context-specific factors.
The exam tests the ability to interpret CVSS vector strings and understand the difference between severity and likelihood.
These come up on the exam all the time. Here's how to tell them apart.
CVSS
Measures severity (0-10).
Based on intrinsic vulnerability characteristics.
Does not consider real-world exploitation.
Static until updated by analysts.
Used for initial prioritization based on potential impact.
EPSS
Measures likelihood of exploitation (0-100%).
Based on real-world threat intelligence and machine learning.
Updated daily based on current threat landscape.
Dynamic and changes as exploit activity evolves.
Used to refine prioritization based on actual risk.
Mistake
CVSS measures the risk of a vulnerability.
Correct
CVSS measures severity, not risk. Risk involves likelihood and asset value, which CVSS does not consider. EPSS provides likelihood, and asset value is determined by the organization.
Mistake
EPSS is a severity score like CVSS.
Correct
EPSS is a probability score (0-100%) indicating the likelihood of exploitation within 30 days. It is not a severity measure.
Mistake
CVE includes a severity rating.
Correct
CVE is only an identifier. Severity ratings come from CVSS, which is often associated with a CVE via the NVD or other databases, but the CVE entry itself does not contain a score.
Mistake
A high CVSS score means the vulnerability is being actively exploited.
Correct
CVSS does not indicate exploitation. A high CVSS means the vulnerability is severe if exploited, but it may not be exploited in the wild. EPSS indicates likelihood of exploitation.
Mistake
CVSS base score is sufficient for prioritization.
Correct
Base score alone is insufficient. Organizations should incorporate temporal and environmental metrics for context, and EPSS for likelihood. Prioritization should consider both severity and likelihood.
CVSS measures the severity of a vulnerability based on its intrinsic characteristics, such as attack vector and impact. It produces a score from 0 to 10. EPSS measures the likelihood that a vulnerability will be exploited in the wild within the next 30 days, producing a probability from 0% to 100%. CVSS answers 'how bad is it?' while EPSS answers 'how likely is it to be exploited?' Both are used together for prioritization.
The CVSS base score is calculated using a formula that incorporates base metrics: Attack Vector, Attack Complexity, Privileges Required, User Interaction, Scope, Confidentiality Impact, Integrity Impact, and Availability Impact. Each metric has a numeric value, and the formula combines them to produce a score between 0 and 10. The formula is documented in the CVSS v3.1 specification and is implemented in online calculators. For example, AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H yields a base score of 9.8.
CVE identifiers follow the format CVE-YYYY-NNNNN, where YYYY is the year the CVE was assigned or the vulnerability was disclosed, and NNNNN is a sequence number of at least four digits (e.g., CVE-2024-12345). The sequence number may have leading zeros. The identifier is unique and maintained by MITRE.
Yes, if the same vulnerability is discovered independently by different researchers or reported to different CNAs, it may be assigned multiple CVE IDs. However, efforts are made to merge duplicates. In practice, most vulnerabilities have a single CVE ID.
EPSS scores are recalculated daily by FIRST using the latest data, including newly published CVEs, new public exploit code, and fresh exploitation observations. The underlying model itself is retrained and re-released less often, as numbered model versions, but the daily refresh ensures the scores reflect the current exploitation landscape.
A CVSS vector string is a text representation of all the metrics used to compute a CVSS score. It starts with 'CVSS:3.1/' followed by metric abbreviations and values. For example: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. This string can be used to reproduce the score in any CVSS calculator.
First, identify all CVEs affecting your environment. For each, note the CVSS base score and EPSS probability. Create a matrix: high CVSS (>=7.0) and high EPSS (>=0.5) should be patched immediately. High CVSS but low EPSS can be scheduled for regular patching. Low CVSS but high EPSS may be patched quickly if the asset is critical. Always consider asset value and compensating controls. The goal is to address vulnerabilities with the highest risk, which is a combination of severity and likelihood.