PT0-002 | Chapter 38 of 104 | Objective 4.1

CVSS Scoring in Penetration Test Reports

This chapter covers the Common Vulnerability Scoring System (CVSS) as used in penetration test reports, a critical topic for the CompTIA PenTest+ PT0-002 exam, particularly under Objective 4.1 (Report Writing and Communication). Approximately 10–15% of exam questions touch on CVSS interpretation, calculation, or application in reporting. You will learn the CVSS v3.1 structure, how to compute Base, Temporal, and Environmental scores, and how to present these scores effectively in penetration test reports to drive remediation decisions.

25 min read
Intermediate
Updated May 31, 2026

CVSS Like Medical Triage Severity Score

Imagine a hospital emergency room with a triage nurse. When a patient arrives, the nurse assigns a severity score from 1 to 10 based on vital signs, injury type, and likelihood of deterioration. A score of 10 means immediate life threat (e.g., cardiac arrest), while a 1 is a minor scrape. This score determines treatment priority, resource allocation, and reporting urgency. In cybersecurity, CVSS works the same way: a vulnerability is scored based on Base metrics (intrinsic severity like attack vector and complexity), Temporal metrics (current exploit code availability), and Environmental metrics (impact on your specific systems). Just as triage scores are standardized across hospitals, CVSS provides a common language for risk. However, the triage score alone doesn't dictate treatment—a patient with a 9 (stroke) might be treated before a 10 (cardiac arrest) if the stroke window is shorter. Similarly, CVSS base scores must be combined with business context for remediation prioritization. The exam tests your ability to interpret each metric group and compute the final score, not just memorize numbers.

How It Actually Works

What is CVSS and Why It Exists

The Common Vulnerability Scoring System (CVSS) is a free and open industry standard for assessing the severity of computer system security vulnerabilities. Developed and maintained by the Forum of Incident Response and Security Teams (FIRST), CVSS provides a numeric score (0.0–10.0) that reflects the relative severity of a vulnerability. The purpose is to enable organizations to prioritize remediation efforts by providing a consistent, repeatable, and objective severity measurement. In penetration test reports, CVSS scores translate technical findings into business risk language that stakeholders can understand and act upon. The current version on the exam is CVSS v3.1, which replaced v3.0 in 2019. You will not be tested on v2.0 or v4.0 (which is still draft as of 2024).

CVSS Metric Groups

CVSS v3.1 consists of three metric groups:

- Base Metrics: Intrinsic characteristics of a vulnerability that are constant over time and across user environments. These produce the Base Score (0.0–10.0).
- Temporal Metrics: Characteristics that change over time, such as exploit code maturity or patch availability. These modify the Base Score to produce the Temporal Score.
- Environmental Metrics: Characteristics that are unique to a user's environment, such as security controls or asset criticality. These modify the Temporal Score to produce the Environmental Score.

For PT0-002, you must understand how each metric affects the score and be able to interpret a given CVSS vector string.

Base Metrics in Detail

The Base Score is computed from two sub-scores: Exploitability (E) and Impact (I). Exploitability measures how easy it is to exploit the vulnerability; Impact measures the consequences of successful exploitation.

Exploitability Metrics:

- Attack Vector (AV): How the attacker can reach the vulnerability. Values: Network (N) – exploitable remotely over a network (highest score contribution); Adjacent (A) – limited to the same broadcast or physical segment; Local (L) – requires local access; Physical (P) – requires physical contact.
- Attack Complexity (AC): Conditions beyond the attacker's control. Values: Low (L) – no special conditions; High (H) – requires special preparation or timing.
- Privileges Required (PR): Level of privileges the attacker must have. Values: None (N), Low (L), High (H).
- User Interaction (UI): Whether exploitation requires another user. Values: None (N), Required (R).
- Scope (S): Whether the vulnerability affects components beyond the security scope (e.g., a hypervisor vs. a VM). Values: Unchanged (U) – impact stays within the same authority; Changed (C) – impact crosses boundaries.

Impact Metrics:

- Confidentiality (C): Information disclosure. Values: None (N), Low (L), High (H).
- Integrity (I): Data alteration. Values: None (N), Low (L), High (H).
- Availability (A): Service disruption. Values: None (N), Low (L), High (H).

Computing the Base Score

The official CVSS v3.1 calculator uses formulas defined in the FIRST specification. The process:

1. Compute the Impact sub-score (ISS) from C, I, A: ISS = 1 - [(1 - C) × (1 - I) × (1 - A)].
2. Compute the Impact score: if Scope is Unchanged, Impact = 6.42 × ISS; if Changed, Impact = 7.52 × (ISS - 0.029) - 3.25 × (ISS - 0.02)^15.
3. Compute the Exploitability score: Exploitability = 8.22 × AV × AC × PR × UI.
4. Compute the Base Score: if Impact ≤ 0, Base = 0. Otherwise, if Scope is Unchanged, Base = min(Impact + Exploitability, 10); if Changed, Base = min(1.08 × (Impact + Exploitability), 10).

You do NOT need to memorize these formulas for the exam, but you must understand how changing a metric (e.g., AV from N to A) affects the score direction.

Temporal Metrics

Temporal metrics modify the Base Score based on current exploitability and patch availability.

- Exploit Code Maturity (E): How mature is the available exploit code? Values: Not Defined (X) – use default; Unproven (U); Proof-of-Concept (P); Functional (F); High (H).
- Remediation Level (RL): Availability of fixes. Values: Not Defined (X); Official Fix (O); Temporary Fix (T); Workaround (W); Unavailable (U).
- Report Confidence (RC): Confidence that the vulnerability exists. Values: Not Defined (X); Unknown (U); Reasonable (R); Confirmed (C).

The Temporal Score = Base Score × E × RL × RC. Each metric has a multiplier less than or equal to 1.0, so the Temporal Score is always ≤ Base Score.

Environmental Metrics

Environmental metrics allow customization to your environment. They include:

- Modified Base Metrics: The same metrics as the Base group, prefixed with M (MAV, MAC, etc.). You can override the Base metrics for your environment.
- Confidentiality Requirement (CR), Integrity Requirement (IR), Availability Requirement (AR): How critical each security objective is to your organization. Values: Not Defined (X), Low (L), Medium (M), High (H). These modify the Impact sub-score.

The Environmental Score is computed by first recalculating the Base Score with modified metrics, then applying the requirements multipliers to the Impact sub-score.

CVSS Vector String

A CVSS v3.1 vector string is a compact representation of all metrics. Example:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

This represents a vulnerability with Network attack vector, Low complexity, No privileges required, No user interaction, Unchanged scope, and High impact on all three security objectives – i.e., a critical remote code execution.

For PT0-002, you must be able to read a vector string and identify the score category (None: 0.0, Low: 0.1–3.9, Medium: 4.0–6.9, High: 7.0–8.9, Critical: 9.0–10.0).

CVSS in Penetration Test Reports

In a penetration test report, CVSS scores are typically presented in the findings section. Each vulnerability should include:

- CVSS Vector String: For reproducibility.
- Base Score and Severity: E.g., 9.8 (Critical).
- Temporal Score (if applicable): If exploit code is known.
- Environmental Score (if applicable): If the client provides asset criticality.
- Rationale: Explanation of why each metric was chosen, especially for subjective metrics like Attack Complexity.

Common mistakes in reports:

Using default values for all metrics without justification.

Ignoring Scope when the vulnerability crosses trust boundaries (e.g., a VM escape).

Not recalculating Environmental scores when the client provides asset values.

Exam Relevance

The PT0-002 exam expects you to:

Identify the correct CVSS v3.1 vector string from a description.

Determine which metric group (Base, Temporal, Environmental) is being modified.

Understand that CVSS is a severity score, not a risk score – risk = severity × likelihood × impact (business context).

Know that CVSS scores are used in reports to prioritize remediation, but should not be the sole factor.

Trap Patterns

Confusing CVSS with risk: CVSS measures intrinsic severity; risk incorporates business context. A Critical CVSS vulnerability on a non-critical system may be lower priority than a High CVSS on a crown jewel.

Assuming Temporal metrics always reduce score: While multipliers are ≤1.0, if all are set to 'Not Defined', the Temporal Score equals Base. The exam may present a scenario where Temporal metrics are not defined, and the candidate assumes a lower score.

Misinterpreting Scope: Scope Changed means the vulnerability can affect resources beyond the vulnerable component's security authority (e.g., a container breakout). This significantly increases the Impact score formula.

Forgetting that Environmental metrics can increase the score: If Confidentiality Requirement is High, the Impact sub-score is multiplied by 1.5, potentially raising the Environmental Score above the Base Score.

Commands and Tools

While PT0-002 does not require command-line CVSS calculation, you should be familiar with:

FIRST CVSS v3.1 Calculator (online or offline spreadsheets).

NVD (National Vulnerability Database) which uses CVSS v3.1 for published CVEs.

cvss Python library or similar for automation.

Example of calculating a Base Score manually using the formula (for understanding). Given vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

- AV = 0.85, AC = 0.77, PR = 0.85, UI = 0.85 (these are the actual multipliers used in the formula).
- Exploitability = 8.22 × 0.85 × 0.77 × 0.85 × 0.85 ≈ 3.9.
- ISS = 1 - (1 - 0.56) × (1 - 0.56) × (1 - 0.56) = 1 - 0.44^3 ≈ 0.915.
- Impact (Scope Unchanged) = 6.42 × 0.915 ≈ 5.9.
- Base = min(5.9 + 3.9, 10) = 9.8.

Summary

CVSS is a critical tool for communicating vulnerability severity in penetration test reports. The PT0-002 exam tests your ability to interpret vector strings, understand metric groups, and apply scores appropriately. Remember: CVSS is a severity score, not a risk score; always consider business context when prioritizing remediation.

Walk-Through

1. Identify Vulnerability Characteristics

Begin by analyzing the vulnerability to determine its intrinsic properties. For example, for a remote code execution in a web application accessible over the internet, you identify: Attack Vector = Network (remote), Attack Complexity = Low (no special conditions), Privileges Required = None (unauthenticated), User Interaction = None (no user action needed), Scope = Unchanged (only affects the web server). Impact metrics: Confidentiality = High (full file read), Integrity = High (full write), Availability = High (crash service). These characteristics form the Base metrics and produce a vector string like AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.

2. Calculate Base Score

Using the Base metrics, compute the Base Score using the CVSS v3.1 formula. First, calculate the Exploitability sub-score: 8.22 × AV × AC × PR × UI. For the example, AV=0.85, AC=0.77, PR=0.85, UI=0.85 → Exploitability ≈ 3.9. Then compute the Impact sub-score (ISS): 1 - (1 - C)×(1 - I)×(1 - A). For C=I=A=High (0.56 each), ISS ≈ 0.915. Since Scope is Unchanged, Impact = 6.42 × ISS ≈ 5.9. Base Score = min(Impact + Exploitability, 10) = min(5.9+3.9,10) = 9.8 (Critical). This score is recorded in the report.

3. Assess Temporal Factors

Evaluate the current state of exploit code and remediation. For instance, if a proof-of-concept exploit exists, set Exploit Code Maturity = Proof-of-Concept (P). If no official patch is available, set Remediation Level = Unavailable (U). If the vulnerability is confirmed by the vendor, set Report Confidence = Confirmed (C). The multipliers are: E=0.95 (P), RL=0.92 (U), RC=1.0 (C). Temporal Score = Base Score × E × RL × RC = 9.8 × 0.95 × 0.92 × 1.0 ≈ 8.6 (High). This score reflects the current exploitability and fix availability.

4. Apply Environmental Context

Customize the score for the client's environment. Suppose the affected server is a critical domain controller. Set Confidentiality Requirement = High (CR=H, multiplier 1.5), Integrity Requirement = High (IR=H, 1.5), Availability Requirement = Medium (AR=M, 1.0). Also modify Base metrics if needed (e.g., Attack Vector unchanged). Recalculate Impact sub-score with requirements: ISS_modified = 1 - (1 - C×CR)×(1 - I×IR)×(1 - A×AR). For C=I=0.56, CR=IR=1.5, A=0.56, AR=1.0 → modified ISS ≈ 0.99. Impact (U) = 6.42 × 0.99 ≈ 6.36. Environmental Score = min(1.08 × (6.36+3.9), 10) ≈ 10.0 (Critical). Note: Environmental Score can exceed Base Score if requirements are high.

5. Document Score in Report

In the penetration test report, present the CVSS information clearly. Include the vector string (e.g., CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C/CR:H/IR:H/AR:M), the Base Score (9.8), Temporal Score (8.6), and Environmental Score (10.0). Provide a rationale for each metric choice, especially for subjective ones like Attack Complexity. Use a severity table (None, Low, Medium, High, Critical) for readability. Recommend remediation priority based on the Environmental Score and business context.

What This Looks Like on the Job

Enterprise Scenario 1: Financial Institution Penetration Test

A penetration tester is assessing a bank's online banking portal. They discover a SQL injection vulnerability in the login page that allows unauthenticated remote code execution on the database server. The CVSS Base Score is 9.8 (Critical) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. However, the database server is isolated in a separate network segment and contains only non-sensitive test data. The bank's security team assigns low Confidentiality and Integrity Requirements (CR=L, IR=L) because the real customer data is on a different server. The Environmental Score drops to 7.5 (High). The report notes that while the vulnerability is critical in the abstract, the business impact is lower due to compensating controls. The remediation timeline is extended to 30 days instead of immediate. This demonstrates how CVSS Environmental metrics align technical severity with business risk.

Enterprise Scenario 2: Healthcare Provider Patch Management

A healthcare organization uses CVSS scores from the National Vulnerability Database (NVD) to prioritize patch deployment. A vulnerability in their electronic health records (EHR) system has a Base Score of 7.5 (High). However, because the EHR contains Protected Health Information (PHI) and is subject to HIPAA, the organization sets CR, IR, and AR to High. The Environmental Score becomes 9.2 (Critical). The patch is deployed within 24 hours. The security team also considers Temporal metrics: if exploit code is available (E=Functional), the Temporal Score is 7.5 × 0.97 = 7.3, still High. But if no exploit exists (E=Unproven), the Temporal Score is 7.5 × 0.91 = 6.8 (Medium). This helps prioritize based on current threat landscape.

Common Misconfigurations

A frequent error is using the Base Score as the final score without adjusting for environment. For example, a vulnerability with Base Score 9.8 on a public-facing web server may be less critical if the server is a honeypot. Conversely, a Base Score 4.0 (Medium) vulnerability in a critical SCADA system may become 8.0 (High) after environmental adjustments. Another mistake is ignoring Scope: a vulnerability that allows a guest user to escape a virtual machine (Scope Changed) has a higher impact formula. In one engagement, a tester found a VM escape vulnerability and initially scored it as 8.8 (High) with Scope Unchanged. After correctly setting Scope Changed, the score became 9.8 (Critical), changing the remediation priority.

How PT0-002 Actually Tests This

PT0-002 Objective 4.1: Report Writing and Communication

The exam tests your ability to interpret and apply CVSS scores in the context of penetration test reports. Specifically:

- Identify the correct CVSS vector string from a description of a vulnerability. For example, given 'remote, unauthenticated, low complexity, no user interaction, high impact on confidentiality and integrity but not availability', you must produce or recognize the vector.
- Understand the difference between Base, Temporal, and Environmental scores. You may be asked which metric group is affected by a change (e.g., 'Exploit code is publicly available' affects Temporal).
- Apply severity categories: 0.0 None, 0.1–3.9 Low, 4.0–6.9 Medium, 7.0–8.9 High, 9.0–10.0 Critical. Know that 9.0–10.0 is Critical, not 10.0 only.
- Recognize that CVSS is a severity score, not a risk score. A question may present a scenario where a Critical vulnerability is on a low-value asset, and ask the best action – the answer is to consider business context, not just patch immediately.

Common Wrong Answers and Traps

1. Confusing CVSS with risk assessment frameworks like FAIR or OCTAVE. CVSS is purely technical severity; risk assessment includes likelihood and business impact. A question might say 'A vulnerability has a CVSS score of 9.8. What should the organization do?' The wrong answer is 'Immediately patch all systems' – the correct answer is 'Prioritize based on asset criticality and risk appetite.'

2. Assuming Temporal and Environmental scores always lower the Base Score. While Temporal multipliers are ≤1.0, Environmental requirements multipliers (CR, IR, AR) can be >1.0 (e.g., 1.5 for High). Thus, the Environmental Score can be higher than the Base Score. Candidates often forget this.

3. Misidentifying Scope Changed vs. Unchanged. If a vulnerability in a web application allows an attacker to access the underlying OS (a different security authority), Scope is Changed. Many candidates incorrectly set Scope to Unchanged, leading to a lower score.

4. Using the wrong version. The exam tests CVSS v3.1. If a question references v2.0 (e.g., Access Vector, Access Complexity), it's a distractor. Know that v3.1 uses Attack Vector, Attack Complexity, etc.

Specific Values to Memorize

Attack Vector multipliers: N=0.85, A=0.62, L=0.55, P=0.2.

Attack Complexity: L=0.77, H=0.44.

Privileges Required: N=0.85, L=0.62 (or 0.68 if Scope Changed), H=0.27 (or 0.5 if Scope Changed).

User Interaction: N=0.85, R=0.62.

Impact values: H=0.56, L=0.22.

Temporal multipliers: E: H=1.0, F=0.97, P=0.95, U=0.91; RL: O=0.95, T=0.96, W=0.97, U=0.92; RC: C=1.0, R=0.96, U=0.92.

Environmental requirements: H=1.5, M=1.0, L=0.5.

Edge Cases

Score of 0.0: If Impact ≤ 0, Base Score is 0 even if Exploitability is high. Example: a vulnerability that causes no impact (C=None, I=None, A=None) scores 0.0 regardless of ease of exploitation.

Scope Changed with low Impact: The formula uses a different impact calculation that can result in a score lower than Unchanged for certain low-impact values, but typically increases for high impact.

Multiple metrics set to Not Defined (X): In Temporal, if all are X, the score equals Base. In Environmental, if all are X, the score equals Temporal (or Base if Temporal also X).

How to Eliminate Wrong Answers

When given a CVSS vector string, parse each metric and compare to the scenario. If the scenario describes 'requires local access', AV should be L, not N. If the scenario says 'exploit code is functional', E should be F, not P. Use the severity categories to check if the score range matches the description. For example, a score of 9.8 is Critical; if the question says 'the vulnerability is medium severity', the vector must produce a score between 4.0 and 6.9.

Key Takeaways

CVSS v3.1 is the current version tested on PT0-002; v2.0 and v4.0 are not on the exam.

Base Score is computed from Exploitability and Impact sub-scores; the formula is not memorized but metric effects are tested.

Severity categories: None (0.0), Low (0.1–3.9), Medium (4.0–6.9), High (7.0–8.9), Critical (9.0–10.0).

Temporal Score ≤ Base Score; Environmental Score can be > Base Score due to requirements multipliers.

Scope Changed increases the Impact score formula and can raise the Base Score significantly.

CVSS is a severity score, not a risk score; always consider business context for remediation.

Common Temporal multipliers: E=Functional (0.97), RL=Official Fix (0.95), RC=Confirmed (1.0).

Common Environmental multipliers: CR/IR/AR High = 1.5, Medium = 1.0, Low = 0.5.

A vector string like 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H' corresponds to a Base Score of 9.8 (Critical).

In penetration test reports, include the vector string, all three scores (Base, Temporal, Environmental), and rationale for metric choices.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

CVSS v3.1 Base Score

Measures intrinsic severity of a vulnerability based on its characteristics

Uses Attack Vector, Attack Complexity, Privileges Required, User Interaction, Scope, and Impact metrics

Constant across all environments for the same vulnerability

Score range 0.0–10.0 (None to Critical)

Used for initial prioritization and in CVE listings

CVSS v3.1 Environmental Score

Tailors the Base Score to a specific organization's environment

Adds Modified Base Metrics and Confidentiality/Integrity/Availability Requirements

Varies by organization based on asset criticality and compensating controls

Score can be higher or lower than Base Score (requirements multipliers up to 1.5)

Used for final remediation prioritization in penetration test reports

Watch Out for These

Mistake

CVSS Base Score is a risk score that directly determines patch priority.

Correct

CVSS Base Score measures intrinsic severity of a vulnerability, not risk. Risk = Severity × Likelihood × Business Impact. Organizations must consider asset criticality, existing controls, and threat landscape. A Critical CVSS vulnerability on a non-critical system may be lower priority than a High CVSS on a crown jewel.

Mistake

The Temporal Score is always lower than the Base Score.

Correct

Temporal multipliers are ≤1.0, so the Temporal Score is ≤ Base Score. However, if all Temporal metrics are set to 'Not Defined' (X), the Temporal Score equals the Base Score. It can never be higher than Base.

Mistake

The Environmental Score is always lower than the Base Score.

Correct

Environmental metrics include Confidentiality, Integrity, and Availability Requirements (CR, IR, AR) which can have multipliers >1.0 (e.g., High = 1.5). If these are set high, the Environmental Score can exceed the Base Score. For example, a Base Score of 7.5 (High) with all requirements set to High can become 9.2 (Critical).

Mistake

CVSS v3.1 uses the same metric names as v2.0.

Correct

CVSS v3.1 renamed several metrics. For example, v2.0's 'Access Vector' became 'Attack Vector'; 'Access Complexity' became 'Attack Complexity'; 'Authentication' became 'Privileges Required'. v3.1 also introduced Scope and changed the scoring formula significantly. The exam tests v3.1 exclusively.

Mistake

A vulnerability with a CVSS score of 0.0 is impossible.

Correct

A Base Score of 0.0 occurs when all Impact metrics are None (C=None, I=None, A=None). For example, a vulnerability that allows an attacker to enumerate usernames without any further impact might score 0.0 if confidentiality impact is considered None (since usernames are public). However, such findings are rare and often debated.


Frequently Asked Questions

What is the difference between CVSS Base Score and Environmental Score?

The Base Score measures the intrinsic severity of a vulnerability based on its fundamental characteristics (attack vector, complexity, privileges, user interaction, scope, and impact on confidentiality, integrity, availability). It is constant for a given vulnerability regardless of the environment. The Environmental Score modifies the Base Score using organization-specific metrics: Modified Base Metrics (e.g., you can change Attack Vector if the vulnerable component is behind a firewall) and Confidentiality, Integrity, and Availability Requirements (how critical these security objectives are to your organization). The Environmental Score can be higher or lower than the Base Score. For the exam, remember that Environmental metrics allow you to tailor severity to your specific context.

How do I read a CVSS v3.1 vector string?

A CVSS v3.1 vector string starts with 'CVSS:3.1/' followed by metric abbreviations and values separated by slashes. For example: 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'. Each metric group is represented: AV (Attack Vector: N=Network, A=Adjacent, L=Local, P=Physical); AC (Attack Complexity: L=Low, H=High); PR (Privileges Required: N=None, L=Low, H=High); UI (User Interaction: N=None, R=Required); S (Scope: U=Unchanged, C=Changed); C (Confidentiality: H=High, L=Low, N=None); I (Integrity: same); A (Availability: same). Temporal and Environmental metrics follow after a slash, e.g., /E:P/RL:U/RC:C/CR:H/IR:H/AR:M. The exam expects you to parse the vector and understand the severity.

Can a CVSS Environmental Score be higher than the Base Score?

Yes. The Environmental Score recalculates the Impact sub-score using Modified Base Metrics and applies Confidentiality, Integrity, and Availability Requirements (CR, IR, AR). These requirements have multipliers: High = 1.5, Medium = 1.0, Low = 0.5. If the organization sets CR, IR, or AR to High, the Impact sub-score increases, potentially raising the Environmental Score above the Base Score. For example, a Base Score of 7.5 (High) with all requirements High can yield an Environmental Score of 9.2 (Critical). This is a common exam trap because candidates assume Environmental always lowers the score.

What is the correct severity category for a CVSS score of 6.8?

A score of 6.8 falls in the Medium severity category (4.0–6.9). The categories are: None (0.0), Low (0.1–3.9), Medium (4.0–6.9), High (7.0–8.9), Critical (9.0–10.0). For the exam, memorize these ranges. Note that 7.0 is High, not Medium; 9.0 is Critical, not High. A common mistake is to think 6.9 is High – it is actually Medium because the upper bound of Medium is 6.9 inclusive.

How does Scope (Unchanged vs. Changed) affect the CVSS score?

Scope indicates whether the vulnerability affects resources beyond the security authority of the vulnerable component. If Scope is Unchanged (U), the impact is confined to the component itself. If Scope is Changed (C), the vulnerability can affect other components (e.g., a hypervisor vulnerability affects guest VMs). The Impact score formula changes: for Scope Unchanged, Impact = 6.42 × ISS; for Scope Changed, Impact = 7.52 × (ISS - 0.029) - 3.25 × (ISS - 0.02)^15. This typically results in a higher Impact score for Changed scope, especially when ISS is high. For example, a vulnerability with all impacts High and Scope Changed can have a Base Score of 9.8 vs. 9.0 for Unchanged. The exam tests this by asking which vector string corresponds to a VM escape (Scope Changed).

What is the difference between CVSS and risk assessment frameworks like FAIR?

CVSS is a vulnerability severity scoring system that produces a numeric score based on technical characteristics. It does not incorporate likelihood of exploitation or business impact beyond the environmental requirements. FAIR (Factor Analysis of Information Risk) is a risk assessment framework that quantifies risk in financial terms by analyzing loss event frequency and loss magnitude. While CVSS provides a severity input to risk assessments, FAIR is a complete risk analysis methodology. On the exam, you should know that CVSS is not a risk score; it is a severity score that feeds into risk management.

Do I need to memorize the CVSS v3.1 formula for the PT0-002 exam?

No, you do not need to memorize the exact mathematical formula. The exam tests your ability to interpret vector strings, understand how changing a metric affects the score direction (e.g., changing AV from Network to Local decreases the score), and apply severity categories. You should know the metric names, values, and their general impact. For example, knowing that Attack Vector Network contributes more to exploitability than Local is sufficient. The official CVSS calculator is available for actual use; the exam expects conceptual understanding.
