CVSS Version 4.0: What's New

Blog post from Sysdig

Post Details
Company: Sysdig
Author: Joseph Yostos
Word Count: 1,804
Language: English
Summary

CVSS Version 4.0 introduces significant changes to enhance the accuracy and granularity of vulnerability scoring, with a focus on integrating environmental and threat metrics for a more comprehensive risk assessment. The new version adds Base Metrics and Values, replaces the Scope metric with Impact Metrics that evaluate effects on both the vulnerable system and subsequent systems, and introduces a Supplemental Metric Group that offers additional context for remediation prioritization. The Attack Requirements metric further refines scoring by accounting for specific conditions needed for attack execution, as illustrated by the "Dirty COW" vulnerability example. Moreover, the revised Threat Metric Group, formerly known as Temporal Score, simplifies assessment with a single focus on Exploit Maturity, while environmental metrics allow for customization based on unique operational contexts. This update aims to align vulnerability management more closely with organizational risk management processes, encouraging vendors to adopt these metrics into their solutions for tailored risk assessments.
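The metric groups described above can be seen directly in a v4.0 vector string. The following is an added example, not code from the Sysdig post: it validates a vector against the metric names and values of the CVSS v4.0 specification and sorts them into the Base, Threat, Environmental and Supplemental groups. The sample vector is constructed for illustration (it is not an official scoring of any CVE), the function names are hypothetical, and the code neither enforces metric ordering nor computes a score.

```python
# Added example: split a CVSS v4.0 vector string into its four metric groups.
# Metric names and allowed values follow the CVSS v4.0 specification.
def _m(**metrics):
    return {name: tuple(values) for name, values in metrics.items()}

GROUPS = {
    "Base": _m(AV="NALP", AC="LH", AT="NP", PR="NLH", UI="NPA",
               VC="HLN", VI="HLN", VA="HLN", SC="HLN", SI="HLN", SA="HLN"),
    "Threat": _m(E="XAPU"),
    "Environmental": _m(CR="XHML", IR="XHML", AR="XHML", MAV="XNALP", MAC="XLH",
                        MAT="XNP", MPR="XNLH", MUI="XNPA", MVC="XHLN", MVI="XHLN",
                        MVA="XHLN", MSC="XHLN", MSI="XSHLN", MSA="XSHLN"),
    "Supplemental": _m(S="XNP", AU="XNY", R="XAUI", V="XDC", RE="XLMH",
                       U=("X", "Clear", "Green", "Amber", "Red")),
}

def parse_cvss4(vector):
    """Return {group: {metric: value}}; raise ValueError on a malformed vector."""
    prefix, *pairs = vector.split("/")
    if prefix != "CVSS:4.0":
        raise ValueError(f"not a CVSS v4.0 vector: {prefix!r}")
    grouped = {group: {} for group in GROUPS}
    for pair in pairs:
        metric, sep, value = pair.partition(":")
        group = next((g for g, ms in GROUPS.items() if metric in ms), None)
        if not sep or group is None:
            raise ValueError(f"unknown metric: {pair!r}")
        if value not in GROUPS[group][metric]:
            raise ValueError(f"invalid value for {metric}: {value!r}")
        if metric in grouped[group]:
            raise ValueError(f"duplicate metric: {metric}")
        grouped[group][metric] = value
    missing = [m for m in GROUPS["Base"] if m not in grouped["Base"]]
    if missing:  # all eleven Base metrics are mandatory
        raise ValueError(f"missing Base metrics: {missing}")
    return grouped

def nomenclature(grouped):
    """CVSS-B / CVSS-BT / CVSS-BE / CVSS-BTE, by which optional groups are set."""
    used = lambda g: any(v != "X" for v in grouped[g].values())
    return "CVSS-B" + ("T" if used("Threat") else "") + ("E" if used("Environmental") else "")

# Constructed sample: local attack with an Attack Requirements precondition (AT:P).
SAMPLE = "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/CR:H/U:Red"

if __name__ == "__main__":
    parsed = parse_cvss4(SAMPLE)
    for group, metrics in parsed.items():
        print(f"{group:14} {metrics}")
    print(nomenclature(parsed))
```

Supplemental metrics are parsed and reported but do not affect the nomenclature, since they provide context only and do not change the score.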