Definition

CVSS (Common Vulnerability Scoring System)

A standardized 0–10 severity scale for vulnerabilities. ORDR combines CVSS scores with KEV status, EPSS probability, and asset context to provide meaningful, actionable prioritization.

What is CVSS (Common Vulnerability Scoring System)?


The Common Vulnerability Scoring System (CVSS) provides a standardized 0–10 numerical score representing the severity of a vulnerability. Scores are calculated from a set of metrics covering attack vector (local vs. network), attack complexity, required privileges, user interaction, confidentiality impact, integrity impact, and availability impact. A score of 9.0+ is "Critical"; 7.0–8.9 is "High"; 4.0–6.9 is "Medium"; below 4.0 is "Low."

CVSS has become the industry standard for communicating vulnerability severity, and it provides useful signal about the theoretical worst-case impact of a vulnerability. Its limitation is that it measures theoretical severity in isolation from context. A CVSS 9.8 vulnerability on an air-gapped device with no network access is less urgent than a CVSS 6.5 vulnerability that is actively exploited and present on a public-facing server. CVSS doesn't know — and doesn't pretend to know — about your specific environment.

Risk-based prioritization that supplements CVSS with KEV status (is it actively exploited?), EPSS probability (how likely is exploitation in the next 30 days?), asset criticality (how important is the affected device?), and network exposure (can attackers reach the device?) dramatically improves prioritization accuracy. Organizations that patch strictly by CVSS score are systematically over-investing in theoretical risks while potentially underinvesting in likely ones.

Key Facts

  • CVSS v3.1 is the current standard; CVSS v4.0 was released in 2023 with expanded metrics
  • Research shows that prioritizing by CVSS alone results in remediating 65%+ of the backlog before reaching the most exploited vulnerabilities
  • EPSS + KEV filtering can reduce remediation workload by 87% while covering 87% of actually-exploited CVEs
  • CVSS scores do not change based on exploitation activity — a score is static even if the vulnerability is being actively weaponized

How ORDR Addresses CVSS (Common Vulnerability Scoring System)

ORDR uses CVSS as one input in a multi-factor risk score that also incorporates KEV status, EPSS probability, asset criticality, network exposure, and device classification. This composite score surfaces the vulnerabilities that combine high theoretical severity with high real-world exploitability in devices that an attacker can actually reach.
