CompTIA Security+ Exam Notes

Let Us Help You Pass

Friday, January 30, 2026

CVSS v4.0 Explained: What’s New, Why It Matters, and How It’s Used

CVSS v4.0 Explained in Detail

What is CVSS v4.0?

CVSS v4.0 (released November 1, 2023) is the latest version of the Common Vulnerability Scoring System, an open standard used globally to communicate the severity of software, hardware, and firmware vulnerabilities.

It provides a numerical severity score from 0.0 to 10.0 and a corresponding vector string (for example, a string starting with CVSS:4.0/) that records the metric values the score was derived from, so that anyone can reproduce and audit the score rather than trusting a bare number.

CVSS v4.0 introduces changes to improve granularity, accuracy, flexibility, and real‑world relevance in vulnerability scoring.

CVSS v4.0 Metric Groups

CVSS v4.0 consists of four metric groups:

Base, Threat, Environmental, and Supplemental.

A score is named after the groups it includes: CVSS-B (Base only), CVSS-BT (Base + Threat), CVSS-BE (Base + Environmental), and CVSS-BTE (all three). Supplemental metrics never change the score. A number reported without this label is ambiguous, because a vendor's CVSS-B and an organization's CVSS-BTE for the same bug can differ substantially.

1. Base Metrics

These are the intrinsic characteristics of a vulnerability: attributes that do not change across environments or over time.

They are supplied by the vendor or analyst who publishes the vulnerability and form the foundation of every CVSS score.

Key updates in CVSS v4.0 Base metrics include:

  • Attack Vector (AV), Attack Complexity (AC), and Privileges Required (PR) carry over from v3.1, but AC is narrowed to the attacker-side work needed to evade built-in mitigations (for example ASLR or DEP).
  • Attack Requirements (AT): a new metric describing prerequisite conditions of the vulnerable system that enable exploitation but are outside the attacker's control, such as a race condition that must be won or a non-default configuration.
  • User Interaction (UI) was expanded from None/Required to None, Passive, and Active, providing finer-grained control.
  • Impact metrics revamped:

    • Vulnerable System impacts (VC, VI, VA)
    • Subsequent System impacts (SC, SI, SA)
    • These replace the single Scope metric from CVSS v3.1: confidentiality, integrity, and availability impact are now rated separately for the vulnerable system and for any other system it can affect.

2. Threat Metrics

These describe real‑world exploitation conditions that change over time: whether exploit code exists and whether the vulnerability is being attacked.

They replace the Temporal metrics of CVSS v3.1, and the group is smaller: only Exploit Maturity (E) remains, while Remediation Level and Report Confidence were dropped.

Exploit Maturity takes one of the following values:

  • Attacked (A): exploitation in the wild has been reported, or exploit tooling is widely available
  • Proof‑of‑Concept (P): public proof‑of‑concept code exists, but no active attacks are known
  • Unreported (U): no public exploit code and no reported attacks
  • Not Defined (X): no reliable threat intelligence; scored as Attacked, the worst case

The practical consequence: a Base-only score already assumes the worst case for exploit maturity, so supplying threat intelligence (E:P or E:U) can only lower a score, never raise it.

3. Environmental Metrics

These represent the characteristics of the environment in which a vulnerable system is deployed.

They let organizations tailor a vendor's Base score to their own infrastructure. 

The group has two parts:

  • Confidentiality, Integrity, and Availability Requirements (CR, IR, AR): how much the organization values each security property of the affected asset, i.e. its system value and business impact
  • Modified Base metrics (MAV, MAC, MAT, MPR, MUI, MVC, MVI, MVA, MSC, MSI, MSA): overrides of the vendor's Base values that reflect controls in place and compensating security mechanisms, for example MAV:A when a network-reachable service is exposed only to an adjacent segment, or MPR:H when a compensating control requires administrative access first

MSI and MSA accept an additional value, Safety (S), for subsequent-system impacts that could cause physical harm.

4. Supplemental Metrics (New)

A brand‑new group providing additional context without modifying the numeric score.

The six metrics are Safety (S), Automatable (AU), Recovery (R), Value Density (V), Vulnerability Response Effort (RE), and Provider Urgency (U). [first.org]

Because they never change the score, they can be added to any vector without disturbing existing prioritization logic, but a consumer has to read them explicitly to benefit.

These metrics are useful for:

  • medical device cybersecurity (e.g., FDA recognition) 
  • industrial systems, where Safety: Present flags physical consequences
  • compliance reporting
  • fine‑grained prioritization, for instance treating Automatable: Yes as a signal of mass-exploitable bugs

Qualitative Severity Ratings (v4.0)

The rating scale is defined in the CVSS v4.0 specification and is the one NVD displays:

  • None: 0.0
  • Low: 0.1–3.9
  • Medium: 4.0–6.9
  • High: 7.0–8.9
  • Critical: 9.0–10.0

The scale applies to whichever score is being reported (CVSS-B, CVSS-BT, CVSS-BE, or CVSS-BTE), so a rating is only meaningful alongside the vector string it came from.

Key Improvements Over CVSS v3.1

1. Better Definition of User Interaction

Passive vs. Active user interaction distinguishes:

  • Passive (P) → the user performs only limited, involuntary interaction, such as viewing a page or opening a received message, without bypassing any protection
  • Active (A) → the user must perform specific, conscious actions, such as accepting a security warning or importing an attacker-supplied file

2. Attack Requirements (AT) Metric

Separates the prerequisite conditions of the vulnerable system (AT: a race condition that must be won, a non-default configuration) from the effort an attacker must spend to evade built-in mitigations (AC: for example defeating ASLR or DEP), making scoring more precise and more consistent between analysts.

3. Removal/Replacement of Scope

CVSS v3.1's Scope (Unchanged/Changed) was often misunderstood and applied inconsistently.

CVSS v4.0 instead rates impact separately for the "Vulnerable System" (VC, VI, VA) and "Subsequent Systems" (SC, SI, SA), so an impact that crosses a security boundary is stated directly rather than through a single flag.

4. New Supplemental Metrics

These allow non‑score‑affecting context: Safety, Automatable, Recovery, Value Density, Vulnerability Response Effort, and Provider Urgency.

5. Better Alignment with Real‑World Exploitation

The single Exploit Maturity metric in the new Threat group tracks real‑world activity more cleanly than the three Temporal metrics of v3.1, and maps directly onto the kind of data threat intelligence feeds actually provide.

Why CVSS v4.0 Matters

More Accurate Severity Assessments

More precise metrics → fewer inflated or misleading scores.

Improved Prioritization

Organizations can incorporate environment- and threat‑specific data to improve remediation decisions.

Better Reporting and Compliance

Used by NVD, FIRST, cybersecurity vendors, and regulators such as the FDA.

Enhanced Granularity for Critical Infrastructure

New Supplemental metrics help sectors like healthcare, ICS/OT, and cloud services add context without modifying the core score.

How CVSS v4.0 Is Used Today

NVD (National Vulnerability Database) displays CVSS v4.0 Base scores (CVSS-B) for CVEs that carry them, alongside v3.1 scores.

(As of 2024–2025, Threat and Environmental metrics must be user‑calculated. This is by design: they depend on the consumer's own threat intelligence and deployment, so a public database can only ever publish CVSS-B.)

Cybersecurity vendors (Qualys, Checkmarx, etc.) are adopting v4.

FDA Recognized Standard for medical device cybersecurity.

Summary

CVSS v4.0 is the most refined and flexible version of the Common Vulnerability Scoring System to date. Its four metric groups, Base, Threat, Environmental, and Supplemental, offer more nuanced scoring, real‑world relevance, and improved context compared to previous versions.

Key improvements include:

  • New Attack Requirements metric
  • Improved User Interaction classification
  • Replacement of Scope with clearer system impact metrics
  • Introduction of Supplemental Metrics
  • Better alignment with threat intelligence

CVSS v4.0 provides organizations with more accurate, adaptable, and actionable vulnerability severity assessments.
