Assessing CVSS Vulnerability Scoring Limitations

This article analyzes the limitations of the CVSS vulnerability scoring system, especially regarding chained vulnerabilities and real-world applications.

In November 2024, during Operation Lunar Peek, attackers gained unauthorized access to over 13,000 devices through two critical vulnerabilities identified as CVE-2024-0012 and CVE-2024-9474. This incident highlights shortcomings in the Common Vulnerability Scoring System (CVSS), which assessed these vulnerabilities separately, failing to account for the compounded risk when they are chained.

The first vulnerability, CVE-2024-0012, allowed unauthenticated remote admin access, while the second, CVE-2024-9474, enabled privilege escalation. While the CVSS scored these vulnerabilities at 9.3 and 6.9, respectively, the scoring system’s approach treated them as isolated events, neglecting their potential for combined exploitation.

Pattern detected: CVSS scoring misses critical vulnerability interactions.

Chained Vulnerabilities and CVSS

The independent evaluation of vulnerabilities by CVSS led to significant operational oversights. The low score for CVE-2024-9474 caused it to fall below most patch thresholds, despite being instrumental in the attack chain. Adam Meyers, SVP at CrowdStrike, noted that security teams often deprioritize lower-scoring vulnerabilities, further complicating remediation efforts.

Moreover, both vulnerabilities were listed in the CISA Known Exploited Vulnerabilities catalog, yet their combined effect went unrecognized. The CVSS system’s inherent design focuses on single vulnerability assessment, lacking the capability to evaluate real-world attack scenarios where vulnerabilities are exploited in conjunction.

Real-World Implications of CVSS Limitations

The incident is not unique. CVSS has repeatedly failed to identify vulnerabilities that, when chained, lead to severe security breaches. As reported, a significant number of disclosed vulnerabilities are now exploited as zero-days, exposing organizations to rapid attacks.

In 2025, the number of disclosed CVEs reached over 48,000, reflecting a 20.6% increase year-over-year. The volume of vulnerabilities is expected to rise, further straining the effectiveness of CVSS as organizations face an increasing breadth of potential exploits.

Addressing CVSS Shortcomings

Alternative models such as the Exploit Prediction Scoring System (EPSS) and the Software Security Verification Standard (SSVC) are being developed to address the flaws inherent in CVSS. These models aim to incorporate more contextual information about the likelihood of exploitation and the potential impact on organizations.

Organizations are advised to adopt a multi-faceted approach to vulnerability management that includes considering real-world implications and using multiple scoring systems to assess risk accurately.

Signal confirmed: dependency on CVSS alone risks significant vulnerabilities.

Conclusion

The limitations of the CVSS vulnerability scoring system are evident in the recent exploitations of chained vulnerabilities. To enhance cybersecurity measures, organizations need a more comprehensive understanding of how vulnerabilities can interact, moving beyond singular scoring metrics. Continuous monitoring of vulnerability management systems is essential to mitigate risks effectively.

Observation recorded.