Back to Feed

Navigating Vulnerability Prioritization: Balancing CVSS, Real-World Impact, and the Puzzle of 'Reachable Medium' vs. 'Critical Unreachable'

Backslash Team


November 15, 2023

In the intricate realm of vulnerability assessment, the Common Vulnerability Scoring System (CVSS) strives to strike a balance between theory and practical application. With the emergence of CVSS 4, an attempt was made to bridge the gap between theoretical scoring and real-world scenarios. However, its seamless integration into practical use faces challenges, particularly when platforms like the National Vulnerability Database (NVD) predominantly provide the 'Base Score.' 

As Chris Hughes emphasizes in his CSO article ”Base metrics alone aren't sufficient for vulnerability prioritization." Recognizing the need for additional factors such as environmental or business context, actual exploitation, and exploitability of a vulnerability becomes imperative.

CVSS Balancing Act: Contextual Elements vs. Theoretical Foundation

CVSS encountered significant criticism for its perceived detachment from real-world scenarios and complexity. CVSS incorporates contextual elements alongside a theoretical 'Base Score,' attempting to capture the unique environment of vulnerabilities. However, the core score often remains detached from the actual operational landscapes where these vulnerabilities reside.

While CVSS4 has introduced crucial enhancements, bolstering its effectiveness, it remains essential to consider factors like business context and the practical aspects of vulnerability exploitation and exploitability. 

Deciphering the Puzzle: 'Reachable Medium' vs. 'Critical Unreachable'

The conundrum lies in scenarios where a 'Reachable Medium' vulnerability, with a lower CVSS score, poses in fact a greater risk than a "critical unreachable" vulnerability, despite its supposedly higher severity.

'Reachable Medium' Vulnerability

This denotes a vulnerability that is more accessible and easier to exploit, despite its lower CVSS score.

'Critical Unreachable' Vulnerability

Conversely, a 'Critical' score does not necessarily imply immediate risk if the vulnerability is practically difficult or impossible to exploit.

Implementing CVSS 4 in Reality

Although CVSS 4 aims for a more enhanced contextual perspective, translating this into practical implementation poses significant challenges. When organizations are required to input their specific contextual information, it adds a substantial workload to achieve accurate vulnerability prioritization scores and determine appropriate actions.

Seeking a Unified Approach

The gap between theoretical scoring and the practical assessment of risk underscores the necessity for a more comprehensive approach in managing vulnerabilities.

For fortified vulnerability management, a solution is required that provides not only theoretical scores but also practical insights, integrating context more effectively. This shift allows for a better comprehension of vulnerability risks within distinct operational environments, preventing misinformed decisions in security strategies. Without such evolution, organizations risk remaining susceptible to the disconnect between theoretical scores and the actual threat posed by vulnerabilities.

The Backslash Angle

At Backslash we bridge the gap between theoretical scores and real-world risks.  By integrating many signals including those from infrastructure, package reachability, VEX, and more, Backslash enables organizations to navigate risk by remarkably minimizing vulnerabilities while finding the ones that truly matter. 

See it in action!