
FIRST Launched CVSS 4.0, Revolutionizing Cybersecurity Assessment and Risk Management

The Forum of Incident Response and Security Teams (FIRST) has unveiled version 4.0 of the Common Vulnerability Scoring System (CVSS). Arriving four years after CVSS v3.1, this release is a noteworthy advancement in the standard used to rate the severity of cybersecurity vulnerabilities.

Before Understanding CVSS 4.0, Let’s Delve Into CVSS 

Before we get into CVSS 4.0, it is crucial to grasp the roots of the Common Vulnerability Scoring System. This framework had its beginnings back in 2005 when the National Infrastructure Advisory Council (NIAC) first introduced it. 

It plays a crucial role by providing essential information about vulnerabilities for security teams. Nowadays, the Forum of Incident Response and Security Teams (FIRST), a non-profit organization with over 500 global member organizations, manages CVSS as an open platform. 

CVSS essentially acts as a tool, offering a standardized way to measure the severity of computer system problems. It takes into account factors like the likelihood of exploitation, potential impact, and complexity. These considerations come together to form a score, aiding organizations in deciding which issues to prioritize and how to address them effectively. 

Criticism of CVSS 3.0 That Led to CVSS 4.0

Version 3.0 of the Common Vulnerability Scoring System (CVSS), and the CVSS standard overall, have been widely regarded as effective at gauging the "impact" of vulnerabilities.

However, a notable shortcoming has been identified in their ability to score the "exploitability" of a vulnerability accurately. Exploitability, the likelihood of a vulnerability actually being exploited, depends on factors such as required user interaction, the proficiency and capabilities of potential threat actors, and the configuration of the system in question.

In response, FIRST designed CVSS v4.0 to make scoring simpler, more flexible, and more accurate. The aim is to fix the shortcomings of the earlier version by representing real-world risk more faithfully, which helps organizations decide which vulnerabilities to fix first and allocate their remediation resources more effectively.

 CVSS 4.0 - What's New? 

 1. Attack Vector: 

• Considers how close an attacker needs to be to exploit a vulnerability. 
• Determines if the attack can happen over the internet, in the same network, or requires physical access.
• Network-based vulnerabilities are seen as more severe.

 2. Attack Complexity: 

• Describes the conditions beyond the attacker's control needed to exploit a vulnerability. 
• Addresses factors that enhance security or complicate exploit development. 
• Considers whether specific information about the target is necessary for exploitation. 

3. Privileges Required: 

• Outlines the level of access rights an attacker needs before exploiting a vulnerability. 
• Does not focus on how the attacker gains these permissions. 
• Considers the extent of permissions needed for a successful exploit. 

4. User Interaction: 

• Gauges if successful exploitation requires human interaction. 
• Examples include phishing emails needing user clicks or network-based exploits without user involvement. 
• Directly impacts the CVSS score, with non-user interactive vulnerabilities generally considered more severe. 

5. Scope:

• Captures if a vulnerability in one component affects resources beyond its security scope. 
• Removed as a base metric in CVSS version 4.0. 

6. Impact Metrics (Confidentiality, Integrity, Availability): 

• Measures consequences if a vulnerability is exploited successfully. 
• Introduced new "Subsequent System" impact metrics to capture effects on systems beyond the vulnerable one. 

7. Exploit Code Maturity: 

• Evaluates the likelihood that the vulnerability will be exploited in practice.
• Considers existing exploit strategies, accessibility of exploit code, and real-time exploitation reports. 
• Categories include "Attacked," "PoC" (Proof-of-Concept), and "Unreported." 

Additionally, the optional Supplemental Metrics in CVSS 4.0 provide essential insights beyond standard vulnerability assessment. Safety evaluates human safety risks, Automatable gauges exploit automation potential, Recovery assesses system resilience, Value Density explores resource control, Vulnerability Response Effort aids in response planning, and Provider Urgency standardizes severity assessments from suppliers. Together, these metrics enhance the depth and context of vulnerability analysis for more informed decision-making.
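To make the metric groups above concrete, here is an added example (not code from the original post or from FIRST) that parses and validates a CVSS v4.0 vector string and reports which groups it uses. The metric abbreviations and allowed values are transcribed from the FIRST CVSS v4.0 specification as this example's author recalls it; the post itself names only some of them, and the Attack Requirements (AT) metric is not mentioned in the post at all. Numeric scoring, which in v4.0 depends on a large MacroVector lookup table, is intentionally left out. The sample vectors are constructed, not taken from any real advisory.

```python
"""Parse and validate a CVSS v4.0 vector string (added example, not FIRST's code).
Metric names and values follow the FIRST CVSS v4.0 specification as recalled
by the example's author; numeric scoring is intentionally not implemented."""
from __future__ import annotations

from dataclasses import dataclass, field

PREFIX = "CVSS:4.0"

# Base metric group: every v4.0 vector must carry all eleven.
BASE: dict[str, tuple[str, ...]] = {
    "AV": tuple("NALP"),   # Attack Vector: Network, Adjacent, Local, Physical
    "AC": tuple("LH"),     # Attack Complexity: Low, High
    "AT": tuple("NP"),     # Attack Requirements: None, Present
    "PR": tuple("NLH"),    # Privileges Required: None, Low, High
    "UI": tuple("NPA"),    # User Interaction: None, Passive, Active
    "VC": tuple("HLN"), "VI": tuple("HLN"), "VA": tuple("HLN"),  # Vulnerable System C/I/A
    "SC": tuple("HLN"), "SI": tuple("HLN"), "SA": tuple("HLN"),  # Subsequent System C/I/A
}
# Threat metric group (optional); X means Not Defined everywhere below.
THREAT: dict[str, tuple[str, ...]] = {"E": tuple("XAPU")}  # Exploit Maturity: Attacked, POC, Unreported
# Environmental metric group (optional): requirements plus modified base metrics.
ENVIRONMENTAL: dict[str, tuple[str, ...]] = {
    "CR": tuple("XHML"), "IR": tuple("XHML"), "AR": tuple("XHML"),
    "MAV": tuple("XNALP"), "MAC": tuple("XLH"), "MAT": tuple("XNP"),
    "MPR": tuple("XNLH"), "MUI": tuple("XNPA"),
    "MVC": tuple("XHLN"), "MVI": tuple("XHLN"), "MVA": tuple("XHLN"),
    "MSC": tuple("XHLN"), "MSI": tuple("XSHLN"), "MSA": tuple("XSHLN"),  # S here = Safety
}
# Supplemental metric group (optional): adds context, never changes the score.
SUPPLEMENTAL: dict[str, tuple[str, ...]] = {
    "S": tuple("XNP"),                             # Safety: Negligible, Present
    "AU": tuple("XNY"),                            # Automatable: No, Yes
    "R": tuple("XAUI"),                            # Recovery: Automatic, User, Irrecoverable
    "V": tuple("XDC"),                             # Value Density: Diffuse, Concentrated
    "RE": tuple("XLMH"),                           # Vulnerability Response Effort
    "U": ("X", "Clear", "Green", "Amber", "Red"),  # Provider Urgency
}
ALL_METRICS = {**BASE, **THREAT, **ENVIRONMENTAL, **SUPPLEMENTAL}


@dataclass
class Cvss4Vector:
    metrics: dict[str, str]
    errors: list[str] = field(default_factory=list)

    @property
    def valid(self) -> bool:
        return not self.errors

    @property
    def nomenclature(self) -> str:
        """CVSS-B, CVSS-BT, CVSS-BE or CVSS-BTE. A group counts as used when at
        least one of its metrics is set to something other than X (Not Defined)."""
        def used(group: dict[str, tuple[str, ...]]) -> bool:
            return any(self.metrics.get(m, "X") != "X" for m in group)
        return "CVSS-B" + ("T" if used(THREAT) else "") + ("E" if used(ENVIRONMENTAL) else "")


def parse_cvss4(vector: str) -> Cvss4Vector:
    """Split a vector string into metrics, collecting every problem rather than
    stopping at the first one, so a reviewer sees the whole picture."""
    errors: list[str] = []
    metrics: dict[str, str] = {}
    parts = vector.strip().split("/")
    if parts[0] != PREFIX:
        errors.append(f"vector must start with {PREFIX!r}, got {parts[0]!r}")
    for item in parts[1:]:
        name, sep, value = item.partition(":")
        if not sep:
            errors.append(f"malformed component {item!r}")
        elif name not in ALL_METRICS:
            errors.append(f"unknown metric {name!r}")
        elif value not in ALL_METRICS[name]:
            # A v3.x-style Scope (S:U / S:C) lands here: in 4.0, S is Safety.
            errors.append(f"invalid value {value!r} for metric {name}")
        elif name in metrics:
            errors.append(f"metric {name} given more than once")
        else:
            metrics[name] = value
    for name in BASE:
        if name not in metrics:
            errors.append(f"missing mandatory base metric {name}")
    return Cvss4Vector(metrics, errors)


def affects_subsequent_system(v: Cvss4Vector) -> bool:
    """True when any Subsequent System impact metric is above None."""
    return any(v.metrics.get(m, "N") != "N" for m in ("SC", "SI", "SA"))


def supplemental_set(v: Cvss4Vector) -> dict[str, str]:
    """Supplemental metrics that were actually given a value."""
    return {m: v.metrics[m] for m in SUPPLEMENTAL if v.metrics.get(m, "X") != "X"}


if __name__ == "__main__":
    # Constructed sample vectors, not taken from any real advisory.
    for vec in (
        "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
        "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:A/AU:Y/U:Red",
        "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/S:C/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
    ):
        v = parse_cvss4(vec)
        print(vec, "->", v.nomenclature if v.valid else v.errors)
```

The third sample vector shows the Scope change from the list above in practice: a v3.x-style `S:C` is rejected because in v4.0 the `S` abbreviation belongs to the Safety supplemental metric, whose only values are X, N and P. Whether a vulnerability reaches beyond the vulnerable component is now expressed through the Subsequent System metrics (SC/SI/SA), which `affects_subsequent_system` inspects.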