Exploitability metrics are a fundamental component of the Common Vulnerability Scoring System (CVSS), directly influencing the Base Score, which quantifies the intrinsic severity of a vulnerability. These metrics assess how easily an attacker can exploit a given vulnerability, thereby helping organizations prioritize remediation efforts effectively.
Components of Exploitability Metrics
In CVSS v3.1, the Exploitability sub-score is derived from four Base metrics:

- Attack Vector (AV): Indicates the context by which vulnerability exploitation is possible. The further removed an attacker can be, the higher the weight. The values are:
  - Network (N): Exploitable remotely over a network, from anywhere the vulnerable component is reachable (routable, "remotely exploitable").
  - Adjacent (A): Exploitable only from the same physical or logical network (for example the same Ethernet segment, Wi-Fi cell, or local IP subnet).
  - Local (L): Requires local access to the system, via a local account, a shell, or by getting a user to open a malicious file.
  - Physical (P): Requires physical access to the vulnerable component, such as attaching a device to a port.
- Attack Complexity (AC): Reflects the conditions beyond the attacker's control that must exist for the exploit to be successful. It can be:
  - Low (L): No special conditions; the attack is repeatable and succeeds reliably.
  - High (H): Success depends on conditions the attacker cannot control, such as winning a race condition, gathering target-specific secrets, or obtaining a machine-in-the-middle position.
- Privileges Required (PR): Denotes the level of privileges an attacker must possess before successfully exploiting the vulnerability:
  - None (N): No privileges required; the attack is unauthenticated.
  - Low (L): Requires basic user privileges that normally affect only the user's own settings and data.
  - High (H): Requires administrative privileges with significant control over the vulnerable component.
- User Interaction (UI): Specifies whether exploitation requires the participation of a user other than the attacker:
  - None (N): No user interaction required.
  - Required (R): A user must take some action, such as opening a file or following a link, before the exploit can succeed.
Each metric value is assigned a numerical weight, and the Exploitability sub-score is their product scaled by a constant: 8.22 × AV × AC × PR × UI. The weights of Privileges Required also depend on the Scope (S) metric: when Scope is Changed, a low- or high-privilege attacker is weighted more heavily (0.68 and 0.50 instead of 0.62 and 0.27) because the compromise reaches beyond the vulnerable component's own security authority. The Base Score ranges from 0.0 to 10.0, with higher scores indicating more severe vulnerabilities.
Impact on Overall CVSS Score
The Exploitability sub-score is combined with the Impact sub-score, which assesses the potential consequences of a successful exploit on confidentiality, integrity, and availability. The Base Score formula takes the sum of the two sub-scores (multiplied by 1.08 when Scope is Changed), caps it at 10, and rounds up to one decimal place; a vulnerability with no impact at all scores 0.0 regardless of how easy it is to exploit. Both the ease of exploitation and the potential impact are therefore always reflected in the result.
For example, a vulnerability that is exploitable over the network (AV:N), requires no special conditions (AC:L), no privileges (PR:N), and no user interaction (UI:N) has the maximum Exploitability sub-score of about 3.9. Paired with a high Impact sub-score (C:H/I:H/A:H), this yields a Base Score of 9.8 with Scope Unchanged and 10.0 with Scope Changed.
Practical Implications
Understanding Exploitability metrics allows organizations to assess the risk associated with vulnerabilities more accurately. Vulnerabilities with high Exploitability sub-scores, above all those reachable from the network without authentication or user interaction, require the least effort and access to exploit and are therefore attractive targets, so they should be prioritized for remediation to reduce the organization's exposure. Note that the Base Score captures intrinsic characteristics only: it does not say whether working exploit code exists or whether the flaw is being exploited in the wild. That information comes from the Temporal metric Exploit Code Maturity (E) and from external signals such as CISA's Known Exploited Vulnerabilities catalog or EPSS, and should be combined with the Base Score when ordering remediation work.
In summary, Exploitability metrics are crucial in determining the CVSS Base Score, providing insight into how easily a vulnerability can be exploited. This information is vital for organizations to prioritize their vulnerability management efforts effectively.