“” is published by Andrey Pautov in InfoSec Write-ups.

InfoSecWriteUps' platform is  dedicated to providing insights and resources for cybersecurity professionals and enthusiasts. Through articles, tutorials, and security research, InfoSecWriteUps offers insights into cybersecurity vulnerabilities, attack techniques, and defense strategies. Readers can learn about penetration testing, threat intelligence, and incident response to enhance their cybersecurity knowledge and skills.

InfoSec Write-ups

CVSS v4.0 is a redesigned vulnerability scoring framework that moves beyond a single static number toward a contextual, lifecycle-based model. Key changes include splitting impact into Vulnerable System and Subsequent System metrics, adding Attack Requirements (AT) alongside Attack Complexity, and replacing the Temporal group with a streamlined Threat metric (Exploit Maturity). The guide explains the CVSS-B → CVSS-BT → CVSS-BTE lifecycle and argues that many teams benefit from applying Environmental metrics before Threat metrics since local context is often available immediately. Practical worked examples show how a 10.0 Critical (Log4Shell, Erlang/OTP SSH) can legitimately drop to Medium when environmental adjustments reflect actual network isolation, compensating controls, and limited blast radius. Integration with CISA KEV, EPSS, ExploitDB, and Metasploit is covered with code samples for automating exploit maturity determination. The guide also covers industry-specific scoring, supplemental metrics for OT/safety contexts, and common CVSS mistakes.

CVSS v4.0: The Practical Field Guide for Vulnerability Management