After this lesson, you will be able to: Read CVE entries, interpret CVSS scores, and prioritize remediation by risk.
Once you know what's vulnerable, the next question is which to fix first. CVEs and CVSS provide a standard vocabulary, but the score is just the start. Real prioritization layers context on top.
A CVE (Common Vulnerabilities and Exposures) ID like CVE-2024-12345 is a unique label for a specific vulnerability. MITRE assigns CVE IDs; the NVD adds analysis. When a vendor announces a security flaw, they reference the CVE ID so the whole industry can talk about the same bug.
Common Vulnerability Scoring System produces a 0.0–10.0 score and a vector string like AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. Each letter encodes one factor: Attack Vector (Network/Local), Attack Complexity, Privileges Required, User Interaction needed, Scope change, and the C/I/A impact. Score buckets: 0–3.9 Low, 4–6.9 Medium, 7–8.9 High, 9–10 Critical.
EPSS (Exploit Prediction Scoring System) estimates how likely a CVE is to be exploited in the next 30 days, based on real-world signals. CISA's KEV (Known Exploited Vulnerabilities) catalog lists CVEs known to be actively exploited right now. Modern teams use EPSS + KEV alongside CVSS to focus on the small set of vulnerabilities actually being attacked.
Pick a recent CVE and walk the score breakdown.
Open the NVD homepage and click any recent critical CVE
Note the CVSS score and the vector string
Translate each letter of the vector to plain English (use the calculator at FIRST.org)
Look up whether it's in the CISA KEV catalog
Write a one-paragraph 'should we patch this immediately?' decision
CVE-A: CVSS 9.8 on an air-gapped lab printer. CVE-B: CVSS 7.2 on your public production API, in CISA KEV.
Sign in and purchase access to unlock this lesson.