█
LastWrite
  • > Curriculum
  • > Pricing
  • > For Educators
  • > About
  • > Contact
Log InGet Started

Questions, concerns, bug reports, or suggestions? We read every message, write to us at [email protected].

More ways to reach us →
LastWrite

Structured computer science lessons for aspiring developers and security professionals.

[email protected]

(201) 785-7951

Mon–Fri, 9 AM–5 PM EST

Learn

  • Curriculum
  • Pricing

Company

  • About
  • For Educators & Schools
  • Contact Us

Legal

  • Terms of Service
  • Privacy Policy
© 2026 LastWrite. All rights reserved.
Curriculum/Cybersecurity/Vulnerability Management/CVEs, CVSS, and Prioritization
35 minBeginner

CVEs, CVSS, and Prioritization

After this lesson, you will be able to: Read CVE entries, interpret CVSS scores, and prioritize remediation by risk.

Once you know what's vulnerable, the next question is which to fix first. CVEs and CVSS provide a standard vocabulary, but the score is just the start. Real prioritization layers context on top.

Prerequisites:Scanning and Discovery

What a CVE actually is

A CVE (Common Vulnerabilities and Exposures) ID like CVE-2024-12345 is a unique label for a specific vulnerability. MITRE assigns CVE IDs; the NVD adds analysis. When a vendor announces a security flaw, they reference the CVE ID so the whole industry can talk about the same bug.

CVSS, the severity score

Common Vulnerability Scoring System produces a 0.0–10.0 score and a vector string like AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. Each letter encodes one factor: Attack Vector (Network/Local), Attack Complexity, Privileges Required, User Interaction needed, Scope change, and the C/I/A impact. Score buckets: 0–3.9 Low, 4–6.9 Medium, 7–8.9 High, 9–10 Critical.

Metric inputs
attack vector, complexity, impact
→
CVSS formula
→
9.8 Critical
score maps to a severity bucket
CVSS turns a set of qualitative metrics into one 0 to 10 score, then a severity bucket (None / Low / Medium / High / Critical).

💡 Why CVSS alone isn't enough

A CVSS 9.8 on an internal printer with no internet exposure is less risky than a CVSS 6.5 on your customer-facing API. Always layer environmental context on top: is the system internet-facing? Is the data sensitive? Is there a known exploit in the wild?

EPSS and KEV, the prioritization upgrades

EPSS (Exploit Prediction Scoring System) estimates how likely a CVE is to be exploited in the next 30 days, based on real-world signals. CISA's KEV (Known Exploited Vulnerabilities) catalog lists CVEs known to be actively exploited right now. Modern teams use EPSS + KEV alongside CVSS to focus on the small set of vulnerabilities actually being attacked.

Try it

Pick a recent CVE and walk the score breakdown.

  1. 1

    Open the NVD homepage and click any recent critical CVE

  2. 2

    Note the CVSS score and the vector string

  3. 3

    Translate each letter of the vector to plain English (use the calculator at FIRST.org)

  4. 4

    Look up whether it's in the CISA KEV catalog

  5. 5

    Write a one-paragraph 'should we patch this immediately?' decision

Quick Check

Which vulnerability should you patch first?

CVE-A: CVSS 9.8 on an air-gapped lab printer. CVE-B: CVSS 7.2 on your public production API, in CISA KEV.

Sign in and purchase access to unlock this lesson.

Sign in to purchase
←Scanning and Discovery
Back to Vulnerability Management
Patch Management→