"CVSS Vulnerability Scores Can Be Misleading: Security Researchers"

During a new study, security researchers at Flashpoint analyzed 11,860 vulnerabilities in the first six months of 2022.  The researchers stated that vulnerability management systems based on the Common Vulnerability Scoring System (CVSS) v2 scoring system may be misguided, as the researchers found that roughly half of the most critical vulnerabilities may be scored incorrectly.  The researchers stated that looking at the past 10 years, in the same midyear period,  they saw that, on average, 51.5 percent of all known 10.0 scored vulnerabilities were unspecified.  This means organizations could be prioritizing hundreds of issues that may not actually be 10.0, further highlighting that base CVSS scores alone should not drive vulnerability management processes.  The researchers also found that the CVE/NVD services failed to report and detail 27.3% of the analyzed vulnerabilities.  The researchers stated that this lack of detail might mean some vulnerabilities are scored too high as a precaution.  The researchers noted that to make better risk decisions, organizations need comprehensive vulnerability intelligence.  The researchers stated that security teams can maximize resources and reduce their immediate workload by 82 percent by first focusing on actionable, high severity vulnerabilities.

eSecurity Planet reports: "CVSS Vulnerability Scores Can Be Misleading: Security Researchers"