
CVSS Scores and Exploitability in Mend SCA

CVSS Score Prioritization

  1. MITRE

  2. NVD

  3. Mend.io

MITRE and NVD

The two main sources for CVSS scores are MITRE and the NVD, with MITRE taking precedence.

In other words, if Mend.io uses an NVD-issued CVSS score for a vulnerability and MITRE later issues a different CVSS score for the same vulnerability, the NVD score is discarded and the MITRE score is propagated to all Mend.io products.

Mend.io and NVD

Assuming MITRE has not issued a CVSS score:
If the CVE is marked "Reserved" in the NVD, the vulnerability ID has been created and associated, but its details are not yet shown publicly in the NVD. In this case, the CVSS score is based on Mend.io's own score, defined by the metrics of Mend.io's security team.
Once the NVD officially publishes its score, the CVSS score/severity shown in the various Mend.io products is replaced with the one from the NVD site.

Supported Risk Score Types

Mend.io supports the following types of Risk Scores:

  • CVSS 4.0,

  • CVSS 3.x (3.1, 3.0),

  • CVSS 2.0.

Although Mend.io processes scores from multiple sources, only the most reliable score of each type is considered during the alert calculation process.

Exploitability

Exploitability information is attached to the highest priority result. This means that in case MITRE reports a specific CVSS score with no exploitability, and Mend.io knows that an exploit exists, this information is appended to the CVSS score.

Mend.io’s exploitability detection algorithm works on the principle of the strongest match. Data from various proprietary sources (e.g., CISA) are compared, and the final result is the highest value of all those found. The exploitability value is then added to the CVSS score.

Supported Exploitability Values

For CVSS 4.0:

  • Attacked (A)

  • Proof-Of-Concept (P)

  • Not Defined (X)

For CVSS 3.X:

  • High (H)

  • Functional (F)

  • Proof-Of-Concept (P)

  • Not Defined (X)

Unreported and Unproven are not supported values, because Mend.io cannot definitively state that exploit code does not exist.

The final result is chosen on a strongest-match basis.

Example: Source 1 shows exploitability as Proof-Of-Concept, while Source 2 shows exploitability as Attacked. The final score is Attacked, since it’s the strongest match.
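The source precedence (MITRE, then NVD, then Mend.io) and the strongest-match rule for exploitability above, carried through in code. This is an added example, not Mend.io's own code: the source names, the `ScoreReport` structure and the letter orderings are assumptions taken from the text of this page, and Unreported/Unproven are deliberately rejected as unsupported.

```python
"""Added example (not Mend.io's code): CVSS score source precedence and
strongest-match exploitability merging, as described on this page."""
from dataclasses import dataclass

# Source precedence: lower number wins. Mend.io's own score is used only
# until MITRE or the NVD publishes one (assumed names, per the page).
SOURCE_PRIORITY = {"MITRE": 0, "NVD": 1, "Mend.io": 2}

# Exploit maturity values, strongest first. Unreported (4.0) and Unproven (3.x)
# are absent on purpose: the page states they are not supported values.
EXPLOIT_ORDER = {
    "4.0": ["A", "P", "X"],        # Attacked, Proof-Of-Concept, Not Defined
    "3.x": ["H", "F", "P", "X"],   # High, Functional, Proof-Of-Concept, Not Defined
}


@dataclass
class ScoreReport:
    """One CVSS score as reported by a single source (hypothetical structure)."""
    source: str            # "MITRE", "NVD" or "Mend.io"
    cvss_version: str      # "4.0" or "3.x"
    base_score: float
    exploitability: str = "X"   # letter value from EXPLOIT_ORDER


def is_supported(version, value):
    """True if the exploitability letter is a supported value for this CVSS version."""
    return value in EXPLOIT_ORDER[version]


def select_score(reports):
    """Pick the report from the highest-priority source (MITRE > NVD > Mend.io)."""
    if not reports:
        raise ValueError("no score reports for this CVSS version")
    return min(reports, key=lambda r: SOURCE_PRIORITY[r.source])


def strongest_exploitability(version, values):
    """Strongest-match rule: the highest-ranked value seen across all sources."""
    order = EXPLOIT_ORDER[version]
    unknown = set(values) - set(order)
    if unknown:
        raise ValueError(f"unsupported exploitability for CVSS {version}: {sorted(unknown)}")
    # Lowest index in the ordering is the strongest; an empty input is Not Defined.
    return min(values, key=order.index, default="X")


def merge(version, reports, feed_values=()):
    """Final result for one CVSS version: score from the top-priority source,
    plus the strongest exploitability across every report and any values from
    exploit-intelligence feeds (e.g. a KEV-style list; constructed here)."""
    same_version = [r for r in reports if r.cvss_version == version]
    chosen = select_score(same_version)
    values = [r.exploitability for r in same_version] + list(feed_values)
    return {
        "source": chosen.source,
        "base_score": chosen.base_score,
        "exploitability": strongest_exploitability(version, values),
    }


# Constructed sample: three sources report the same CVE for CVSS 3.x.
SAMPLE_REPORTS = [
    ScoreReport("NVD", "3.x", 9.8, "X"),
    ScoreReport("Mend.io", "3.x", 9.1, "P"),
    ScoreReport("MITRE", "3.x", 9.4, "X"),
]

if __name__ == "__main__":
    # MITRE's score wins; exploitability comes from the strongest value seen ("F").
    print(merge("3.x", SAMPLE_REPORTS, feed_values=["F"]))
    # The page's own example: Proof-Of-Concept vs. Attacked under CVSS 4.0 -> Attacked.
    print(strongest_exploitability("4.0", ["P", "A"]))
```

The merge is done per CVSS version, matching the page's note that only the most reliable score of each type is considered; the exploitability value attached to that score may still come from a lower-priority source or a feed, which is exactly the "appended to the CVSS score" behaviour described above.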

EPSS versus Exploitability

How should I prioritize EPSS scores?

Unlike CVSS, EPSS does not report severity. EPSS provides the probability that a vulnerability will be exploited, together with a percentile: the share of all scored vulnerabilities with an equal or lower EPSS score.

Mend.io recommends prioritizing first the vulnerabilities whose scores fall more than two standard deviations above the mean ("High Outliers"). Scores that fall between one and two standard deviations above the mean are classified as "Moderately High".

Example: CVE-2024-3094 has an EPSS 0.95359, percentile: 0.993560000, which means it falls into the “High Outliers” interval. 

Q&A

What To Do When EPSS is High, but CVSS Provides No Exploitability Information

A high EPSS score suggests that there are significant chances that the vulnerability will be exploited. However, it does not guarantee exploitation. It simply means that, based on the data and models used to generate the score, there is a higher probability that attackers might target this vulnerability.

The EPSS score should not be confused with exploitability metrics, such as those found in the Common Vulnerability Scoring System (CVSS).

A vulnerability with a high CVSS score but a low EPSS score might be very dangerous if exploited, but the likelihood of it being exploited is low. Conversely, a vulnerability with a high EPSS score but a moderate CVSS score might be more likely to be targeted by attackers, even if the impact is not as severe. 

Should EPSS/Exploitability Information Affect my Remediation Strategy?

In the remediation strategy, it is recommended to prioritize vulnerabilities based on both their exploitability and their potential impact on the codebase. Mend.io recommends an integrated approach that combines addressing:

  1. Exploited and Reachable Vulnerabilities – these pose an immediate threat and need urgent remediation to prevent further exploitation and mitigate damage. Vulnerabilities that can be accessed and potentially exploited through existing code paths require special attention. 

  2. Exploited Vulnerabilities.

  3. Reachable Vulnerabilities.

  4. High EPSS Scores – even if these vulnerabilities have not been exploited yet, the high probability suggests they could be targeted soon. Proactively addressing these vulnerabilities can prevent potential attacks.
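The EPSS banding from the "EPSS versus Exploitability" section and the four-tier remediation order just listed, worked through together. This is an added example and not Mend.io's code: the EPSS feed values, the CVE identifiers (`CVE-EXAMPLE-*`), the `Finding` structure and the use of the population standard deviation are all constructed assumptions, and the fifth "everything else" tier is an assumption the page does not state. In practice the mean and standard deviation must be computed over the full published EPSS data set, not a short sample like this one.

```python
"""Added example (not Mend.io's code): EPSS outlier banding and the
remediation ordering described on this page."""
from dataclasses import dataclass
from statistics import mean, pstdev

# Constructed stand-in for an EPSS feed (ten scores). Real banding must use
# the mean and standard deviation of the complete EPSS data set.
EPSS_FEED = [0.001, 0.002, 0.004, 0.005, 0.010, 0.020, 0.050, 0.100, 0.300, 0.950]


def epss_thresholds(scores):
    """Return (moderately_high_floor, high_outlier_floor): mean + 1 sd and mean + 2 sd.
    Population standard deviation is used here; that choice is an assumption."""
    m, sd = mean(scores), pstdev(scores)
    return m + sd, m + 2 * sd


def epss_band(score, scores):
    """Band a single EPSS score using the page's two-band scheme."""
    moderately_high, high_outlier = epss_thresholds(scores)
    if score > high_outlier:
        return "High Outliers"
    if score > moderately_high:
        return "Moderately High"
    return "Baseline"      # label for everything else is an assumption


def epss_percentile(score, scores):
    """Share of scored vulnerabilities with an equal or lower EPSS score."""
    return sum(s <= score for s in scores) / len(scores)


@dataclass
class Finding:
    """One vulnerability as seen by an SCA scan (hypothetical structure)."""
    cve: str
    epss: float
    exploited: bool    # known exploitation, e.g. from an exploitability feed
    reachable: bool    # reachable through existing code paths


def remediation_tier(finding, scores):
    """Tiers 1-4 follow the page's recommended order; tier 5 is everything else."""
    if finding.exploited and finding.reachable:
        return 1
    if finding.exploited:
        return 2
    if finding.reachable:
        return 3
    if epss_band(finding.epss, scores) == "High Outliers":
        return 4
    return 5


def prioritize(findings, scores):
    """Order findings by tier, then by descending EPSS within a tier."""
    return sorted(findings, key=lambda f: (remediation_tier(f, scores), -f.epss))


# Constructed sample findings with placeholder identifiers.
SAMPLE_FINDINGS = [
    Finding("CVE-EXAMPLE-A", 0.02, exploited=True, reachable=True),
    Finding("CVE-EXAMPLE-B", 0.95, exploited=False, reachable=False),
    Finding("CVE-EXAMPLE-C", 0.01, exploited=False, reachable=True),
    Finding("CVE-EXAMPLE-D", 0.30, exploited=True, reachable=False),
    Finding("CVE-EXAMPLE-E", 0.10, exploited=False, reachable=False),
]

if __name__ == "__main__":
    print("thresholds:", epss_thresholds(EPSS_FEED))
    # The page's example score, 0.95359, lands in the High Outliers band here too.
    print("0.95359 ->", epss_band(0.95359, EPSS_FEED))
    for f in prioritize(SAMPLE_FINDINGS, EPSS_FEED):
        print(remediation_tier(f, EPSS_FEED), f.cve, epss_band(f.epss, EPSS_FEED))
```

Within a tier the sort falls back to EPSS, so two exploited-and-reachable findings are still ordered by likelihood of exploitation; that tie-break is a design choice of this example, not something the page prescribes.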
