CVSS 4.0 vs CVSS 3.1: Differences, Migration, Audit Impact

A Short History: Why CVSS 4.0 Exists

CVSS 3.0 (2015) restructured the 2.0 metric set around explicit Exploitability and Impact subscores and introduced the Scope concept to model vulnerabilities that affect components beyond their immediate container. CVSS 3.1 (2019) was a clarification release: the same metrics, the same math, refined wording and worked examples to reduce inter-rater variance. Most enterprise programmes have been running 3.1 for seven years.

CVSS 4.0 was developed by the FIRST Special Interest Group across roughly four years of public review and published in November 2023. The headline goals: produce more granular Base scores by separating the attacker-controlled difficulty of an exploit from environmental conditions outside the attacker control, replace the single Scope flag with an explicit Vulnerable System and Subsequent System impact pair to remove the ambiguity that made S:C reasoning hard to score consistently, retire the Temporal group in favour of a leaner Threat group, and add a Supplemental metrics group for advisory signals (safety, automatable, recovery) that programmes wanted but the closed-form scoring formula could not absorb without distorting the underlying severity. The result is a richer vector that is harder to misuse but requires more discipline to score and more lookup-table machinery to compute. For the underlying CVSS mechanics that 4.0 builds on, see the CVSS 3.1 vector strings, base score, and severity rating scale guide; this page focuses on what changed.

The Four Metric Groups in CVSS 4.0

CVSS 3.1 had three metric groups: Base, Temporal, and Environmental. CVSS 4.0 has four: Base, Threat, Environmental, and Supplemental. The names matter because CVSS 4.0 also introduces an explicit nomenclature for which combination of groups a given score includes.

The CVSS 4.0 Naming: B, BT, BE, BTE

CVSS 4.0 formalises four named score combinations. The names are not cosmetic; they encode which metric groups the score includes, which is the single most commonly miscommunicated property of a CVSS score in practice.

Why this matters: CVSS 3.1 conflated all four under a single CVSS Base / Temporal / Environmental phrase. Consumers who read a vendor advisory routinely treated the published Base as a CVSS-BE or CVSS-BTE because the language did not distinguish them. CVSS 4.0 makes the distinction explicit so the published advisory, the threat-aware advisory, and the asset-specific severity can be different scores with different names on the same finding.

Base Group: What Changed Metric by Metric

Eight of the eleven CVSS 4.0 Base metrics retained their CVSS 3.1 names (AV, AC, PR, UI, plus the four impact metrics now split across two systems). Three are new or restructured.

Threat Group: Why It Replaced Temporal

CVSS 3.1 Temporal had three metrics: Exploit Code Maturity (E), Remediation Level (RL), and Report Confidence (RC). The intent was to let the score reflect what was currently known about exploitation, remediation availability, and disclosure confidence. In practice, RL and RC were rarely used and rarely updated; programmes that ran scoring at scale ignored them, and the closed-form formula gave both metrics small enough weights that the operating impact was negligible. CVSS 4.0 retired RL and RC entirely and kept Exploit Maturity, renamed the group from Temporal to Threat, and gave E a more meaningful weight in the macrovector lookup.

Exploit Maturity (E) values in CVSS 4.0: Attacked (A), Proof-of-Concept (P), Unreported (U), and Not Defined (X). The renaming from Functional / High / Proof-of-Concept / Unproven aligns with the way EPSS and CISA KEV describe exploitation evidence, which makes the Threat metric easier to populate from existing telemetry. Programmes that ingest EPSS and KEV alongside CVSS can map: a KEV-listed CVE is CVSS-E:A; a CVE with public PoC and no observed exploitation is CVSS-E:P; a CVE with no public exploit evidence is CVSS-E:U.

For the surrounding likelihood layer that the Threat group sits next to, see the EPSS score explained guide and the CISA KEV catalog guide. CVSS 4.0 Exploit Maturity is the in-vector mirror of the same evidence those external feeds publish.

Environmental Group: Same Idea, More Inputs

The Environmental group works the same way it did in CVSS 3.1: the consuming organisation re-weights the score for asset-specific Confidentiality, Integrity, and Availability requirements (CR, IR, AR) and can modify the Base metrics for environmental conditions. The difference in 4.0 is the input set. CVSS 3.1 allowed modified versions of eight Base metrics; CVSS 4.0 allows modified versions of all eleven Base metrics, including the new Subsequent System impact triplet (MSC, MSI, MSA) and the new Attack Requirements (MAT). A programme operating under CVSS 4.0 can therefore re-weight Subsequent System damage for assets where containment is or is not effective, which was not expressible in 3.1.

The CR, IR, AR mechanic is unchanged: each asks whether the asset has Low, Medium, High, or Not Defined requirements for the corresponding impact dimension, and the modified score amplifies or dampens the Base impact accordingly. Most programmes that already use CR/IR/AR in 3.1 can copy the asset-tier mapping straight into 4.0.

Supplemental Group: Advisory Metrics That Do Not Affect the Score

The Supplemental group is the most distinctive new feature in CVSS 4.0. Six metrics travel with the vector but do not affect the numeric score. They exist because programmes wanted to capture risk-relevant attributes the closed-form formula could not absorb without distorting the technical severity.

Programmes use Supplemental metrics to flag wormable findings (AU:Yes), safety-critical findings (S:Present), or hard-to-fix findings (RE:High) for elevated SLA without distorting the technical severity. The metrics do not influence CVSS-B, CVSS-BT, CVSS-BE, or CVSS-BTE; they are recorded alongside as advisory data.

The Math: From Closed Form to Macrovector Lookup

CVSS 3.1 computes the Base score with a closed-form formula. The Exploitability subscore is a function of AV, AC, PR, UI; the Impact subscore is a function of C, I, A and Scope; the Base score is a roundup of their combination. Anyone implementing a calculator can copy the equations from the spec.

CVSS 4.0 abandons the closed-form formula. The vector is reduced to a six-dimensional macrovector through a published mapping (effectively a categorical hash of the eleven Base metrics into a tractable space), and the macrovector resolves to a base score through a lookup table the FIRST SIG published as part of the spec. Threat and Environmental scores follow the same macrovector mechanism with adjusted inputs. The change is invisible to scoring users (calculators run the lookup automatically) but matters for anyone implementing scoring: there is no closed-form CVSS 4.0 base score equation. The reference implementation lives in the official FIRST CVSS 4.0 calculator and a small number of open-source ports.

Why the change: the closed-form formula had structural irregularities at metric boundaries (small changes in input could produce disproportionate score shifts) that the SIG considered impossible to tune without breaking other parts of the score. A lookup table lets the SIG calibrate any specific metric combination directly. The trade-off is that the math is harder to inspect, harder to argue with, and harder to reproduce from the spec without the lookup table at hand.

Severity Rating Bands: Same Numbers, Different Population

CVSS 4.0 kept the CVSS 3.1 severity rating bands identical: None (0.0), Low (0.1 to 3.9), Medium (4.0 to 6.9), High (7.0 to 8.9), Critical (9.0 to 10.0). What changes is the population that lands in each band because the metric definitions and the scoring math are different.

The operationally relevant point: a vulnerability that scored 7.5 (High) in 3.1 may score 6.8 (Medium) or 8.1 (High) in 4.0 because the new metrics influence the lookup. Historical comparability across the two versions is therefore not direct, which is why programmes that record both vectors during a transition track them as parallel evidence rather than substituting one for the other.

Worked Example: SQL Injection on an Internet-Facing API

Consider an authenticated SQL injection on a public-internet API endpoint that, when exploited, lets the attacker read and modify the underlying database for the API service but does not give shell access on the host. The exploit is a single HTTP request once the attacker has any authenticated session.

Adoption Status as of 2026

Three years after release, CVSS 4.0 is alongside CVSS 3.1 in most ecosystems but has not displaced it. The pragmatic posture for most enterprise programmes is dual-tracking, with CVSS 3.1 as the operating anchor and CVSS 4.0 recorded when the source publishes one.

Migrating an Enterprise Programme: A Defensible Plan

A programme operating under CVSS 3.1 today can move to dual-tracking, then incrementally toward CVSS 4.0 primary, without breaking the audit trail. The discipline is to treat the migration as a recordkeeping change, not a scoring re-run.

1. Phase 1, dual-track ingest. Add CVSS 4.0 vector storage to the finding record alongside CVSS 3.1. When a CNA, NVD, or scanner emits both, store both. When a source emits only one, store what is available. Do not back-score historical findings; the cost of re-scoring the historical record exceeds the operational value.
2. Phase 2, audit-evidence parity. Update the audit-evidence pack to record CVSS-B (Base) as the published score from each source, plus CVSS-BE for asset-specific re-weighting where the programme already runs CR/IR/AR. Most programmes that record CR/IR/AR in 3.1 can copy the asset-tier mapping into 4.0 without change.
3. Phase 3, SLA mapping continuity. Keep the SLA bands tied to severity labels (Critical, High, Medium, Low) rather than to a specific CVSS version. Because the band boundaries are identical between 3.1 and 4.0, the SLA policy does not need to change. The programme continues to run a Critical SLA on score 9.0 or above regardless of which version produced the score.
4. Phase 4, exception and disposition discipline. When a finding has both a 3.1 score and a 4.0 score, record both on the disposition. If the band differs between the versions, the exception register notes which version drives the SLA decision and why. Most programmes run a higher-band-wins rule as the safe default; some programmes anchor to the version the source publishes.
5. Phase 5, supplemental metric capture. Once dual-tracking is stable, add CVSS 4.0 Supplemental metric capture for findings where Safety, Automatable, or Response Effort meaningfully changes the response. Wormable findings (AU:Yes) and safety-relevant findings (S:Present) are the highest-value Supplemental signals; the others can wait until the operational picture demands them.

CVSS 4.0 in the Wider Prioritisation Stack

CVSS 4.0 is one signal among several in a modern vulnerability prioritisation framework. EPSS speaks to likelihood, KEV speaks to observed exploitation, CWE speaks to weakness class, and reachability analysis speaks to whether the affected code path is actually exercised. CVSS 4.0 changes none of those layers; it only refines the technical severity layer they sit alongside.

For the multi-signal prioritisation framework that combines CVSS, EPSS, KEV, and asset context, see the vulnerability prioritisation framework guide. For the action-call layer that sits above the score (Track, Track-star, Attend, Act), see the SSVC stakeholder-specific vulnerability categorization guide. For the noise-reduction layer that runs before any prioritisation function consumes inputs, see the reachability analysis guide. CVSS 4.0 is the technical-severity refinement; the other layers continue to do the same work they did under 3.1.

Audit-Evidence and Compliance Implications

Audit frameworks do not specify a CVSS version. ISO 27001 Annex A 8.8 (technical vulnerability management), SOC 2 Trust Services Criteria CC7.1 (system monitoring), PCI DSS Requirement 6.3 (vulnerability identification and ranking), NIST 800-53 RA-5 (vulnerability monitoring) and SI-2 (flaw remediation) all require a defensible technical-severity score with a documented SLA mapping; they do not say which version that score must use. Auditors read the consistency of the programme rather than the version.

The defensible audit-evidence posture during the dual-tracking transition has three components. First, document which version is the programme primary score and why (most programmes anchor to 3.1 in 2026 because of historical comparability). Second, record both scores on findings where both are available, so the audit trail shows the version reasoning rather than implying a silent swap. Third, keep the SLA mapping tied to the severity label rather than the version, so the policy continues to mean what it says when the primary version eventually changes.

For the audit-evidence cadence and durability discipline this sits inside, see the audit evidence half-life research and the audit evidence retention workflow. Both treat the score itself as a small part of the evidence record; the durability, the timestamped-state-change trail, and the framework mapping carry most of the audit weight.

How SecPortal Records CVSS 3.1 and CVSS 4.0

SecPortal exposes a standalone CVSS calculator that supports both CVSS 3.1 and CVSS 4.0 Base score calculation. The calculator runs the full CVSS 4.0 macrovector lookup over the eleven Base metrics (AV, AC, AT, PR, UI, VC, VI, VA, SC, SI, SA), produces the CVSS-B score and severity label, generates the 4.0 vector string, and supports a shareable URL for handing the score off to a remediation owner. The 3.1 calculator on the same page produces the equivalent for the 3.1 metric set.

Inside the engagement record, the findings management workflow stores the CVSS vector and base score on each finding for downstream reporting and audit-evidence purposes. The in-product finding-side calculator and the 300+ finding template library currently default to CVSS 3.1 vectors; CVSS 3.0 and 3.1 vector strings are parsed on import (so scanner output and vendor advisories using either form are accepted without conversion). For programmes dual-tracking during the CVSS 4.0 transition, the operating pattern is to compute the CVSS 4.0 Base score on the standalone calculator, copy the resulting 4.0 vector and score into the finding evidence section as supplementary data, and continue to record the CVSS 3.1 vector as the calculator-backed primary score on the finding for SLA continuity.

Scanner imports preserve the original CVSS vector emitted by the source tool. When scanners that emit CVSS 4.0 vectors land in the import surface, the imported vector text is preserved on the finding record alongside the 3.1 vector when both are available. The activity log captures CVSS-related state changes (vector edits, severity recalibration, evidence updates) with timestamps and the acting user, which is the audit-evidence trail an external auditor reads when reconciling the SLA decision against the recorded score. The compliance tracking surface maps findings to ISO 27001, SOC 2, Cyber Essentials, PCI DSS, and NIST framework references with CSV export for evidence packs.

What the platform does not do: SecPortal does not autoconvert between 3.1 and 4.0 vectors (no defensible mapping exists that would let a 3.1 vector mechanically produce a 4.0 score because the metric definitions differ), does not subscribe to CVSS-version-specific feeds, and does not replace the policy-side decision about which version is the programme primary score. Those decisions remain with the security organisation; the platform records the version reasoning and the resulting SLA decision in the finding lifecycle.

Where the Programme Sits in the Wider Security Org

CVSS scoring is one input into a wider internal security organisation. The version decision sits next to the daily operational discipline of the vulnerability management team, the engineering-side AppSec function, the GRC owner cadence, and the leadership reporting cadence the CISO produces.

For the find-track-fix-verify operator function, see SecPortal for vulnerability management teams. For the AppSec function that triages scanner output for engineering ownership, SecPortal for AppSec teams covers the upstream. For the CISO sponsoring the programme, the SecPortal for CISOs page covers how scoring decisions roll up into leadership reporting. For the GRC owner translating scoring discipline into evidence, SecPortal for GRC and compliance teams covers the audit-side discipline. For the per-finding triage operator running the queue every shift, SecPortal for SOC analysts covers the scoring calibration practice at finding granularity.

Buyers comparing dedicated risk-based vulnerability management platforms (which build proprietary exploit-likelihood scoring on top of CVSS, EPSS, and KEV signals) to a single workspace that records CVSS 3.1, CVSS 4.0, EPSS, KEV, and engagement context together can read the SecPortal vs Kenna Security comparison for the side-by-side, and the risk-based vulnerability management buyer guide for the broader category framing.

Record CVSS 3.1 and CVSS 4.0 on a Single Engagement Record

The CVSS 4.0 transition is mostly a recordkeeping problem in disguise. Both vector forms are public, both map to the same severity bands, and both feed the same SLA policy if the policy is anchored to the severity label. What stops most programmes from getting clean dual-track evidence is that the per-finding CVSS vectors, the lifecycle audit trail, the exception register, the framework mapping, and the leadership read all sit on different records, so producing the evidence pack means reconciling four or five sources at audit time. SecPortal is built around a single engagement record: findings management with the in-product CVSS 3.1 calculator plus the standalone CVSS 3.1 and 4.0 calculator at /tools/cvss-calculator for ad-hoc dual-track scoring, the activity log for the timestamped chain of state changes, compliance tracking with framework mapping and CSV export, and AI-powered report generation when leadership wants the executive summary. None of these features pull CVSS 4.0 automatically; the version choice is yours. What the platform does is keep the score, the lifecycle, the evidence, and the framework mapping on the same record so the audit conversation collapses into a query rather than a multi-team scramble.

Frequently Asked Questions

Sources and Further Reading

1. FIRST, CVSS v4.0 Specification Document, November 2023. first.org/cvss/v4-0/specification-document
2. FIRST, CVSS v4.0 User Guide. first.org/cvss/v4-0/user-guide
3. FIRST, CVSS v4.0 Examples. first.org/cvss/v4-0/examples
4. FIRST, CVSS v3.1 Specification Document. first.org/cvss/v3-1/specification-document
5. NIST National Vulnerability Database, CVSS scoring policy. nvd.nist.gov/vuln-metrics/cvss
6. CISA, Authorised Data Publisher (ADP) programme. cisa.gov/cve-program
7. FIRST, EPSS model and data feed. first.org/epss
8. CISA, Known Exploited Vulnerabilities Catalog. cisa.gov/known-exploited-vulnerabilities-catalog
9. CMU SEI, Stakeholder-Specific Vulnerability Categorization (SSVC). cisa.gov/stakeholder-specific-vulnerability-categorization-ssvc
10. ISO/IEC 27001 Annex A 8.8, Management of technical vulnerabilities.
11. PCI DSS v4.0 Requirement 6.3, Identify security vulnerabilities. pcisecuritystandards.org
12. NIST SP 800-53 Rev 5 RA-5 Vulnerability Monitoring and Scanning, SI-2 Flaw Remediation.
13. SOC 2 Trust Services Criteria CC7.1.
14. SecPortal CVSS calculator. /tools/cvss-calculator
15. SecPortal CVSS 3.1 vector string fields explainer. /blog/cvss-scoring-explained
16. SecPortal vulnerability prioritisation framework. /blog/vulnerability-prioritisation-framework