Microsoft Defender Vulnerability Management is now supporting CVSS v4 as the preferred scoring standard for newly published Common Vulnerabilities and Exposures (CVEs). This update aligns Defender Vulnerability Management with the latest vulnerability scoring standards, providing more precise industry-aligned assessments tailored to real world risk evaluation.
Why transition to CVSS v4?
The Common Vulnerability Scoring System (CVSS) is the global standard for assessing vulnerability severity. As leading institutions like the National Vulnerability Database (NVD) transition to CVSS v4, Microsoft is embracing this enhanced scoring model to ensure better alignment and more actionable insights.
CVSS v4 addresses the limitations of its predecessor, CVSS v3, introducing features that provide a more granular and accurate assessment of vulnerabilities. For an in-depth overview, refer to the CVSS v4.0 Specification.
Benefits of CVSS v4 for organizations using Defender Vulnerability Management
CVSS v4 offers significant improvements over CVSS v3, including:
- Enhanced Exploitability Assessment
o Introduction of the Attack Requirements (AR) metric, distinguishing vulnerabilities that require specific conditions (e.g., configurations) versus those that don’t.
o More nuanced User Interaction (UI) values:
- Passive (P): Normal user actions.
- Active (A): Unusual actions or those subverting security protocols.
- None (N): No conditions
- Refined Impact Metrics
o Replacement of the Scope metric with separate impact metrics for:
- Vulnerable Systems: Confidentiality, Integrity, and Availability impacts.
- Subsequent Systems: Granular downstream effects.
These changes allow for a more detailed and precise analysis of vulnerability impact and exploitability.
Important Considerations
While CVSS v4 improves scoring precision, it is critical to account for additional contextual insights available in the Defender Vulnerability Management portal, such as:
- EPSS (Exploit Prediction Scoring System) scores: Predicting the likelihood of exploitation in the near future.
- Threat Intelligence: Insights into known exploits and active attacks in the wild, leveraging Microsoft vast proprietary knowledge.
- Exposure Metrics: Includes the number of critical devices affected and whether vulnerabilities are Internet-facing.
| Best Practice: Use CVSS v4 scores alongside EPSS and Threat Intelligence data to prioritize vulnerabilities effectively and manage your exposure risk. See more info in the additional resources below.
What to Expect?
No action is required on your part. Once the transition is complete:
- Existing CVEs with available CVSS v4 scores, likely affecting your environment) will automatically use the updated scoring standard.
- This will likely cause a one-time adjustment to your organization’s Exposure Score, reflected as a single event in the Exposure Score Trend and the Event Timeline.
We apologize for any inconvenience caused and appreciate your understanding as we enhance our scoring capabilities.You can view the CVSS version and vector string in the CVE side panel. The large majority of CVEs added in the future will display CVSS v4 scores by default.
Additional resources:
- Recommended read: Enhancing vulnerability prioritization with asset context and EPSS.
- CVSS v4 Specification Document
- https://www.first.org/cvss/v4-0/user-guide
Published Mar 20, 2025
Version 1.0
Yuval_Fisher
Microsoft
Microsoft