CVSS

The Common Vulnerability Scoring System is a standard way to rate how severe a software vulnerability is. It scores the flaw itself using base, temporal, and environmental factors, but it does not tell you how likely the issue is to be exploited in your specific identity environment.

Expanded Definition

CVSS, or the Common Vulnerability Scoring System, is a standardised way to express how severe a software vulnerability is. In NHI and identity-adjacent operations, it is best treated as a starting point for triage, not as a complete risk decision. The score describes the flaw, while the real exposure depends on where the vulnerable component sits, which secrets it can reach, and whether an NHI such as a service account or API key can exploit it.

Definitions vary in operational use because CVSS was designed for severity scoring, not for exploitability in a specific environment. That distinction matters in agentic and service-to-service estates, where NIST Cybersecurity Framework 2.0 emphasises context, governance, and response prioritisation rather than score-only decisions. NHI Management Group recommends treating CVSS as one input among asset criticality, identity privilege, exposure path, and secret reachability. The most common misapplication is using a high CVSS score as an automatic emergency without checking whether the vulnerable system is actually reachable from privileged NHIs in the current environment.

Examples and Use Cases

Implementing CVSS rigorously often introduces a prioritisation tradeoff, requiring organisations to weigh a consistent scoring method against the extra effort of environment-specific validation.

  • A vulnerability in a container image receives a high CVSS base score, but it matters more because a workload identity can use that container to reach production secrets.
  • An internet-facing API library flaw looks severe on paper, yet the real urgency changes once defenders confirm that only non-privileged test identities can access the affected service.
  • A package vulnerability in a CI/CD runner is scored alongside the fact that the runner holds credentials exposed by a vault misconfiguration, making the identity path more important than the raw score.
  • Security teams compare CVSS with exposure data from the Ultimate Guide to NHIs to see whether a flaw intersects with service accounts, API keys, or other NHIs that already have elevated reach.
  • An application vulnerability is triaged differently when its environmental score changes because the affected system is a secret broker used by machine identities across multiple clusters.

When used well, CVSS helps standardise communication between engineering, operations, and governance teams. When used poorly, it can create false urgency for low-exposure issues while hiding high-impact identity paths that are not obvious from the score alone.

Why It Matters in NHI Security

CVSS matters in NHI security because many breaches are not caused by a vulnerability in isolation, but by a vulnerability plus identity exposure, secret sprawl, or excessive privilege. NHI Management Group reports that 97% of NHIs carry excessive privileges and 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, which means a scored flaw can become a direct access path once an NHI reaches it. The same guide also notes that 96% of organisations store secrets outside of secrets managers in vulnerable locations, making environmental context essential for any meaningful response.

That is why the score should be paired with access review, secret inventory, and workload trust analysis, consistent with guidance from the Ultimate Guide to NHIs and NIST Cybersecurity Framework 2.0. In practice, CVSS becomes most useful when teams ask which NHIs can touch the vulnerable asset, which secrets it can expose, and whether remediation must also include rotation or revocation. Organisations typically encounter the limits of CVSS only after an exploit reaches a privileged service account, at which point severity scoring alone is no longer enough to contain the incident.
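The triage logic described above and in the examples list, as an added illustration that is not from NHI Management Group or the Ultimate Guide to NHIs: it takes a published CVSS base score plus constructed identity context (which NHIs can reach the asset, their privilege, which secrets the asset exposes) and derives a priority and remediation actions. The priority policy, the `NHI`/`Finding` types and the privilege labels are assumptions for the example.

```python
from dataclasses import dataclass, field

@dataclass
class NHI:
    name: str
    privilege: str  # "test" or "privileged" (constructed labels for this example)

@dataclass
class Finding:
    asset: str
    cvss_base: float                             # published CVSS base score, 0.0-10.0
    reachers: list = field(default_factory=list)  # NHIs that can reach the vulnerable asset
    secrets: list = field(default_factory=list)   # secrets the asset can expose

def severity_band(score):
    """Map a CVSS v3.x base score to its qualitative band."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low" if score > 0.0 else "none"

def triage(f):
    """Combine the CVSS band with identity reach and secret reachability.
    Returns (priority, actions). The priority rules are an illustrative policy."""
    privileged = [n.name for n in f.reachers if n.privilege == "privileged"]
    band = severity_band(f.cvss_base)
    actions = ["patch:" + f.asset]
    if not f.reachers:
        # No NHI can reach the asset: fix on the normal schedule, whatever the score says
        return "scheduled", actions
    if privileged and f.secrets:
        # Privileged NHI path plus exposed secrets: the identity path outranks the raw score,
        # and remediation must include rotation and a privilege review, not only a patch
        actions += ["rotate:" + s for s in f.secrets]
        actions += ["review-privilege:" + n for n in privileged]
        return "emergency", actions
    if privileged:
        actions += ["review-privilege:" + n for n in privileged]
        return ("urgent" if band in ("critical", "high") else "planned"), actions
    # Only non-privileged (e.g. test) identities can reach it: severe on paper, lower urgency
    return ("planned" if band in ("critical", "high") else "scheduled"), actions
```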

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.

| Framework | Control / Reference | Relevance |
| --- | --- | --- |
| OWASP Non-Human Identity Top 10 | NHI-02 | CVSS must be paired with secret exposure and identity reach in NHI risk decisions. |
| NIST CSF 2.0 | RS.RP-1 | CVSS supports incident response prioritisation, but context determines real operational urgency. |
| NIST AI RMF | Risk governance | Requires contextual assessment, not score-only decision-making. |

Use CVSS as an input, then validate secret paths and NHI privileges before prioritising remediation.