Criticality (Severity Rating)
The following are Severity Rating values.
Extremely Critical
This value is typically used for remotely and easily exploitable vulnerabilities that are otherwise designated “highly critical” but also have been exploited in the wild before their publication (zero-day). These vulnerabilities typically exist in services like FTP, HTTP and SMTP or specific client systems such as email programs or browsers. Operating systems can also be prone to them—e.g., when font handling is performed on operating system level.
Highly Critical
| • | This value is generally used for remotely and easily exploitable vulnerabilities that can lead to system compromise. |
| • | Successful exploitation doesn’t usually require any interaction, but there are no known exploits available at the time of disclosure. |
| • | These vulnerabilities typically exist in services like FTP, HTTP and SMTP or specific client systems such as email programs or browsers. Operating systems can also be prone to them—e.g., when font handling is performed on operating system level. |
Moderately Critical
This value is usually used for remotely and easily exploitable denial-of-service vulnerabilities against services like FTP, HTTP and SMTP. Additionally, easily exploitable vulnerabilities that could lead to information disclosure or affect the integrity of a product can result in this criticality level.
This rating is also used for vulnerabilities allowing system compromise on LANs in services like SMB, RPC, NFS, LPD and similar services that are not intended for use over the Internet.
Less Critical
This value is typically used for cross-site scripting and local privilege escalation vulnerabilities.
This rating is also used for vulnerabilities allowing exposure of sensitive data to local users.
Not Critical
This value is typically used for very limited privilege escalation vulnerabilities and locally exploitable Denial of Service vulnerabilities.
This rating is also used for non-sensitive system information disclosure vulnerabilities (for example, remote disclosure of installation path of applications).