About CVSS version

Y.Narita347153 — Thu, 11 Sep 2025 01:11:25 GMT

Hello PaloAlto Networks Team,

What version of CVSS is listed in Palo Alto Networks Security Advisories?

Please tell me which version it is, such as CVSS v3 or v4.

Regards,

Re: About CVSS version

kiwi — Thu, 11 Sep 2025 09:52:11 GMT

Hi @Y.Narita347153 ,

Palo Alto Networks has adopted CVSS v4.0 as its primary scoring system for new security advisories.

While older advisories still list scores using CVSS v3.1, all new advisories now feature the updated CVSS v4.0 metrics and a vector string, in addition to other context-specific ratings like Urgency, Response Effort, and Recovery.

Source: https://www.paloaltonetworks.com/product-security-assurance

"We use CVSS version 4.0 (CVSS-B, and CVSS-BT scores) to score vulnerabilities and consider several factors such as active exploitation, customer exposure, and public disclosure timelines while prioritizing response actions for issues. The Base Score (CVSS-B) reflects the severity of a vulnerability according to its intrinsic characteristics which are constant over time. The Threat Metrics (CVSS-BT) adjust the severity of a vulnerability based on factors, such as the availability of proof-of-concept code or active exploitation."

Hope this helps,

-Kim.

topic About CVSS version in General Topics

About CVSS version

Re: About CVSS version