Critical

 >= 9

• Exploitation of the vulnerability likely results in root-level compromise of servers or infrastructure devices.

• Exploitation is usually straightforward, in the sense that the attacker does not need any special authentication credentials or knowledge about individual victims, and does not need to persuade a target user, for example via social engineering, into performing any special functions.

For critical vulnerabilities, is advised that you patch or upgrade as soon as possible, unless you have other mitigating measures in place. For example, a mitigating factor could be if your installation is not accessible from the Internet.

4 hours

High

>=7

• The vulnerability is difficult to exploit.

• Exploitation could result in elevated privileges.

• Exploitation could result in a significant data loss or downtime.

8 hours

Medium 

>=4

• Vulnerabilities that require the attacker to manipulate individual victims via social engineering tactics.

• Denial of service vulnerabilities that are difficult to set up.

• Exploits that require an attacker to reside on the same local network as the victim.

• Vulnerabilities where exploitation provides only very limited access.

• Vulnerabilities that require user privileges for successful exploitation. 

24 hours

Low

<4

Vulnerabilities in the low range typically have very little impact on an organisation's business. Exploitation of such vulnerabilities usually requires local or physical system access.

72 hours