Russian Vulnerability Scanner Database

Navigation

Help & DocumentationPlatform OverviewHow to Use the PlatformVulnerability Scoring SystemsFrequently Asked QuestionsRelease History

The Vulnerability Catalog uses professional risk assessment systems employed in the commercial Scanner-VS 7 by JSC “ Echelon Technologies”. Understanding these systems is critical for effective threat analysis and making informed protection decisions.

CVSS — Common Vulnerability Scoring System

CVSS is an international standard for quantitative assessment of information security vulnerability severity, adopted in both Russian and foreign threat analysis systems.

CVSS Assessment Principles

Basic Concept: CVSS evaluates the maximum possible impact of a vulnerability under the most unfavorable exploitation scenario, providing a numerical score from 0.0 to 10.0.

Mathematical Model: The final score is calculated based on eight core metrics covering:

  • Attack Complexity
  • Privileges Required
  • User Interaction
  • Impact on confidentiality, integrity, and availability

Classification by Criticality Levels

Criticality Range Description Response Timeframes
🔴 Critical 9.0 - 10.0 Vulnerabilities with catastrophic system impact 24 hours
🟠 High 7.0 - 8.9 Serious vulnerabilities requiring immediate attention 7 days
🟡 Medium 4.0 - 6.9 Significant vulnerabilities for scheduled remediation 30 days
🟢 Low 0.1 - 3.9 Vulnerabilities with limited impact 90 days
None 0.0 Informational messages without security impact As needed

CVSS Standard Evolution

CVSS v2.0 (Legacy)

Historical Context:

  • First widely adopted standardization system
  • Basic impact and exploitability metrics
  • Used for compatibility with legacy systems

Main Components:

  • Access Vector (local/remote access)
  • Access Complexity (exploitation simplicity)
  • Authentication (authentication requirements)
  • Impact metrics (CIA - Confidentiality, Integrity, Availability)

CVSS v3.1 (Current Standard)

Improvements over v2.0:

  • More precise attack complexity gradation
  • Modern attack vector consideration
  • Separation of privileges and user interaction
  • Improved final score calculation algorithms

Key v3.1 Metrics:

  • Attack Vector — network/adjacent/local/physical
  • Attack Complexity — low/high complexity
  • Privileges Required — none/low/high
  • User Interaction — not required/required
  • Scope — unchanged/changed
  • Impact — CIA impact (0-High)

CVSS v4.0 (Latest Version)

Revolutionary Changes:

  • Expanded attack vector detail
  • New metrics for IoT and cloud environments
  • Improved accuracy for modern threats
  • Supply Chain attack support

v4.0 Innovations:

  • Attack Requirements — attack condition requirements
  • Vulnerable System Impact — impact on vulnerable system
  • Subsequent System Impact — impact on connected systems
  • Safety Impact — physical security influence

Practical CVSS Application

CVSS Vector Interpretation

Critical Vulnerability Example:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Score: 10.0 (Critical)

Breakdown:

  • AV:N — network attack (Network)
  • AC:L — low complexity (Low)
  • PR:N — no privileges required (None)
  • UI:N — no user interaction needed (None)
  • S:C — scope change (Changed)
  • C:H/I:H/A:H — high impact on all CIA aspects

Medium-Level Vulnerability Example:

CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N
Score: 3.8 (Low)

Breakdown:

  • AV:L — local attack (Local)
  • AC:H — high complexity (High)
  • PR:H — high privileges (High)
  • UI:R — interaction required (Required)
  • S:U — unchanged scope (Unchanged)
  • C:L/I:L/A:N — limited impact

EPSS — Exploit Prediction Scoring System

EPSS represents an innovative approach to threat assessment, using machine learning and threat intelligence to predict the real probability of vulnerability exploitation.

Concept and Methodology

Basic Principle: Unlike CVSS, which assesses potential impact, EPSS predicts the probability that a specific vulnerability will be exploited in real conditions within the next 30 days.

Model Data Sources:

  • Public exploit databases (Exploit-DB, Metasploit)
  • Threat intelligence feeds from leading vendors
  • Dark web activity analysis
  • Real cybersecurity incident statistics
  • Social media and hacker forums

EPSS Assessment Scale

Probabilistic Model (0.0 - 1.0):

Risk Level EPSS Range Interpretation Practical Recommendations
🔴 Critical 0.8 - 1.0 80-100% exploitation probability Immediate protective measures
🟠 High 0.6 - 0.8 60-80% attack probability Priority remediation
🟡 Medium 0.4 - 0.6 40-60% usage probability Planned measures within a month
🟢 Low 0.2 - 0.4 20-40% attack probability Monitoring and assessment
Minimal 0.0 - 0.2 0-20% exploitation probability Background observation

Dynamic Nature of EPSS

Daily Updates: EPSS scores are updated every 24 hours based on:

  • Newly discovered exploits
  • Threat landscape changes
  • Community vulnerability relevance
  • Automated exploitation tool emergence

Factors Influencing EPSS Changes:

  • PoC Exploit Publication — sharp score increase
  • Exploit Kit Integration — significant probability growth
  • Mass Campaigns — temporary relevance increase
  • Patch Release — gradual score decrease

CVSS and EPSS Synergy in Professional Analysis

Decision Matrix

Critical Priority (Immediate Response):

  • CVSS ≥ 9.0 + EPSS ≥ 0.8
  • High impact + High exploitation probability
  • Examples: RCE in popular web servers, critical OS vulnerabilities

High Priority (Within a week):

  • CVSS 7.0-8.9 + EPSS ≥ 0.6 OR CVSS ≥ 9.0 + EPSS 0.2-0.6
  • Serious impact with moderate probability OR critical impact with low probability
  • Examples: Privilege escalation with available exploits

Medium Priority (Within a month):

  • CVSS 4.0-6.9 + EPSS 0.3-0.6
  • Moderate impact with moderate probability
  • Examples: Information disclosure in specialized software

Low Priority (Planned measures):

  • CVSS ≤ 4.0 OR EPSS ≤ 0.3
  • Low impact OR low exploitation probability
  • Examples: DoS vulnerabilities with local access

Comprehensive Analysis Cases

Case 1: Critical Web Vulnerability

Characteristics:

  • CVE-2024-XXXX: Remote Code Execution in Apache HTTP Server
  • CVSS 3.1: 9.8 (Critical)
  • EPSS: 0.95 (Critical)
  • Available exploits: Metasploit, public PoCs

Analysis:

  • Maximum criticality by both metrics
  • Wide Apache HTTP Server distribution
  • Active wild exploitation
  • Decision: Immediate emergency patching (within 24 hours)

Case 2: Local Privilege Escalation

Characteristics:

  • CVE-2024-YYYY: Local Privilege Escalation in Windows
  • CVSS 3.1: 8.8 (High)
  • EPSS: 0.15 (Very Low)
  • Exploits: Proof-of-concept only

Analysis:

  • High impact but low exploitation probability
  • Requires local system access
  • Complex exploitation conditions
  • Decision: Scheduled update within a month

Case 3: IoT Vulnerability

Characteristics:

  • CVE-2024-ZZZZ: Authentication Bypass in Smart Cameras
  • CVSS 3.1: 6.5 (Medium)
  • EPSS: 0.85 (Critical)
  • Exploits: Mass botnet attacks

Analysis:

  • Moderate technical impact
  • Very high mass exploitation probability
  • Attack automation simplicity
  • Decision: Priority protection measures (device isolation)

Russian Threat Assessment Specifics

Integration with FSTEC Russia BDU

Russian Classification Features:

  • Domestic IT infrastructure specifics consideration
  • Compliance with regulator requirements (FSTEC, FSB)
  • Critical information infrastructure protection priority
  • Special attention to certified software vulnerabilities

International Standards Adaptation:

  • CVSS compliance with international practices
  • Additional analysis for domestic solutions
  • Geopolitical factor consideration in threat intelligence
  • Specialized threat data sources

Application in Scanner-VS 7

Intelligent Prioritization: The commercial Scanner-VS 7 uses an advanced model combining:

  • CVSS scores of all versions (2.0, 3.1, 4.0)
  • EPSS forecasts considering Russian threat landscape
  • Applicability analysis to specific IT environment
  • Automatic correlation with existing protective measures

Contextual Scoring:

  • Organization network architecture consideration
  • Protected asset criticality analysis
  • SIEM integration for current threat assessment
  • Personalized remediation recommendations

Practical Recommendations

For Information Security Specialists

Daily Work:

  1. Critical change monitoring — tracking vulnerabilities with CVSS ≥ 9.0
  2. EPSS dynamics analysis — identifying growing threats
  3. Asset correlation — assessing applicability to your environment
  4. Measure planning — developing vulnerability remediation roadmap

Strategic Planning:

  • Building vulnerability management programs
  • Integration with risk management processes
  • Routine assessment process automation
  • Team training in professional methodologies

For Information Security Managers

Reporting Metrics:

  • Number of critical vulnerabilities (CVSS ≥ 9.0)
  • Average remediation time by criticality categories
  • Risk exposure change dynamics
  • ROI from vulnerability management system investments

Investment Justification:

  • Real risk demonstration through EPSS scores
  • Potential incident damage calculation
  • Preventive measures vs. response cost comparison
  • Regulator requirement compliance

Transition to Automated Assessment

Manual Analysis Limitations

Scaling Problems:

  • Thousands of new vulnerabilities monthly
  • EPSS change tracking complexity
  • Need for expert applicability assessment
  • Human factor in decision making

Scanner-VS 7 Capabilities

Automated Scoring:

  • Continuous database change monitoring
  • Automatic risk reassessment on EPSS changes
  • Intelligent relevance filtering
  • Personalized alerts and recommendations

IT Process Integration:

  • Automatic vulnerable software discovery in infrastructure
  • Real risk-based patching prioritization
  • Configuration management system integration
  • Multi-level management reporting

Getting a Professional Assessment System

Commercial Solution Advantages

Scanner-VS 7 provides complete vulnerability management lifecycle:

  • Automated Discovery of IT infrastructure vulnerabilities
  • Intelligent Prioritization based on CVSS/EPSS and environment context
  • Rapid Deployment — 1-minute installation
  • Minimal Requirements — 2 GB RAM, 2 CPU cores
  • FSTEC Russia Certificate №2204 (4UD, TU) for Scanner-VS 6 version, Scanner-VS 7 certificate expected in 2025
  • Domestic OS Support (Astra Linux, RED OS, Alt Linux)

Implementation Contacts

JSC “Echelon Technologies”:

  • 📧 Email: partners@npo-echelon.ru
  • 📞 Phone: 8 (495) 223-23-92
  • 🏢 Address: 107023, Moscow, Elektrozavodskaya str., 24
  • 🛠️ Tech Support: 8 (800) 100-05-02

Understanding CVSS and EPSS assessment systems is the foundation for effective information security risk management. The Vulnerability Catalog provides an educational foundation for mastering these technologies, while Scanner-VS 7 is a professional tool for their application at industrial scale.