CVSS 4.0 turned two on November 1, 2025. The specification promised sharper severity gradations, better OT and safety modeling, and richer Threat (formerly Temporal) and Environmental metrics. In practice, adoption has been slower than FIRST projected. Of the 28,512 CVEs published to the NVD between January 1 and September 30, 2025, only 39% carry a CVSS 4.0 vector; the remainder still arrive with a 3.1 vector only. Major vendors have split: Red Hat, Oracle, and Siemens ProductCERT publish both; Microsoft and Cisco PSIRT still default to 3.1 and add 4.0 only on selected advisories. For vulnerability management teams, the practical problem is not whether CVSS 4.0 is better, but how to compare and prioritize across a mixed population. Here is the state of play and a pragmatic scoring strategy for the rest of 2025.
Where did CVSS 4.0 adoption actually land?
Publisher coverage is uneven. CISA added 4.0 vectors to KEV entries starting April 2024. NIST's NVD began publishing parallel 4.0 scores in May 2025 but only for a subset of new CVEs, citing analyst capacity. GitHub Advisory Database publishes 4.0 vectors when the upstream supplies them. Ecosystem-wide, the practical share of vulnerabilities with complete 4.0 vectors (including the Threat and Environmental groups) is under 8%. Most "4.0" entries you see in the wild are Base-only (CVSS-B in the spec's own nomenclature), which the spec explicitly warns is the least actionable form: it carries no exploit-maturity or environmental context, and the spec treats the absent metrics as their worst case.
How often does CVSS 4.0 disagree meaningfully with 3.1?
We analyzed 2,410 CVEs with both vectors drawn from NVD and vendor PSIRTs through September 2025. Absolute score difference averaged 0.6, and severity band changed in 21% of cases. The shifts were asymmetric: 4.0 tended to downgrade CVEs whose 3.1 scores were inflated by the Scope metric (Scope: Changed is gone), and upgraded some OT-relevant issues once the new Subsequent System impact metrics applied. Tenable's 2025 analysis reached similar conclusions. The upshot: a straight numerical comparison across the two versions will misprioritize roughly one in five CVEs.
What changed in the base metrics worth knowing?
CVSS 4.0 replaces Scope with Vulnerable System (VC, VI, VA) and Subsequent System (SC, SI, SA) impact triads. Attack Requirements (AT) is a new base metric beside Attack Complexity: AC is narrowed to the effort of evading built-in security mechanisms, while AT captures deployment or execution conditions the attacker does not control, such as a non-default configuration or a race condition that must be won. User Interaction has three values (None, Passive, Active) rather than two. The biggest practical change is that a vulnerability requiring a specific pre-configuration (AT:P) now scores lower in 4.0; 3.1 had no metric for that condition, so analysts either folded it into AC:H or, more often, scored the issue as if the condition did not exist. That single change explains most of the downward drift in 3.1-to-4.0 rescoring.
CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H -> 10.0
CVSS 4.0: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H -> 10.0
# Same top score. Change AT:N to AT:P and the 4.0 score drops to 8.7; 3.1 has no metric for the condition, so it stays 10.0 unless the analyst chose AC:H.
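To make the comparison above mechanical, here is an added example (not code from the page or from FIRST) that parses both vector formats, scores the 3.1 vector with the formula from the 3.1 specification, derives the 4.0 MacroVector from the equivalence-set rules in the 4.0 specification, and names the metric differences that explain drift between a 3.1/4.0 pair. The drift-reason wording is this example's own; the 4.0 part stops at the MacroVector because the full score needs the spec's lookup table and interpolation step, which are not reproduced here. It applies only the MSI/MSA environmental overrides, which is a simplification.

```python
"""Added example (not from the page or from FIRST): parse CVSS 3.1 and 4.0
vectors, score 3.1 with the published formula, derive the 4.0 MacroVector,
and name the metric differences that drive 3.1 -> 4.0 drift."""
import math

_AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.20}
_AC = {"L": 0.77, "H": 0.44}
_UI = {"N": 0.85, "R": 0.62}
_CIA = {"H": 0.56, "L": 0.22, "N": 0.0}


def parse_vector(vector: str) -> dict:
    """'CVSS:3.1/AV:N/...' -> {'version': '3.1', 'AV': 'N', ...}."""
    head, *parts = vector.split("/")
    if not head.startswith("CVSS:"):
        raise ValueError("vector must begin with CVSS:<version>")
    metrics = {"version": head.split(":", 1)[1]}
    for part in parts:
        key, sep, value = part.partition(":")
        if not sep or not value:
            raise ValueError(f"malformed metric {part!r}")
        metrics[key] = value
    return metrics


def _roundup(x: float) -> float:
    """Roundup() from CVSS 3.1 Appendix A, written to avoid float artefacts."""
    i = round(x * 100000)
    if i % 10000 == 0:
        return i / 100000.0
    return (math.floor(i / 10000) + 1) / 10.0


def score_v31(m: dict) -> float:
    """CVSS 3.1 base score (spec section 7.1)."""
    changed = m["S"] == "C"
    pr = {"N": 0.85, "L": 0.68 if changed else 0.62, "H": 0.50 if changed else 0.27}[m["PR"]]
    iss = 1 - (1 - _CIA[m["C"]]) * (1 - _CIA[m["I"]]) * (1 - _CIA[m["A"]])
    impact = (7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15) if changed else 6.42 * iss
    expl = 8.22 * _AV[m["AV"]] * _AC[m["AC"]] * pr * _UI[m["UI"]]
    if impact <= 0:
        return 0.0
    total = 1.08 * (impact + expl) if changed else impact + expl
    return _roundup(min(total, 10.0))


def macrovector_v40(m: dict) -> str:
    """The six equivalence-set levels (EQ1..EQ6) from CVSS 4.0 section 8.2.
    Absent metrics (X) take the spec's defaults: E:X as A, CR/IR/AR:X as H,
    MSI/MSA:X as the base SI/SA. Other MV*/MS* overrides are not applied here
    (this example's simplification)."""
    av, pr, ui = m["AV"], m["PR"], m["UI"]
    if av == "N" and pr == "N" and ui == "N":
        eq1 = 0
    elif av == "P" or not (av == "N" or pr == "N" or ui == "N"):
        eq1 = 2
    else:
        eq1 = 1
    eq2 = 0 if (m["AC"] == "L" and m["AT"] == "N") else 1
    vc, vi, va = m["VC"], m["VI"], m["VA"]
    if vc == "H" and vi == "H":
        eq3 = 0
    elif "H" in (vc, vi, va):
        eq3 = 1
    else:
        eq3 = 2
    si = m["SI"] if m.get("MSI", "X") == "X" else m["MSI"]
    sa = m["SA"] if m.get("MSA", "X") == "X" else m["MSA"]
    if si == "S" or sa == "S":          # Safety impact exists only via MSI/MSA
        eq4 = 0
    elif "H" in (m["SC"], si, sa):
        eq4 = 1
    else:
        eq4 = 2
    eq5 = {"A": 0, "P": 1, "U": 2}.get(m.get("E", "X"), 0)

    def req_high(k):                    # CR/IR/AR default (X) is High
        return m.get(k, "X") in ("H", "X")

    eq6 = 0 if ((req_high("CR") and vc == "H") or (req_high("IR") and vi == "H")
                or (req_high("AR") and va == "H")) else 1
    return f"{eq1}{eq2}{eq3}{eq4}{eq5}{eq6}"


def band(score: float) -> str:
    """Qualitative rating; the bands are identical in 3.1 and 4.0."""
    if score == 0:
        return "None"
    return "Low" if score < 4.0 else "Medium" if score < 7.0 else "High" if score < 9.0 else "Critical"


def drift_reasons(v31: dict, v40: dict) -> list:
    """Metric-level explanations for a 3.1/4.0 pair, in this example's own wording."""
    reasons = []
    if v40["AT"] == "P":
        reasons.append("AT:P has no 3.1 equivalent; 3.1 could only fold it into AC:H or ignore it")
    subsequent = {v40["SC"], v40["SI"], v40["SA"]}
    if v31["S"] == "C" and subsequent == {"N"}:
        reasons.append("3.1 S:C credited a scope change that 4.0 records as no subsequent-system impact")
    if v31["S"] == "U" and subsequent != {"N"}:
        reasons.append("4.0 records subsequent-system impact that 3.1 S:U did not credit")
    if v31["UI"] == "R" and v40["UI"] in ("P", "A"):
        reasons.append(f"3.1 UI:R is now UI:{v40['UI']}; 4.0 separates passive from active interaction")
    if "S" in (v40.get("MSI"), v40.get("MSA")):
        reasons.append("Safety impact (MSI:S/MSA:S) has no 3.1 representation")
    return reasons


if __name__ == "__main__":
    old = parse_vector("CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H")
    new = parse_vector("CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H")
    print("3.1:", score_v31(old), band(score_v31(old)))
    print("4.0 MacroVector:", macrovector_v40(new), "drift:", drift_reasons(old, new))
```

Run as a script it scores the page's 3.1 vector at 10.0 and shows the AT:P variant landing in MacroVector 010100 (EQ2 moves from 0 to 1) with a single drift reason. The same `drift_reasons` check is the one worth running over a whole feed: it tells you which of the "one in five" band changes come from AT:P, which from removed Scope inflation, and which from new subsequent-system or safety impact.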
How should teams handle mixed CVSS data in the real world?
Three rules that work. First, use EPSS as the tie-breaker for prioritization across versions, since it is version-agnostic. Second, compute a synthetic severity band per finding using whichever vector is most complete (prefer 4.0 with Threat metrics, CVSS-BT, when available). Third, when exporting or sharing findings with customers, carry both vectors and label them by version. CISA SSVC remains a reasonable complement to either version for critical infrastructure, and its August 2025 refresh added a CVSS-4.0-aware mapping.
Is CVSS 4.0 worth adopting in your pipeline today?
Yes, as an additional field, not a replacement. Store both vectors where you have them, calculate an internal "effective severity" using whichever is most complete plus your environmental weighting, and drive SLAs from the synthesized value. For new CVE ingestion in late 2025, expect roughly 40% of NVD entries to carry 4.0, rising toward 70% by mid-2026 as NIST works through the backlog. Teams that plan for mixed data for at least another 18 months will avoid the churn of switching tooling twice.
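The three rules above and the "effective severity" pipeline described here, as an added example that is not Safeguard's code or anyone else's: each finding keeps both raw vectors, the most complete vector is chosen (4.0 first, labelled by which metric groups it carries), a tenant weighting is applied, findings are ranked by band with EPSS as the tie-break, and a full-band disagreement between 3.1 and 4.0 is flagged for review rather than silently re-prioritized. The record layout, the `env_multiplier` field and the placeholder IDs are this example's assumptions; scores are taken as delivered by the feed, with the EX-1 pair being the vectors from the comparison above.

```python
"""Added example (not Safeguard's code): apply the three rules above to a mixed
3.1/4.0 population. Record layout, placeholder IDs and env_multiplier are this
example's assumptions; scores are taken as delivered by a feed."""
from dataclasses import dataclass
from typing import Optional

_ENV_KEYS = ("CR", "IR", "AR", "MAV", "MAC", "MAT", "MPR", "MUI",
             "MVC", "MVI", "MVA", "MSC", "MSI", "MSA")
_RANK = {"None": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}


@dataclass
class Finding:
    cve: str                               # placeholder IDs below, not real CVEs
    epss: float                            # EPSS probability, version-agnostic
    v31_vector: Optional[str] = None
    v31_score: Optional[float] = None
    v40_vector: Optional[str] = None
    v40_score: Optional[float] = None
    env_multiplier: float = 1.0            # assumed tenant weighting (1.0 = none)


def band(score: float) -> str:
    """Qualitative rating; identical bands in 3.1 and 4.0."""
    if score == 0:
        return "None"
    return "Low" if score < 4.0 else "Medium" if score < 7.0 else "High" if score < 9.0 else "Critical"


def v40_form(vector: str) -> str:
    """Spec nomenclature for the groups a 4.0 vector carries: B, BT, BE or BTE."""
    keys = {part.split(":", 1)[0] for part in vector.split("/")[1:]}
    return "B" + ("T" if "E" in keys else "") + ("E" if any(k in keys for k in _ENV_KEYS) else "")


def pick_vector(f: Finding):
    """Rule 2: prefer the 4.0 vector when present (labelled by completeness), else 3.1."""
    if f.v40_score is not None:
        return f"CVSS-{v40_form(f.v40_vector)} (4.0)", f.v40_score
    if f.v31_score is not None:
        return "CVSS-3.1", f.v31_score
    return "unscored", 0.0


def effective(f: Finding) -> dict:
    """Synthesised severity, divergence flag, and both raw vectors carried (rule 3)."""
    source, score = pick_vector(f)
    eff = round(min(score * f.env_multiplier, 10.0), 1)
    diverges = (f.v31_score is not None and f.v40_score is not None
                and band(f.v31_score) != band(f.v40_score))
    return {"cve": f.cve, "source": source, "effective_score": eff, "band": band(eff),
            "needs_triage": diverges, "epss": f.epss,
            "cvss_3_1": f.v31_vector, "cvss_4_0": f.v40_vector}


def prioritize(findings) -> list:
    """Rule 1: band first, then EPSS as the version-agnostic tie-break, then score."""
    rows = [effective(f) for f in findings]
    rows.sort(key=lambda r: (_RANK[r["band"]], r["epss"], r["effective_score"]), reverse=True)
    return rows


SAMPLE = [  # constructed records; EX-1 reuses the 3.1/4.0 pair from the article
    Finding("EX-1", 0.02,
            "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", 10.0,
            "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H", 8.7),
    Finding("EX-2", 0.90, "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 9.8),
    Finding("EX-3", 0.40,
            v40_vector="CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A",
            v40_score=9.3),
    Finding("EX-4", 0.01, "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", 7.5,
            env_multiplier=0.4),
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE):
        flag = "  <- 3.1/4.0 disagree by a band, review" if row["needs_triage"] else ""
        print(f'{row["cve"]}: {row["band"]} {row["effective_score"]} '
              f'via {row["source"]}, EPSS {row["epss"]:.2f}{flag}')
```

The two Criticals are ordered by EPSS rather than by their raw scores, which is the point of rule 1; EX-1 drops to High on its 4.0 vector but is flagged, because a full-band move between versions is exactly the case where a human should confirm that AT:P is genuinely applicable in the estate before the SLA relaxes.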
How Safeguard Helps
Safeguard ingests both CVSS 3.1 and 4.0 vectors for every vulnerability and exposes them side by side in findings, so teams never have to choose blindly. The platform calculates an effective severity per finding using the most complete vector available plus EPSS and tenant-specific environmental metrics, which flows directly into policy gates and SLAs. When a CVE's 4.0 score diverges from 3.1 by a full severity band, Safeguard flags it for triage review rather than silently re-prioritizing. Customers keep one source of truth through the multi-year transition.