Concept explainer · Jun 19, 2026
Why does a 'medium' vulnerability score sometimes hide a critical risk?
A numerical severity score is a starting point for triage, not a verdict — and the gap between a score of 6.5 and root-level system access is exactly where real-world breaches happen.
Why this matters now
Vulnerability management teams live and die by prioritization queues. When thousands of CVEs compete for a finite number of engineer-hours, a scoring system that sorts "critical" from "medium" feels essential. The problem is that scoring systems measure individual vulnerability characteristics in isolation, and attackers do not operate in isolation. They chain. A flaw that looks manageable on paper can open a direct path to full system compromise when it is one step inside an environment where credentials have already been stolen.
This is not a hypothetical edge case. It is a structural limitation in how most organizations operationalize risk scoring, and it is worth understanding before it costs you an incident.
How it works
The Common Vulnerability Scoring System (CVSS) assigns a base score by evaluating a fixed set of attributes: how the attack is delivered, how complex it is, what privileges the attacker needs beforehand, whether user interaction is required, and how the vulnerability's impact is scoped. Each attribute nudges the score up or down. Requiring authentication, for example, lowers the score — because it adds friction.
What CVSS does not natively capture is chaining potential: the degree to which one vulnerability becomes the launch pad for the next.
Authenticated access
│
├─ Step 1: Crafted request
│  (CVSS scores this)
│
├─ Step 2: Arbitrary file write
│  (CVSS partially scores)
│
└─ Step 3: Privilege escalation to root
   (CVSS underweights this)

CVSS measures entry friction but underweights what happens after the first step lands.
In a path traversal attack, a flaw in input validation lets an attacker write or overwrite files outside the intended directory. If the application fails to sanitize the file path in an upload request, an attacker can target sensitive system files — configuration files, scheduled tasks, startup scripts — and use that write access to escalate privileges. The authentication requirement that lowered the CVSS score? If credentials were already obtained through phishing or a prior breach, that friction costs the attacker almost nothing.
The result: the score measures step one's difficulty. It does not adequately reflect what steps two and three unlock.
Real-world applications
Triage decisions. Security teams sorting by CVSS base score alone will consistently underprioritize flaws that chain into privilege escalation. A better heuristic asks: if an attacker clears the initial bar, what can they reach next? Flaws touching management planes, identity systems, or orchestration layers deserve escalated scrutiny regardless of base score.
Red team thinking. Offensive security practitioners routinely build exploit chains where no single step would trigger a critical alert. Understanding chaining potential is foundational to both red teaming and to evaluating whether your detection coverage is positioned at the right links in the chain.
AI and LLM attack surfaces. The same logic applies to prompt injection and adversarial inputs in AI systems. A single prompt injection might score as low severity in isolation — it requires user interaction, limited scope — but chained with tool access or an agent with file-write permissions, it becomes a path to data exfiltration or system manipulation. The structural gap between a severity label and actual exploitability is not unique to traditional CVEs.
Defense design. Systems that centralize control — network management planes, AI orchestration layers, identity providers — are categorically higher-value targets. A medium-severity flaw in a peripheral application and a medium-severity flaw in your most privileged system are not the same risk, even if CVSS scores them identically.
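One way to turn the triage heuristic and the defense-design point above into a queue ordering, as an added example that is not part of the article: each finding keeps its CVSS base score but is re-ranked by the centrality of the system it sits on and by whether its effect is a launch pad for a further step. The asset tiers, weights, chainable effects and sample findings are all constructed assumptions chosen to illustrate the idea, not a published methodology.

```python
"""Added example: context-aware triage ordering. Weights, tiers and findings are
constructed assumptions for illustration."""
from dataclasses import dataclass

# Assumed multipliers for how much a system's centrality raises a flaw's urgency.
ASSET_TIER_WEIGHT = {
    "identity_provider": 1.6,
    "management_plane": 1.6,
    "orchestration": 1.5,
    "internal_app": 1.2,
    "peripheral": 1.0,
}

# Assumed: post-entry effects that typically become the next step in a chain.
CHAINABLE_EFFECTS = {
    "arbitrary_file_write", "code_execution",
    "credential_access", "privilege_escalation",
}


@dataclass
class Finding:
    finding_id: str      # placeholder ids, not real CVE numbers
    cvss_base: float
    asset: str
    asset_tier: str
    effect: str          # what the flaw hands an attacker who clears the entry bar
    auth_required: bool


def triage_priority(f: Finding, creds_assumed_compromised: bool = True) -> float:
    """Base score scaled by asset centrality, plus a fixed bump for chainable
    effects. The authentication discount is only honoured when the environment
    does not treat credentials as already stolen (assumed policy)."""
    priority = f.cvss_base * ASSET_TIER_WEIGHT[f.asset_tier]
    if f.effect in CHAINABLE_EFFECTS:
        priority += 2.0
    if f.auth_required and not creds_assumed_compromised:
        priority -= 1.0
    return round(priority, 1)


def ranked(findings, creds_assumed_compromised: bool = True):
    """Queue order under the contextual heuristic, highest priority first."""
    return sorted(findings,
                  key=lambda f: triage_priority(f, creds_assumed_compromised),
                  reverse=True)


def ranked_by_base_score(findings):
    """The naive queue: sort by CVSS base score alone."""
    return sorted(findings, key=lambda f: f.cvss_base, reverse=True)


# Constructed sample queue.
SAMPLE = [
    Finding("EXAMPLE-A", 7.5, "marketing-cms", "peripheral", "denial_of_service", False),
    Finding("EXAMPLE-B", 6.5, "sso-idp", "identity_provider", "arbitrary_file_write", True),
    Finding("EXAMPLE-C", 9.8, "ticketing-app", "internal_app", "code_execution", False),
    Finding("EXAMPLE-D", 5.3, "kiosk-frontend", "peripheral", "information_disclosure", False),
]


if __name__ == "__main__":
    print("by base score:", [f.finding_id for f in ranked_by_base_score(SAMPLE)])
    print("contextual:   ", [(f.finding_id, triage_priority(f)) for f in ranked(SAMPLE)])
```

The Medium-scored file write on the identity provider (EXAMPLE-B) moves ahead of the High-scored denial of service on a peripheral system, while the unauthenticated code execution still sits at the top; the point is not the specific weights but that the order changes once you ask what each flaw reaches next.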
Where to go deeper
If this gap between scoring and actual exploitability surfaces questions about AI-specific attack surfaces, the EducationPals courses on Prompt Injection, Red Teaming LLMs, and Adversarial Machine Learning apply exactly this chain-thinking to language model deployments. AI Safety and Data Privacy for AI extend the framework to systemic risk and what happens when an attacker reaches the data layer. The transferable skill across all of them: always ask what the vulnerability enables downstream, not just what it does at the point of entry.