Go Beyond CVSS Scores

Tags: Vulnerabilities, Cybersecurity, Threat Intelligence, Risk Assessment

The post discusses the importance of not relying solely on CVSS scores when a new critical vulnerability emerges. Using CVE-2025-24813 (Tomcat) as an example, the author explains that it is crucial to understand the conditions required to exploit the vulnerability. In this case, a specific non-default configuration of Tomcat was required. After checking their version control system, they found that this configuration was not enabled anywhere, which meant that the vulnerability posed no risk to them. Additionally, a threat intelligence service such as Mandiant assessed CVE-2025-24813 as medium severity because the required non-default configuration is uncommon.
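As an added example (not code from the post or from the Tomcat project), the kind of check the author describes running against version control: the post does not name the Tomcat setting, so this script assumes the precondition given in the Apache Tomcat advisory for CVE-2025-24813, writes enabled for the DefaultServlet (init-param `readonly=false`, default `true`), and walks a checked-out tree for web.xml files that enable it. The sample web.xml contents are constructed.

```python
"""Audit Tomcat web.xml files for the DefaultServlet write precondition.

Assumption (not stated on the page): the setting checked is the DefaultServlet
init-param 'readonly', which Tomcat defaults to true. Sample files below are
constructed, not taken from any real deployment.
"""
import xml.etree.ElementTree as ET
from pathlib import Path

DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"


def _local(tag: str) -> str:
    """Strip an XML namespace prefix such as '{http://...}servlet'."""
    return tag.rsplit("}", 1)[-1]


def default_servlet_writable(web_xml: str) -> bool:
    """True if this web.xml declares the DefaultServlet with readonly=false."""
    for servlet in ET.fromstring(web_xml).iter():
        if _local(servlet.tag) != "servlet":
            continue
        cls, params = "", {}
        for child in servlet:
            if _local(child.tag) == "servlet-class":
                cls = (child.text or "").strip()
            elif _local(child.tag) == "init-param":
                kv = {_local(p.tag): (p.text or "").strip() for p in child}
                params[kv.get("param-name", "")] = kv.get("param-value", "")
        # Tomcat's default for readonly is true, so an absent param is safe.
        if cls == DEFAULT_SERVLET and params.get("readonly", "true").lower() == "false":
            return True
    return False


def find_writable_web_xml(root: Path) -> list:
    """Walk a checked-out tree (e.g. a VCS export) and return offending web.xml paths."""
    hits = []
    for path in root.rglob("web.xml"):
        try:
            if default_servlet_writable(path.read_text(encoding="utf-8")):
                hits.append(path)
        except ET.ParseError:
            pass  # malformed XML is not a usable config; skip it
    return sorted(hits)


# Constructed samples: a stock-style config and one with writes enabled.
SAFE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
 <servlet><servlet-name>default</servlet-name>
  <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
  <init-param><param-name>listings</param-name><param-value>false</param-value></init-param>
 </servlet></web-app>"""
RISKY_WEB_XML = SAFE_WEB_XML.replace("</servlet>",
    "<init-param><param-name>readonly</param-name><param-value>false</param-value></init-param></servlet>")
```

Run `find_writable_web_xml(Path("path/to/checkout"))` over an export of each repository; an empty list means no tracked configuration enables the precondition.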