It’s the last sentence of the article - 9.8/10. In this case it’s probably called critical because of the potential consequences of the exploit being a full machine takeover, not the likeliness of the exploit being used.
It means that CVSS is calculated wrong. It can’t be so big because default configuration is not affected and attacker requires admin access to change it.
I wonder if Matt calculated CVSS score before calling this vulnerability “critical”.
It’s the last sentence of the article - 9.8/10. In this case it’s probably called critical because of the potential consequences of the exploit being a full machine takeover, not the likeliness of the exploit being used.
It means that CVSS is calculated wrong. It can’t be so big because default configuration is not affected and attacker requires admin access to change it.
I mean take a look at the report. Still not sure how it’s “wrong”.
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?name=CVE-2023-40547&vector=AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H&version=3.1&source=NIST
Admin or physical access.