On which criteria is the weakness assessment based?
The assessment of every weakness is based on two parameters. The first parameter describes the influence that exploiting the weakness would have on the network. This covers questions such as: Are there any well-known attacks that are based on one particular protocol? Has support for an application, or for a version of an application, been stopped? The second parameter is the probability with which a weakness can be exploited. On the one hand, the probability considers the estimated costs to the attacker of exploiting a weakness; on the other hand, if there was an attack in the past, it considers the actual costs.
In the end, the combination of the two criteria, influence and probability, results in the estimated threat potential of a vulnerability.