This is a great article because it outlines most of the fears I always had when looking at scan results in my own systems that separated the types of vulnerabilities from critical down to low. Vulnerability scans provide a way for organizations to check how resistant their networks will be to an attack. The way they typically work is this: a scan shows the known vulnerabilities in the target systems and then ranks them by severity, usually on a scale of “Low,” “Medium,” “High” and “Critical.” In order to best protect the network, the Critical and High severity vulnerabilities are fixed, the Medium severity vulnerabilities are dealt with when and if there is personnel and budget capacity, and the Low severity vulnerabilities are left to persist indefinitely.
First, it is necessary to understand how vulnerabilities are assigned a severity ranking. Let’s assume that the scanning tool’s severity rankings are based either directly or indirectly on a vulnerability’s Common Vulnerability Scoring System (CVSS) score.
The general idea is that a number of criteria are considered in order to calculate a “Base Score” for a vulnerability. The Base Score ranges from 0 to 10; anything from 0.1 to 3.9 is Low, the threshold for Medium severity is 4.0, High is 7.0 and Critical is 9.0, and it is this banding that is often used to assign severity ratings to vulnerability scanning tool findings.
The Base Score is calculated from a number of factors, including how complex a vulnerability is to exploit, where it can be exploited from (network, adjacent network, local or physical), whether an attacker needs to be authenticated (and with what level of privilege), whether a user has to be tricked into doing something, and what the potential impact would be on confidentiality, integrity and availability. While these are all valid criteria that can tell us quite a bit about a vulnerability, the Base Score deliberately ignores some key things that should matter to us: what the affected asset is, what it is connected to and whether an exploit is already circulating. The full version of CVSS can also calculate “Temporal” and “Environmental” scores to capture exactly those things, but the severity bands quoted above come from the Base Score alone.
Focusing on the Critical and High Risk vulnerabilities also ignores the possibility of vulnerabilities being chained together by an attacker. For example, one vulnerability may allow an attacker to gain a foothold on a system under an account with very low privileges, while another vulnerability may allow an attacker to escalate privileges to an administrator level. Taken independently, these vulnerabilities might each be Low or Medium severity, but combined the result is an attacker who can gain remote access with administrator level privileges, which many organizations would (or at least should) consider high risk. A real world example of how chaining vulnerabilities this way works can be seen in the “Hot Potato” exploit, which relies on a series of Windows vulnerabilities, some of which date back over a decade.
Here is the rest of the article: http://www.securitymagazine.com/articles/87600-why-low-severity-vulnerabilities-can-still-be-high-risk