IMHO CVSS is a waste of time. There are only two actions applicable to vulnerabilities in business environments: Fix urgently or fix as per periodic patching. You need to fix urgently vulnerabilities with remote execution or escalation of privileges. Done.