I am not entirely sure, but I would not be surprised if the risk level is a composite of published information and internal McAfee info.
I ran into an interesting situation with regard to the CVSS vector that illustrates how the internal-to-McAfee info is used.
In my case, I constructed a vulnerability set based on the CVSS vector; I was searching for vulnerabilities that are exploitable (E:F). This turned up a list of vulnerabilities with (published) 'undetermined' exploitability (E:ND). Apparently McAfee has internal, non-published information that an exploit exists, and so the vulnerabilities match the search criteria, even though that's not what the resulting report shows.
So I am guessing that the risk level may also incorporate internal-to-McAfee information.
Thanks for the reply. I found a description of the ratings in the MVM product guide (p16-17) but they do not provide much detail. An interesting thought, though, as to how McAfee internally rates vulnerabilities.
An attacker might gain privileged access (administrator, root) to the system over a remote connection.
• IIS Remote Data Services provides remote control
• RPC Auto-mounted attack