@misc Thanks for reaching out :) You may want to take a look at the section "Impact Metrics" (https://www.first.org/cvss/v4.0/specification-document#Impact-Metrics). Here they state:

"Formally, a system of interest for scoring a vulnerability is defined as the set of computing logic that executes in an environment with a coherent function and set of security policies."

The next paragraph extends this definition:

"When a system provides its functionality solely to another system, or it is designed to be exclusively used by another system, then together they are considered as the system of interest for scoring."

Now, if there is a vulnerability in one of the components of this system, this makes this system the "Vulnerable System". If the vulnerability affects another system, this is called the "Subsequent System".

Regarding the examples:
1. VMware (https://www.first.org/cvss/v4.0/examples#CVE-2020-3947)

"Successful exploitation of this issue may lead to code execution on the host from the guest".

To me, this sounds like the vulnerability is in the guest and allows code execution on the host. The guest machine is a "set of computing logic that executes in an environment with a coherent function and set of security policies", so it's the vulnerable system. The host machine provides its functionality to other systems (other guests) and is therefore the subsequent system (it's not the same system of interest).

2. "in a web service vulnerability, the underlying OS is usually part of the vulnerable system":

I am afraid you need to clarify this. Exactly what vulnerability are you talking about? In my opinion, the underlying OS should indeed be a subsequent system, since it not only provides its functionality to the web application, but usually also allows management access, etc.