I have read Access Complexity from NVD(https://nvd.nist.gov/CVSS/v2-calculator),
[Access Complexity]
This metric measures the complexity of the attack required to exploit the vulnerability once an attacker has gained access to the target system.
Medium (M) : Some information must be gathered before a successful attack can be launched. Low (L): The attack can be performed manually and requires little skill or additional information gathering.
I have a question: if one vulnerability is hard to be discovered,and the attacker need collect certain information first, but the vulnerability is easy to be exploited. If the Access Complexity metric is "Low" in this example,is it reasonable?