Vulnerability is associated with the probability of resistance of actions of a threat. A vulnerability exists when a force of threat exceeds the capacity of resistance. Virtualization and its exclusive architecture have numerous features and advantages over non-conventional virtual machines. However, this new uniqueness creates new vulnerabilities and attacks on a cloud system. Assessing the security of software services on Cloud is complex because the security depends on the vulnerability of infrastructure, platform and software services. In 2017, over 14,000 new vulnerabilities were disclosed, so, a key question for administrators is which vulnerabilities to prioritize. The Common Vulnerability Scoring System (CVSS) is often used to decide which vulnerabilities pose the greatest risk. CVSS V3 creates a metric for each vulnerability and establishes a very broad definition of vulnerabilities, therefore, multi-criteria decision making (MCDM) is necessary to making a choice of the best alternative from among a finite set of decision alternatives in terms of multiple criteria. We propose a model for the evaluation and prioritization of vulnerabilities in cloud architectures based on the Common Vulnerability Scoring System and multi-criteria decision making.