A routine vulnerability scan identifies a newly disclosed zero-day flaw (CVSS 9.8) in the HTTPS stack of an internet-facing web server. The vendor has not released a patch or official workaround. Which immediate action will best mitigate the risk until a permanent fix becomes available?
Begin drafting a post-incident lessons-learned report
Block all external network access to the web server until a patch is available
Install the latest OS and application patches even though the vulnerability remains
Escalate the finding to senior management and await further guidance
Because no vendor patch currently exists, the quickest way to prevent exploitation is to block the vulnerable service from external access-either by disconnecting the host or by enforcing a firewall rule that denies inbound traffic to the web server. This containment (isolation) reduces the attack surface while you monitor for a patch, test it, and schedule full remediation. Other options (installing existing but ineffective patches, performing post-incident analysis, or waiting for management direction) do not immediately remove exposure.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is a zero-day vulnerability?
Open an interactive chat with Bash
What is CVSS and why is a score of 9.8 significant?
Open an interactive chat with Bash
What does 'blocking external network access' achieve in vulnerability mitigation?