After completing a vulnerability assessment, you discover several issues across multiple systems. One vulnerability exists in an internal component that is not internet-facing, can only be reached by users who already have privileged network access, and currently has no publicly available exploit code. If an attacker were able to take advantage of it, the result would be complete system takeover.
Which risk rating is the most appropriate to assign to this vulnerability?
Assign a critical risk score because a system takeover is possible.
Assign a low risk score because the system is not internet-facing.
Assign a medium risk score.
Assign a high risk score because privileged access is required.
Risk scores combine likelihood and impact. Although the impact is severe (full compromise), the likelihood is reduced because exploitation requires privileged insider access, the asset is not exposed externally, and no active exploits are known. In most common 3×3 or 5×5 risk matrices, and in CVSS calculations where High privileges are required, such a scenario falls into the Medium band (roughly 4.0 - 6.9) rather than High or Critical. Rating it Low would underestimate the potential business impact.