After completing a vulnerability assessment, you discover several issues across multiple systems. One vulnerability exists in an internal component that is not internet-facing, can only be reached by users who already have privileged network access, and currently has no publicly available exploit code. If an attacker were able to take advantage of it, the result would be complete system takeover.
Which risk rating is the most appropriate to assign to this vulnerability?
Assign a medium risk score.
Assign a low risk score because the system is not internet-facing.
Assign a high risk score because privileged access is required.
Assign a critical risk score because a system takeover is possible.
Risk scores combine likelihood and impact. Although the impact is severe (full compromise), the likelihood is reduced because exploitation requires privileged insider access, the asset is not exposed externally, and no public exploit code is known. In most common 3×3 or 5×5 risk matrices, and in CVSS calculations where High privileges are required, such a scenario falls into the Medium band (roughly 4.0 to 6.9) rather than High or Critical. Rating it Low would underestimate the potential business impact.