A security analyst for a financial services company is prioritizing recently discovered vulnerabilities. Which of the following vulnerabilities should the analyst address FIRST?
A medium-severity vulnerability (CVSS 6.5) in the firmware of office printers for which a patch has been available for three months.
A low-severity vulnerability (CVSS 3.1) in a legacy development server that is scheduled to be decommissioned in the next two weeks.
A known remote code execution (RCE) vulnerability with a CVSS score of 9.8 on an external, internet-facing customer portal server. A patch is available, and active exploitation has been reported in the wild.
A zero-day vulnerability discovered in an internal-only Human Resources application. No active exploitation has been observed, and the potential impact is limited to local data access.
The highest priority goes to the vulnerability that poses the most immediate and significant risk to the organization, which is a function of exploitability, exposure, and asset criticality rather than the CVSS base score alone. A known vulnerability with a critical score (9.8) on an internet-facing, customer-facing server that is already being exploited in the wild presents a clear and present danger: the attack path is proven, the target is reachable by anyone, and a patch exists, so the only remaining variable is how quickly it is applied. A zero-day is a serious concern, but its risk must be contextualized; in this scenario it affects a less critical, internal-only system, no exploitation has been observed, and the impact is limited to local data access, which makes it a lower priority than the actively exploited flaw on the mission-critical server. It still needs attention after the portal is patched: with no vendor fix available, the analyst should apply compensating controls (restrict access, increase monitoring) until one exists. The printer firmware vulnerability and the low-severity flaw on the development server scheduled for decommissioning represent significantly lower risks; the printer patch, already three months overdue, belongs in the next maintenance window, and the development server finding can be deferred provided the decommission actually happens on schedule.
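As an added illustration that is not part of the original question or explanation, the following Python expresses the ordering the explanation describes as a small, repeatable decision procedure: active exploitation on an exposed host outranks everything, a zero-day with no vendor fix is escalated because it needs compensating controls rather than just a ticket, and a low-severity finding on a host that is about to be retired is deferred. The four findings are constructed from the option text; the tier thresholds (CVSS 7.0 and 4.0, 30 days to decommission) and the assumption that a patch exists for the development-server flaw are illustrative choices, not values from the question or from any published standard.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Finding:
    name: str
    cvss: Optional[float]          # None when no score has been published yet
    internet_facing: bool
    exploited_in_wild: bool
    patch_available: bool
    days_until_decommission: Optional[int] = None


# Constructed findings mirroring the four options in the question.
PORTAL = Finding("customer-portal-rce", 9.8, internet_facing=True,
                 exploited_in_wild=True, patch_available=True)
HR_APP = Finding("hr-app-zero-day", None, internet_facing=False,
                 exploited_in_wild=False, patch_available=False)
PRINTER = Finding("printer-firmware", 6.5, internet_facing=False,
                  exploited_in_wild=False, patch_available=True)
# Assumption: the option does not say whether a patch exists for the dev
# server; a patch is assumed here so the finding is judged on severity alone.
DEV_SERVER = Finding("legacy-dev-server", 3.1, internet_facing=False,
                     exploited_in_wild=False, patch_available=True,
                     days_until_decommission=14)
FINDINGS = [PRINTER, DEV_SERVER, PORTAL, HR_APP]

TIER_LABELS = {
    1: "immediate: patch now, out of cycle",
    2: "urgent: patch or apply compensating controls this week",
    3: "scheduled: next regular maintenance window",
    4: "defer: re-check at decommission date or next review",
}


def tier(f: Finding) -> int:
    """Map a finding to a priority tier (1 = fix first). Thresholds are illustrative."""
    score = f.cvss if f.cvss is not None else 0.0
    # Tier 1: proven attack path, reachable from the internet.
    if f.exploited_in_wild and f.internet_facing:
        return 1
    # Tier 2: exploited anywhere, high/critical on an exposed host, or a
    # zero-day with no fix (needs a mitigation decision, not just a ticket).
    if f.exploited_in_wild or (f.internet_facing and score >= 7.0) \
            or not f.patch_available:
        return 2
    # Tier 4: low severity, or the host is retired within 30 days anyway.
    if score < 4.0 or (f.days_until_decommission is not None
                       and f.days_until_decommission <= 30):
        return 4
    return 3


def triage(findings: List[Finding]) -> List[Finding]:
    """Order findings by tier, then by CVSS within a tier (unscored sorts last)."""
    return sorted(findings, key=lambda f: (tier(f), -(f.cvss or 0.0)))


def report(findings: List[Finding]) -> List[Tuple[str, int, str]]:
    """Return (name, tier, label) rows in the order the analyst should work them."""
    return [(f.name, tier(f), TIER_LABELS[tier(f)]) for f in triage(findings)]


if __name__ == "__main__":
    for name, t, label in report(FINDINGS):
        print(f"{t}  {name:<22} {label}")
```

The first row printed is the customer portal, which is the answer the explanation arrives at; the HR zero-day lands in tier 2 only because it has no fix, and it would drop to tier 3 or 4 as soon as a patch is released and applied.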