During an authorized penetration test, you have discovered outdated web server software running on a client's production server. The software is susceptible to a known remote code execution (RCE) vulnerability that allows an attacker to run arbitrary code on the server. What is the MOST responsible and professional action to take next?
Run a proof-of-concept to confirm the vulnerability's exploitability before informing the client.
Report the vulnerability with details of the affected software, the vulnerability's impact, and suggested remediation steps to the client.
Ignore the vulnerability since it is the client's responsibility to keep software updated, not the tester's.
Exploit the vulnerability to demonstrate the severity to the client without causing any harm to the server.