During an authorized penetration test, you have discovered an outdated web server software running on a client's production server. Given the nature of the software, it is susceptible to a known remote code execution (RCE) vulnerability that allows an attacker to run arbitrary code on the server. What is the MOST responsible and professional action to take next?
You selected this option
Report the vulnerability with details of the affected software, the vulnerability's impact, and suggested remediation steps to the client.
You selected this option
Exploit the vulnerability to demonstrate the severity to the client without causing any harm to the server.
You selected this option
Ignore the vulnerability since it is the client's responsibility to keep software updated, not the tester's.
You selected this option
Run a proof-of-concept to confirm the vulnerability's exploitability before informing the client.
When a known vulnerability is identified, the penetration tester's responsibility is to report the vulnerability to the organization in a detailed and timely manner. The report should include the impact of the vulnerability, how it was discovered, and recommended remediation steps. The penetration tester must not exploit the vulnerability without explicit authorization, as doing so can lead to legal issues and would be against the professional code of conduct. Running a proof-of-concept without permission could potentially disrupt the client's operations and would also be unethical. Ignoring the vulnerability fails the client and does not fulfill the tester's obligation.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What are remote code execution (RCE) vulnerabilities?
Open an interactive chat with Bash
What should be included in a vulnerability report?
Open an interactive chat with Bash
Why is it important to avoid exploiting vulnerabilities during a penetration test?