You are performing a penetration test and have discovered an undocumented file server containing sensitive company data during the assessment. This server is not listed in the provided target list. In keeping with professional conduct regarding the scope, which course of action should you take next?
Document the finding in your report for post-assessment review but avoid interacting with the server
Run non-aggressive scans on the server to determine if it holds any exploitable vulnerabilities
Inform the client of the finding and request a clarification on whether it should be included in the scope of the assessment
Immediately disconnect from the network to avoid any further unauthorized interaction