CompTIA CySA+ (CS0-003) — Question 2

A recent zero-day vulnerability is being actively exploited, requires no user interaction or privilege escalation, and has a significant impact to confidentiality and integrity but not to availability. Which of the following CVE metrics would be most accurate for this zero-day threat?

Answer options

• A. CVSS:31/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:K/A:L
• B. CVSS:31/AV:K/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:L
• C. CVSS:31/AV:N/AC:L/PR:N/UI:H/S:U/C:L/I:N/A:H
• D. CVSS:31/AV:L/AC:L/PR:R/UI:R/S:U/C:H/I:L/A:H

Correct answer: A

Explanation

The correct answer, A, accurately reflects the characteristics of the zero-day vulnerability, indicating no user interaction (UI:N) and high confidentiality impact (C:H) while having no effect on availability (A:L). The other options either imply user interaction, incorrect impacts on availability, or require privilege escalation, which do not align with the described scenario.