CompTIA CySA+ (CS0-003) — Question 402
A security analyst is analyzing two vulnerabilities on a critical router. The analyst must choose only one to patch during this maintenance window. Given the following information:
Vulnerability 1 has not received a CVSS score. The vulnerability has the following characteristics:
• Must be logged in to the router, but elevated privileges are not required
• Trivial to exploit, but user interaction is needed
• Low impact to availability, but high impact to confidentiality and integrity
Vulnerability 2 has a CVSS score of AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H
Which of the following conclusions should the analyst reach?
Answer options
- A. Patch Vulnerability 1 because it has a higher overall impact when looking at confidentiality, integrity, and availability, and it requires lower privileges.
- B. Patch Vulnerability 1 because it is easier to exploit and has a higher impact on confidentiality.
- C. Patch Vulnerability 2 because it has a higher overall impact when looking at confidentiality, integrity, and availability, and it can be exploited by a privileged user.
- D. Patch Vulnerability 2 because it is easier to exploit, has a high impact on availability, and it is more likely to be exploited remotely.
Correct answer: D
Explanation
The correct answer is D. Vulnerability 2's vector (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H) says it is reachable over the network, low in attack complexity, exploitable with only low privileges, needs no user interaction, and has a High availability impact; with the CVSS 3.1 equations that vector works out to a base score of 7.6 (High). On a critical router, availability is the property the business depends on most, and a flaw that an authenticated low-privilege attacker can trigger remotely without anyone's help is the one most likely to be exploited in practice.
Vulnerability 1 has no published score, but its description maps directly onto CVSS metrics: AC:L (trivial to exploit), PR:L (logged in, no elevated privileges), UI:R (user interaction needed), C:H/I:H/A:L, with the attack vector left unstated. Its confidentiality and integrity impacts are higher than Vulnerability 2's, so the two are close: if Vulnerability 1 were network-reachable, the same equations would also give it 7.6. What separates them is that Vulnerability 1 depends on a user doing something while Vulnerability 2 does not, and Vulnerability 2 threatens the availability of a critical device. The missing score is not itself a reason to deprioritize; the analyst should score the vulnerability from the characteristics given rather than read "unscored" as "less critical".
The other options misread the vectors. A claims Vulnerability 1 requires lower privileges, but both vulnerabilities require low privileges (PR:L). B ignores that Vulnerability 1 needs user interaction and has only a Low availability impact. C turns PR:L into "can be exploited by a privileged user" and overstates Vulnerability 2's confidentiality and integrity impact, which is Low on both.