CompTIA PenTest+ (PT1-002) — Question 59

A penetration tester has identified several newly released CVEs on a VoIP call manager. The scanning tool the tester used determined the possible presence of the CVEs based off the version number of the service. Which of the following methods would BEST support validation of the possible findings?

Answer options

• A. Manually check the version number of the VoIP service against the CVE release
• B. Test with proof-of-concept code from an exploit database
• C. Review SIP traffic from an on-path position to look for indicators of compromise
• D. Utilize an nmap ג€"sV scan against the service

Correct answer: B

Explanation

Option B is the best choice because using proof-of-concept code allows the tester to actively confirm the exploitability of the CVEs. The other options, while useful for gathering information or checking configurations, do not provide direct validation of the vulnerabilities like testing with exploit code does.