CompTIA Security+ (SY0-501) — Question 918
An auditor is performing an assessment of a security appliance with an embedded OS that was vulnerable during the last two assessments. Which of the following BEST explains the appliance's vulnerable state?
Answer options
- A. The system was configured with weak default security settings.
- B. The device uses weak encryption ciphers.
- C. The vendor has not supplied a patch for the appliance.
- D. The appliance requires administrative credentials for the assessment.
Correct answer: C
Explanation
The correct answer is C because if the vendor has not supplied a patch, the known vulnerabilities remain unaddressed, leaving the appliance exposed. Option A is incorrect as it pertains to initial configurations rather than vendor support, while B focuses on encryption strength rather than patch status. Option D is not relevant to the appliance's vulnerabilities, as the requirement for credentials does not affect its security patch status.