A penetration tester completes a vulnerability scan showing multiple low-risk findings and one high-risk vulnerability tied to outdated server software. What should the tester prioritize as the next step?
A. Perform a brute-force attack on the server to gain access
B. Ignore the high-risk vulnerability and proceed with testing other systems
C. Focus on exploiting the low-risk vulnerabilities first
D. Verify if the high-risk vulnerability is exploitable by checking for known exploits
CEH methodology stresses prioritization based on risk, exploitability, and business impact. High-severity vulnerabilities, especially those tied to outdated or unsupported server software, are frequently associated with known, publicly documented exploits. The proper next step after identifying such a vulnerability is to confirm exploitability safely: research available exploit code, validate that the weakness applies to the specific version in use, and determine whether the vulnerability can be leveraged within the defined scope of the engagement. CEH highlights that exploitation attempts must be evidence-driven rather than arbitrary, and concentrating on high-risk vulnerabilities lets testers demonstrate meaningful security impact. Brute-forcing (Option A) is unnecessary and generates a high volume of noise. Ignoring or deprioritizing the high-risk finding (Options B and C) contradicts CEH risk-based assessment principles. Therefore, verifying the exploitability of the high-risk vulnerability (Option D) is the correct step.