Answered practice questions

Question text missing from the page; only the answer explanation survives:
Correct answer explanation: … is persistently stored on the server (e.g., in a database or file) and then rendered and executed in the browser of another user who views the affected page. This demonstrates that the attack can impact victims beyond the tester, proving the vulnerability is not self-inflicted or limited to the attacker's session.
Distractors: The server has a large disk; The application uses HTTPS.

Which pipeline controls help prevent vulnerable dependencies reaching production? (Choose two.)
Correct answer: SBOM generation and review for released builds. A is correct because SBOM (Software Bill of Materials) generation and review provides a detailed inventory of all components in a build, enabling teams to identify and block vulnerable dependencies before release. This aligns with supply chain security best practices, as SBOMs allow automated comparison against vulnerability databases (e.g., NVD) to enforce policy gates early in the pipeline.
Distractors: Manual badge checks at the office door; DNS MX record rotation.

A vulnerability appears critical but the vulnerable feature is disabled. What should the analyst document before downgrading? (Choose two.)
Correct answer: Approval and rationale for the severity change. Option A is correct because when a vulnerability is critical but the vulnerable feature is disabled, the analyst must document the approval and rationale for the severity change to maintain an accurate risk register and audit trail. This ensures that the decision to downgrade is justified, traceable, and compliant with organizational change management policies, preventing arbitrary adjustments that could obscure true risk posture.
Distractors: Deletion of the original scanner finding; The analyst's personal preference for fewer tickets.

A vulnerability manager wants accurate Linux package findings. Which scan conditions are important? (Choose two.)
Correct answer: Authenticated access to inspect installed packages. For accurate Linux package findings, the vulnerability scanner must have authenticated access (e.g., via SSH with valid credentials) to inspect installed packages directly from the package manager database (e.g., RPM or dpkg). Without authentication, the scanner can only perform unauthenticated network-based checks, which cannot reliably determine installed software versions or patch levels. Authenticated access ensures the scanner can execute commands like 'rpm -qa' or 'dpkg -l' to enumerate packages with high accuracy.
Distractors: Only scanning ICMP echo replies; Changing server hostnames randomly.

An emergency patch may break a revenue-critical system. Which actions balance risk and availability? (Choose two.)
Correct answer: Test the patch in a representative staging environment. Option A is correct because testing the emergency patch in a representative staging environment that mirrors the production system's configuration, dependencies, and load allows you to identify potential breaking changes before deployment. This balances risk by validating the patch's impact on revenue-critical systems while maintaining availability, as any failures are contained in the test environment. Option B is correct because applying temporary compensating controls, such as additional monitoring, rate limiting, or failover mechanisms, provides a safety net that reduces the blast radius of a potential patch failure, enabling you to proceed with deployment while preserving system availability.
Distractors: Disable monitoring to avoid alerts during the change; Ignore active exploitation until the next annual review.

Which findings should be included when reporting remediation performance to asset owners? (Choose two.)
Correct answer: Recently remediated findings awaiting validation. Recently remediated findings awaiting validation are a critical metric for asset owners because they confirm that remediation actions have been taken and are pending verification. This aligns with the vulnerability management lifecycle, where validation ensures the fix was applied correctly and no residual risk remains. Including this status in reports provides asset owners with actionable insight into the progress of remediation efforts and any outstanding steps needed to close the finding.
Distractors: Every raw scanner debug line; Unrelated physical-access badge failures.
Objective 2.0
Vulnerability Management
CS0-003 Practice Questions
Use this page to practise threats, attacks and vulnerabilities questions. CompTIA Security+ is scenario-heavy here — you must identify not just the attack type but the most appropriate response.
Threats, attacks and vulnerabilities questions test whether you can identify attack types, threat actor motivations and the correct mitigation for a given scenario.
Threat actor types and motivations (APT, script kiddie, insider, nation-state).
Attack techniques: phishing, social engineering, ransomware, SQL injection, XSS.
Vulnerability scanning vs penetration testing vs risk assessment.
Mitigation strategies mapped to specific attack types.
Common exam traps
Where candidates lose marks on Vulnerability Management
⚠Social engineering targets people, not systems — the attack vector matters.
⚠A vulnerability scanner finds weaknesses; it does not exploit them.
⚠Phishing is email-based; vishing is voice-based; smishing is SMS-based.
⚠Zero-day vulnerabilities have no patch available at the time of discovery.
CS0-003 Vulnerability Management — Practice Questions
A vulnerability scan identifies a critical unauthenticated remote-code-execution flaw on an internet-facing VPN appliance that is actively exploited in the wild. Several internal-only medium vulnerabilities are also present. What should be remediated first? For validation, which action should be taken before closing or downgrading the finding?
A scan of Windows servers reports few findings, but the scanner used no credentials. The security manager suspects missing patch data. What should be changed? For control selection, which control best addresses the stated weakness without hiding risk?
A scanner flags TLS 1.0 on a server, but the service owner says TLS 1.0 is disabled. What is the BEST validation method? For stakeholder management, which documentation or approval is required to keep the programme defensible?
A CI pipeline blocks a container image because the base layer contains a critical OpenSSL CVE. The application team says the vulnerable binary is not used. What is the BEST next step? For tool configuration, which scanner or pipeline change most directly improves result quality?
A cloud posture scan finds a storage bucket with public read access containing customer exports. What should the team do first? For business prioritization, which recommendation gives the best risk-based order of work?
A vulnerability report has 900 findings. One medium CVSS vulnerability is listed in CISA KEV and has a high EPSS score; several high CVSS issues are not exploitable in the environment. What should the analyst recommend? For validation, which action should be taken before closing or downgrading the finding?
Two servers have the same critical vulnerability. One hosts a public payment API; the other is a lab server isolated from production. What changes the remediation priority? For control selection, which control best addresses the stated weakness without hiding risk?
A legacy system cannot be patched because the vendor no longer supports the application. What should the vulnerability manager request? For stakeholder management, which documentation or approval is required to keep the programme defensible?
A development team wants to find vulnerable open-source libraries before deployment. Which control best fits this stage? For tool configuration, which scanner or pipeline change most directly improves result quality?
A DAST scan cannot reach authenticated pages of a web application and reports only public content findings. What should be configured? For business prioritization, which recommendation gives the best risk-based order of work?
A CVSS 9.8 vulnerability affects an internal service reachable only from a restricted admin subnet. Which additional analysis is most useful? For validation, which action should be taken before closing or downgrading the finding?
A supplier provides a software product used in a regulated environment. The security team wants visibility into included libraries and versions. What should they request? For stakeholder management, which documentation or approval is required to keep the programme defensible?
A business unit accepts the risk of delaying a patch because downtime would breach a contractual deadline. What should be updated? For tool configuration, which scanner or pipeline change most directly improves result quality?
A credentialed Linux scan fails on several hosts after SSH hardening. What is the BEST next step? For business prioritization, which recommendation gives the best risk-based order of work?