Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

Answer explanations for Questions 6 to 11 (extracted from the page's structured data; the first entry is cut off at its start in the source)

Question 6 (stored XSS): correct answer explanation, truncated at the start: ") is persistently stored on the server (e.g., in a database or file) and then rendered and executed in the browser of another user who views the affected page. This demonstrates that the attack can impact victims beyond the tester, proving the vulnerability is not self-inflicted or limited to the attacker's session."
Other options: The server has a large disk; The application uses HTTPS.

Question 7: Which pipeline controls help prevent vulnerable dependencies reaching production? (Choose two.)
Correct option: SBOM generation and review for released builds. A is correct because SBOM (Software Bill of Materials) generation and review provides a detailed inventory of all components in a build, enabling teams to identify and block vulnerable dependencies before release. This aligns with supply chain security best practices, as SBOMs allow automated comparison against vulnerability databases (e.g., NVD) to enforce policy gates early in the pipeline.
Other options: Manual badge checks at the office door; DNS MX record rotation.

Question 8: A vulnerability appears critical but the vulnerable feature is disabled. What should the analyst document before downgrading? (Choose two.)
Correct option: Approval and rationale for the severity change. Option A is correct because when a vulnerability is critical but the vulnerable feature is disabled, the analyst must document the approval and rationale for the severity change to maintain an accurate risk register and audit trail. This ensures that the decision to downgrade is justified, traceable, and compliant with organizational change management policies, preventing arbitrary adjustments that could obscure true risk posture.
Other options: Deletion of the original scanner finding; The analyst's personal preference for fewer tickets.

Question 9: A vulnerability manager wants accurate Linux package findings. Which scan conditions are important? (Choose two.)
Correct option: Authenticated access to inspect installed packages. For accurate Linux package findings, the vulnerability scanner must have authenticated access (e.g., via SSH with valid credentials) to inspect installed packages directly from the package manager database (e.g., RPM or dpkg). Without authentication, the scanner can only perform unauthenticated network-based checks, which cannot reliably determine installed software versions or patch levels. Authenticated access ensures the scanner can execute commands like 'rpm -qa' or 'dpkg -l' to enumerate packages with high accuracy.
Other options: Only scanning ICMP echo replies; Changing server hostnames randomly.

Question 10: An emergency patch may break a revenue-critical system. Which actions balance risk and availability? (Choose two.)
Correct option: Test the patch in a representative staging environment. Option A is correct because testing the emergency patch in a representative staging environment that mirrors the production system's configuration, dependencies, and load allows you to identify potential breaking changes before deployment. This balances risk by validating the patch's impact on revenue-critical systems while maintaining availability, as any failures are contained in the test environment. Option B is correct because applying temporary compensating controls—such as additional monitoring, rate limiting, or failover mechanisms—provides a safety net that reduces the blast radius of a potential patch failure, enabling you to proceed with deployment while preserving system availability.
Other options: Disable monitoring to avoid alerts during the change; Ignore active exploitation until the next annual review.

Question 11: Which findings should be included when reporting remediation performance to asset owners? (Choose two.)
Correct option: Recently remediated findings awaiting validation. Recently remediated findings awaiting validation are a critical metric for asset owners because they confirm that remediation actions have been taken and are pending verification. This aligns with the vulnerability management lifecycle, where validation ensures the fix was applied correctly and no residual risk remains. Including this status in reports provides asset owners with actionable insight into the progress of remediation efforts and any outstanding steps needed to close the finding.
Other options: Every raw scanner debug line; Unrelated physical-access badge failures.
Objective 2.0

Vulnerability Management

CS0-003 Practice Questions

Use this page to practise threats, attacks and vulnerabilities questions. CompTIA Security+ is scenario-heavy here — you must identify not just the attack type but the most appropriate response.


What this objective tests

CS0-003 Vulnerability Management — Key Topics

Threats, attacks and vulnerabilities questions test whether you can identify attack types, threat actor motivations and the correct mitigation for a given scenario.

  • Threat actor types and motivations (APT, script kiddie, insider, nation-state).
  • Attack techniques: phishing, social engineering, ransomware, SQL injection, XSS.
  • Vulnerability scanning vs penetration testing vs risk assessment.
  • Mitigation strategies mapped to specific attack types.

Common exam traps

Where candidates lose marks on Vulnerability Management

  • ⚠Social engineering targets people, not systems — the attack vector matters.
  • ⚠A vulnerability scanner finds weaknesses; it does not exploit them.
  • ⚠Phishing is email-based; vishing is voice-based; smishing is SMS-based.
  • ⚠Zero-day vulnerabilities have no patch available at the time of discovery.

CS0-003 Vulnerability Management — Practice Questions

30 questions from this objective

Question 2 (medium, multi select)

A vulnerability manager is prioritizing remediation. Which factors should influence risk-based priority? (Choose three.)

Question 3 (medium, multi select)

Which conditions should push a vulnerability higher in the remediation queue? (Choose three.)

Question 4 (hard, multi select)

A scanner reports a critical issue on a network device. Which steps help validate the finding before closure? (Choose two.)

Question 5 (medium, multi select)

Which items belong in a vulnerability exception request? (Choose three.)

Question 6 (hard, multi select)

A web application DAST scan reports stored XSS. Which evidence helps confirm exploitability? (Choose two.)

Question 7 (medium, multi select)

Which pipeline controls help prevent vulnerable dependencies reaching production? (Choose two.)

Question 8 (hard, multi select)

A vulnerability appears critical but the vulnerable feature is disabled. What should the analyst document before downgrading? (Choose two.)

Question 9 (medium, multi select)

A vulnerability manager wants accurate Linux package findings. Which scan conditions are important? (Choose two.)

Question 10 (hard, multi select)

An emergency patch may break a revenue-critical system. Which actions balance risk and availability? (Choose two.)

Question 11 (medium, multi select)

Which findings should be included when reporting remediation performance to asset owners? (Choose two.)

Question 12 (hard, multi select)

A vulnerability scan of a segmented OT network must avoid disrupting fragile devices. Which controls are appropriate? (Choose two.)

Question 13 (medium, multi select)

Which sources improve asset criticality context for vulnerability prioritization? (Choose two.)

Question 14 (hard, multi select)

A cloud security posture tool reports public access on object storage. Which follow-up checks matter? (Choose two.)

Question 15 (medium, multi select)

Which measures help reduce recurring vulnerabilities from unsupported software? (Choose two.)

Question 16 (hard, multi select)

An application has a high CVSS vulnerability, but a WAF rule blocks known exploit payloads. What should the team still do? (Choose two.)

Question 17 (easy, multiple choice)

A vulnerability scan identifies a critical unauthenticated remote-code-execution flaw on an internet-facing VPN appliance that is actively exploited in the wild. Several internal-only medium vulnerabilities are also present. What should be remediated first? For validation, which action should be taken before closing or downgrading the finding?

Question 18 (medium, multiple choice)

A scan of Windows servers reports few findings, but the scanner used no credentials. The security manager suspects missing patch data. What should be changed? For control selection, which control best addresses the stated weakness without hiding risk?

Question 19 (hard, multiple choice)

A scanner flags TLS 1.0 on a server, but the service owner says TLS 1.0 is disabled. What is the BEST validation method? For stakeholder management, which documentation or approval is required to keep the programme defensible?

Question 20 (easy, multiple choice)

A CI pipeline blocks a container image because the base layer contains a critical OpenSSL CVE. The application team says the vulnerable binary is not used. What is the BEST next step? For tool configuration, which scanner or pipeline change most directly improves result quality?

Question 21 (medium, multiple choice)

A cloud posture scan finds a storage bucket with public read access containing customer exports. What should the team do first? For business prioritization, which recommendation gives the best risk-based order of work?

Question 22 (hard, multiple choice)

A vulnerability report has 900 findings. One medium CVSS vulnerability is listed in CISA KEV and has high EPSS; several high CVSS issues are not exploitable in the environment. What should the analyst recommend? For validation, which action should be taken before closing or downgrading the finding?

Question 23 (easy, multiple choice)

Two servers have the same critical vulnerability. One hosts a public payment API; the other is a lab server isolated from production. What changes the remediation priority? For control selection, which control best addresses the stated weakness without hiding risk?

Question 24 (medium, multiple choice)

A legacy system cannot be patched because the vendor no longer supports the application. What should the vulnerability manager request? For stakeholder management, which documentation or approval is required to keep the programme defensible?

Question 25 (hard, multiple choice)

A development team wants to find vulnerable open-source libraries before deployment. Which control best fits this stage? For tool configuration, which scanner or pipeline change most directly improves result quality?

Question 26 (easy, multiple choice)

A DAST scan cannot reach authenticated pages of a web application and reports only public content findings. What should be configured? For business prioritization, which recommendation gives the best risk-based order of work?

Question 27 (medium, multiple choice)

A CVSS 9.8 vulnerability affects an internal service reachable only from a restricted admin subnet. Which additional analysis is most useful? For validation, which action should be taken before closing or downgrading the finding?

Question 28 (hard, multi select)

A team requests a patch exception for a legacy application. What should be required? (Choose two.)

Question 29 (easy, multiple choice)

A supplier provides a software product used in a regulated environment. The security team wants visibility into included libraries and versions. What should they request? For stakeholder management, which documentation or approval is required to keep the programme defensible?

Question 30 (medium, multiple choice)

A business unit accepts the risk of delaying a patch because downtime would breach a contractual deadline. What should be updated? For tool configuration, which scanner or pipeline change most directly improves result quality?

Question 31 (hard, multiple choice)

A credentialed Linux scan fails on several hosts after SSH hardening. What is the BEST next step? For business prioritization, which recommendation gives the best risk-based order of work?

More Vulnerability Management questions available in the full practice test.


All CS0-003 Objectives

  • 1. Security Operations
  • 2. Vulnerability Management
  • 3. Incident Response and Management
  • 4. Reporting and Communication